OWASP (Open Web Application Security Project) is a non-profit group that provides information regarding the latest and most effective web application security practices.
OWASP's mission is to make the security of software and web applications visible to organizations, governments, institutions, and any interested individual, so that they can make well-informed security decisions.
OWASP is not affiliated with any particular technology company, so it can provide vendor-neutral, practical solutions for web application security.
OWASP Top 10 Attacks
The OWASP Top 10 (the latest edition is the 2017 release as of this writing) is based primarily on 40+ data submissions from firms that specialize in application security and an industry survey completed by over 500 individuals. This data spans vulnerabilities gathered from hundreds of organizations and over 100,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.
A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high-risk problem areas and provides guidance on where to go from here.
- A1:2017 – Injection
- A2:2017 – Broken Authentication
- A3:2017 – Sensitive Data Exposure
- A4:2017 – XML External Entities (XXE)
- A5:2017 – Broken Access Control
- A6:2017 – Security Misconfiguration
- A7:2017 – Cross-Site Scripting (XSS)
- A8:2017 – Insecure Deserialization
- A9:2017 – Using Components with Known Vulnerabilities
- A10:2017 – Insufficient Logging & Monitoring
Source: OWASP Top 10 Attacks.