Such a simple question, but it has many different answers, all of which can be important to your understanding of web application security. The Open Web Application Security Project (OWASP) is a non-profit organization with a simple mission: improving the security of software. The organization is open to anyone and receives contributions from security professionals and software developers focused on providing best-practice standards and tools to help everyone develop more secure software. The term OWASP is used in a couple of different contexts, so we're going to explore those here and shed some light on the most important assets that OWASP has shared with the security community.
OWASP Top 10
Probably the most well-known of all the OWASP projects, this document is a compilation of the ten most common categories of security vulnerabilities in web applications. The list is compiled from industry surveys conducted across a wide array of organizations, and the most recent list was published in 2017. The overall security community can then use this information in a variety of ways, such as:
- Developer training material that teaches developers to combat these most common issues and stop them from being introduced into new software
- A baseline for security professionals and penetration testers, so that their assessments cover the most common issues and standards
- A reference point for other standards and assessment frameworks, so that "secure software" has more of a baseline definition
This is by no means an exhaustive list, but focusing on the top ten most common issues in software provides a good starting point for all kinds of security-related activities.
OWASP Testing Guide
Expanding on the Top 10, OWASP has also produced a complete testing guide to help inform web application penetration testing and security assessments. The OWASP Testing Guide is a thorough methodology that can be used during web application security assessments to look for a wide variety of security vulnerabilities, covering security issues in much more depth than the Top 10. The guide includes everything from test cases, to the risks associated with each vulnerability, to proof-of-concept code, to remediations and helpful reference links for when you try to fix these issues. The OWASP Testing Guide is a core part of our web application penetration testing methodology, as it should be for most penetration testers.
OWASP Mobile Security Testing Guide
Like the OWASP Testing Guide, which addresses web applications, OWASP also maintains a complete Mobile Security Testing Guide that covers the methodology and techniques for conducting mobile application security assessments. This document provides a great overview of all the considerations that need to be taken into account when reviewing the security of a mobile application, regardless of platform, language, or framework. If you're interested in getting into mobile application penetration testing and are looking for a good place to start, this is it.
While OWASP is best known for the Top 10 and the Testing Guide, it contributes a wide array of other security resources to the application security community. Check out some of the other items below:
- OWASP Zed Attack Proxy (ZAP) – ZAP, or zaproxy, is an open source proxy and traffic interceptor that facilitates web application penetration testing. Think Burp Suite, but free and with a similar feature set.
- OWASP Juice Shop – This is a purposefully vulnerable web application that can be used to practice and try out different application-related exploitation techniques.
- OWASP Application Security Verification Standard (ASVS) – Where the Testing Guide is more of a methodology and process, the ASVS is more of a checklist of requirements for testing and development.
- OWASP Cheat Sheet Series – Short and sweet, this collection of documents is designed to be a "first stop" for a variety of different application security topics.