How to protect against OWASP TOP 10?

The OWASP Project

The Open Web Application Security Project (OWASP) is an open community, grouping together application security experts from across the globe, each sharing their expertise and working collaboratively to identify the most significant security flaws inherent to web applications and services. Initially registered in 2004 in the United States and in 2011 in Europe, this community has developed substantially over the years and is now recognized worldwide as a leading organization in the field of information systems security. Its top 10 of the most significant flaws constitutes a standard used by the majority of the players in the world of cybersecurity and serves as a benchmark for a considerable number of regulations (PCI DSS, NIS, GDPR, and HIPAA).

How to protect your applications against the attacks highlighted in the OWASP Top 10?

R&S®Cloud Protector can protect your internet-facing web applications from the attacks highlighted in the OWASP Top 10, zero-day attacks and more, while limiting false positives.
The sections below cover each OWASP Top 10 category in turn, giving its description, its impact, the recommended best practices and the R&S®Cloud Protector features that address it.
Broken Access Control
Description: Very often, access restrictions for authenticated users are not implemented effectively enough.
Impact:
  • Use of administrator functions
  • Modifying account data and access
  • Data disclosure
Best Practices:
  • Deny all resources
  • Minimize cross-origin resource sharing (CORS)
R&S®Cloud Protector: Read the article on Path Traversal to know more about it.
Cryptographic Failures
Description: Misuse of cryptography, such as weak keys, weak encryption or deprecated hash functions, can lead to vulnerabilities in a web application.
Impact:
  • Disclosure of protected data
  • Identity theft
  • Account theft
Best Practices:
  • Store only needed data
  • Encrypt all data
  • Implement HTTPS
  • Use strong keys
  • Use recent hash functions
R&S®Cloud Protector:
  • Rate limiting
  • Upgrade of website to TLS (HTTPS website)
  • State-of-the-art TLS
Injection
Description: Injections (SQL, commands, LDAP, XPath, XSS) occur when insecure data is sent to an interpreter as a command or request.
Impact:
  • Loss, corruption or disclosure of data
  • Account theft or denial of access
  • Host takeover
  • Server scan
Best Practices:
  • Avoid the use of command interpreters
  • Use interfaces
  • Create a list of authorized entries
  • Escape user input
  • Control massive data leakage
R&S®Cloud Protector: Read the following articles:
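As an added illustration of the "use interfaces", "create a list of authorized entries" and "escape user input" practices above (example code written for this page, not R&S®Cloud Protector's), the vulnerable lookup beside its parameterized form, run against a constructed in-memory SQLite table:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Insecure data becomes part of the command text: the interpreter cannot
    # tell the user's value from the query structure, so a quote character in
    # the input changes what the query does.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # The driver's parameter interface sends the value separately from the
    # command, so whatever it contains can never change the query's meaning.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers such as column names cannot be bound as parameters, so they are
# checked against a list of authorized entries instead of being escaped.
ALLOWED_SORT_COLUMNS = ("name", "role")


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unauthorized sort column")
    # The secondary "name" key keeps the ordering deterministic for equal roles.
    return conn.execute(f"SELECT name FROM users ORDER BY {column}, name").fetchall()
```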
Insecure Design
Description: The concept of insecure design means that security is not integrated in the development of an application. It is not a vulnerability as such but a problem in the organization.
Impact:
  • An attacker can use any of the OWASP Top 10 vulnerabilities
Best Practices:
  • Use of secure design patterns
  • Writing unit and functional tests
  • Shifting from DevOps to DevSecOps
R&S®Cloud Protector: Acts as a virtual patch to avoid the exploitation of vulnerabilities
Security Misconfiguration
Description: This results from the use of insecure default configurations, open cloud storage services, poorly configured HTTP headers or error messages containing sensitive information.
Impact:
  • Use of administrator functions
  • Data leakage
  • Server compromise
  • Server scanning
  • DDoS attacks
Best Practices:
  • Delete unused functions
  • Verify the configuration
  • Have a segmented architecture
  • Automated testing
R&S®Cloud Protector:
  • Interception of error messages
  • Use of a "Blacklist" (XEE)
Vulnerable and Outdated Components
Description: As a general rule, components such as libraries, frameworks and software modules work at the same privilege level as the web application or API that employs them.
Impact:
  • An attacker can use any of the OWASP Top 10 vulnerabilities
Best Practices:
  • Remove unused functionality
  • Update external components
  • Download components from an official source
R&S®Cloud Protector:
  • Dedicated security engine (SQL injection etc.)
  • Virtual patching
Identification and Authentication Failures
Description: XSS occurs when an application retrieves insecure data and inserts it into a web page or when a page is updated with unfiltered user input.
Impact:
  • Money laundering
  • Social Security fraud
  • Identity theft
  • Disclosure of protected data
Best Practices:
  • Multi-factor authentication
  • Changing passwords
  • Check for weak passwords
  • Limiting the number of login attempts
R&S®Cloud Protector:
  • Request limit
  • IP Reputation
Software and Data Integrity Failures
Description: Insecure deserialization occurs when a web application receives malicious serialized objects.
Impact:
  • Execution of arbitrary code on the server
  • Using vulnerable code
Best Practices:
  • Add a signature on serialized objects
  • Check the types
R&S®Cloud Protector: Use of a "Blacklist"
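Added example (written for this page, not the product's code) of "add a signature on serialized objects" and "check the types": the object is serialized to JSON, authenticated with an HMAC that is verified before parsing, and type-checked against a fixed schema before use. The key and the expected schema are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the demonstration; a deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key"

# The only shape of object the application accepts after deserialization.
EXPECTED_TYPES = {"user_id": int, "role": str}


def sign_object(obj: dict, key: bytes = SECRET_KEY) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the signature covers one exact byte string.
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify_and_load(token: str, key: bytes = SECRET_KEY) -> dict:
    # The signature is checked before the body is parsed at all.
    body_b64, sep, tag_b64 = token.partition(".")
    if not sep:
        raise ValueError("malformed token")
    body = base64.urlsafe_b64decode(body_b64)
    tag = base64.urlsafe_b64decode(tag_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    obj = json.loads(body)
    # Check the types: exactly the expected fields, each of exactly the expected
    # type (type() rather than isinstance so a bool does not pass as an int).
    if not isinstance(obj, dict) or set(obj) != set(EXPECTED_TYPES):
        raise ValueError("unexpected fields")
    for field, typ in EXPECTED_TYPES.items():
        if type(obj[field]) is not typ:
            raise ValueError(f"wrong type for {field}")
    return obj


def is_trusted(token: str, key: bytes = SECRET_KEY) -> bool:
    # True only if the token verifies and its content matches the schema.
    try:
        verify_and_load(token, key)
    except ValueError:
        return False
    return True
```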
Security Logging and Monitoring Failures
Description: In general, libraries, frameworks, modules, etc. have the same level of privilege as the application that uses them.
Impact:
  • Allows an attacker to continue an attack
  • An attack will not be detected
Best Practices:
  • Add each security alert with its context to the logs
  • Generate logs in JSON format so you can centralize them
R&S®Cloud Protector:
  • Control Panel
  • Log file
Server-Side Request Forgery
Description: The lack of monitoring and logging can lead to a sensitive system
Impact:
  • Server scan
  • File leakage
  • Code execution
Best Practices:
  • Disable HTTP redirects
  • Use a list of allowed URLs
  • Generate logs on network traffic
R&S®Cloud Protector:
  • Limit the number of requests
  • Use of a "Blacklist"
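Added example, not from the page or the product, combining the Server-Side Request Forgery practices above (a list of allowed URLs, disabled redirects, logs on network traffic) with the JSON logging recommended under Security Logging and Monitoring Failures. The allowed hosts and the URLs are constructed for the demonstration.

```python
import json
import logging
import urllib.request
from urllib.parse import urlsplit

# Constructed allowlist of outbound destinations; a deployment reads this from configuration.
ALLOWED_HOSTS = {"api.partner.example", "images.example"}

log = logging.getLogger("egress")


def check_target(url: str) -> tuple:
    """Return (allowed, reason) for a user-supplied URL before any request is made."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme not https"
    if parts.username or parts.password:
        return False, "credentials in URL"
    # .hostname is lower-cased and stripped of brackets, so the comparison is exact.
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    if parts.port not in (None, 443):
        return False, "non-standard port"
    return True, "ok"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise instead of following a redirect, so an
    # allowed host cannot bounce the request to a destination that was never checked.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def log_event(event: str, **context) -> str:
    # One JSON object per line, carrying its context, so logs can be centralized and parsed.
    record = json.dumps({"event": event, **context}, sort_keys=True)
    log.warning(record)
    return record


def fetch(url: str, timeout: float = 5.0) -> bytes:
    allowed, reason = check_target(url)
    log_event("egress_request", url=url, allowed=allowed, reason=reason)
    if not allowed:
        raise PermissionError(reason)
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```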