How to protect against OWASP TOP 10?
The OWASP Project
The Open Web Application Security Project (OWASP) is an open community that brings together application security experts from across the globe, each sharing their expertise and working collaboratively to identify the most significant security flaws inherent to web applications and services. Initially registered in 2004 in the United States and in 2011 in Europe, this community has grown substantially over the years and is now recognized worldwide as a leading organization in the field of information systems security. Its Top 10 list of the most significant flaws constitutes a standard used by the majority of the players in the world of cybersecurity and serves as a benchmark for a considerable number of regulations (PCI DSS, NIS, GDPR, and HIPAA).
How to protect your applications against the attacks highlighted in the OWASP Top 10?
| OWASP category | Description | Protection |
|---|---|---|
| Broken Access Control | Very often, access restrictions for authenticated users are not implemented effectively enough. | Read the article on Path Traversal to know more about it. |
| Cryptographic Failures | A bad use of cryptography with weak keys, weak encryption or deprecated hash functions can lead to vulnerabilities in a web application. | Upgrade of website to TLS (HTTPS website); state of the art TLS |
| Injection | Injections (SQL, commands, LDAP, XPath, XSS) occur when insecure data is sent to an interpreter as a command or request. | Read the following articles: |
| Insecure Design | The concept of insecure design means that security is not integrated in the development of an application. | It is not a vulnerability but a problem in the organization; acts as a virtual patch to avoid the exploitation of vulnerabilities |
| Security Misconfiguration | Use of an insecure default configuration, open cloud storage services, poorly configured HTTP headers, or error messages containing sensitive information leads to this. | Interception of error messages; use of a "Blacklist" (XXE) |
| Vulnerable and Outdated Components | As a general rule, components such as libraries, frameworks and software modules work at the same privilege level as the web application or API that employs these components. | Dedicated security engine (SQL injection etc.) |
| Identification and Authentication Failures | XSS occurs when an application retrieves insecure data and inserts it into a web page or when a page is updated with unfiltered user input. | |
| Software and Data Integrity Failures | Insecure deserialization occurs when a web application receives malicious serialized objects. | Use of a "Blacklist" |
| Security Logging and Monitoring Failures | In general, libraries, frameworks, modules, etc. have the same level of privilege as the application that uses them. | |
| Server-Side Request Forgery | The lack of monitoring and logging can lead to a sensitive system | Limit the number of requests; use of a "Blacklist" |