How to protect against the OWASP Top 10?

The OWASP Project

The Open Web Application Security Project (OWASP) is an open community that brings together application security experts from across the globe, each sharing their expertise and working collaboratively to identify the most significant security flaws inherent to web applications and services. Initially registered in 2004 in the United States and in 2011 in Europe, the community has grown substantially over the years and is now recognized worldwide as a leading organization in the field of information systems security. Its Top 10 list of the most significant flaws has become a standard used by most players in cybersecurity and serves as a benchmark for a considerable number of regulations (PCI DSS, NIS, GDPR, and HIPAA).

How to protect your applications against the attacks highlighted in the OWASP Top 10?

For each of the ten OWASP categories, the following gives a description, the impact, the recommended best practices, and the R&S®Cloud Protector features that address it.
Injection
Description: Injections (SQL, command, LDAP, XPath) occur when untrusted data is sent to an interpreter as part of a command or query.
Impact:
  • Data loss, corruption or disclosure
  • Account theft or denial of access
  • Host takeover
  • Server scan
Best practices:
  • Avoid the use of interpreters
  • Use a parameterized interface or mapping tool
  • Whitelist server-side input
  • Sanitize user input
  • Use controls to avoid mass disclosure
Learn more: read the articles on Command injection and SQL injection.
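The parameterized interface and server-side whitelist practices listed above, shown side by side with the string-concatenation pattern they replace. This is an added Python example and is not code from the original page or from R&S®Cloud Protector; it uses the standard-library sqlite3 module against a constructed in-memory users table, so the table contents and the crafted input are assumptions made for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory database standing in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately insecure: the interpreter (SQLite) receives the user's text as
    # part of the command, so a quote in the input changes the command's meaning.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized interface: the command text is fixed and the value is bound
    # separately, so the input is only ever compared as a string, never interpreted.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers such as column names cannot be bound as parameters, so the server
# keeps a whitelist of the only values it is willing to splice into the command.
ALLOWED_SORT_COLUMNS = frozenset({"name", "role"})


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT name, role FROM users ORDER BY {sort_by}, name").fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that closes the quoted literal
    print("vulnerable:", find_user_vulnerable(db, crafted))  # all three rows leak
    print("parameterized:", find_user_safe(db, crafted))     # [] : no user has that name
    print("sorted:", list_users_sorted(db, "role"))
```

The whitelist is what makes the `ORDER BY` case safe: the f-string still builds the command, but only one of two server-chosen identifiers can ever be inserted into it.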
Broken Authentication
Description: Application functions relying on user authentication and session management are often implemented incorrectly.
Impact:
  • Money laundering
  • Social security fraud
  • Identity theft
  • Disclosure of protected data
Best practices:
  • Use multi-factor authentication
  • Change default credentials
  • Implement weak-password checks
  • Limit failed login attempts
R&S®Cloud Protector:
  • Rate limiting
  • IP reputation
Learn more: Cloud WAF article
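The weak-password check and the limit on failed login attempts, as an added Python example that is not part of the original page or of R&S®Cloud Protector. The common-password list, the lockout parameters and the PBKDF2 storage scheme are assumptions for the demo; a real deployment would load a large breached-password list and use its framework's password hasher.

```python
import hashlib
import hmac
import time

# Constructed sample of common passwords; a real check loads a large breached-
# password list (assumption: the check is a plain set lookup on the lowercase form).
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "admin", "letmein"})
MIN_LENGTH = 12


def password_is_weak(password: str) -> bool:
    # Weak-password check: too short, or present on the common-password list.
    return len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS


def make_stored_hash(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for the demo: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginLimiter:
    """Counts failed logins per account and refuses attempts for a lockout window."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock          # injectable so tests can advance time
        self._failures = {}          # account -> consecutive failures
        self._locked_until = {}      # account -> clock value when the lockout ends

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: reset the counter so the user gets a fresh budget.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> None:
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self._clock() + self.lockout_seconds

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def authenticate(limiter: LoginLimiter, account: str, password: str,
                 stored_hash: bytes, salt: bytes) -> str:
    # Returns "locked", "denied" or "ok". The lockout check runs before any
    # password hashing, so attempts against a locked account cost the server nothing.
    if limiter.is_locked(account):
        return "locked"
    candidate = make_stored_hash(password, salt)
    if hmac.compare_digest(candidate, stored_hash):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"


if __name__ == "__main__":
    salt = b"constructed-salt"
    stored = make_stored_hash("correct horse battery staple", salt)
    limiter = LoginLimiter(max_failures=3, lockout_seconds=60)
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery staple"):
        print(attempt, "->", authenticate(limiter, "alice", attempt, stored, salt))
```

The limiter returns the same "locked" answer whether or not the supplied password is right, so an attacker who has hit the limit learns nothing further from the response.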
Sensitive Data Exposure
Description: Certain web applications or APIs do not sufficiently protect sensitive data (financial data, health data, personal data).
Impact:
  • Personal data disclosure
  • Identity theft
Best practices:
  • Store only the data you need
  • Encrypt all data
  • Implement HTTPS
R&S®Cloud Protector:
  • Limit the header size
XML External Entities (XXE)
Description: Certain web applications use XML parsers that can interpret references to one or more external entities.
Impact:
  • Data loss, corruption or disclosure
  • Account theft or denial of access
  • Server scan
  • DDoS attacks
Best practices:
  • Use JSON when possible
  • Upgrade XML libraries
  • Disable external entities
  • Sanitize input
R&S®Cloud Protector:
  • Blacklist rules
Broken Access Control
Description: Very often, access restrictions for authenticated users are not implemented effectively enough.
Impact:
  • Use of administrator functions
  • Modification of account data and access rights
  • Data disclosure
Best practices:
  • Deny all resources by default
  • Minimize cross-origin resource sharing (CORS)
Learn more: read the article on Path traversal.
Security Misconfiguration
Description: Insecure default configurations, open cloud storage services, poorly configured HTTP headers, or error messages containing sensitive information lead to this flaw.
Impact:
  • Access to system data
  • Complete system compromise
Best practices:
  • Remove unused features
  • Segment the application architecture
  • Use automated tests
R&S®Cloud Protector:
  • Error message interception
Cross-site Scripting (XSS)
Description: XSS occurs when an application includes untrusted data in a web page, or when a page is updated with data injected by a user.
Impact:
  • Credential and session theft
  • Malware download
  • Arbitrary code execution in the victim's browser
Best practices:
  • Use modern web frameworks
  • Sanitize user input
  • Enable Content Security Policy (CSP)
Learn more: read the article on XSS.
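Output encoding and a Content Security Policy, the two XSS practices above that a developer applies directly, as an added Python example that is not code from the original page or from R&S®Cloud Protector. It uses only the standard library; the comment rendering, the profile link and the policy string are constructed for illustration and the crafted comment text is a benign marker.

```python
import html
from urllib.parse import quote

# Constructed policy: scripts only from the application's own origin, no plugins,
# no <base> hijacking, no framing. Extend it to the application's real sources.
CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
       "base-uri 'none'; frame-ancestors 'none'")


def render_comment_vulnerable(author: str, text: str) -> str:
    # Deliberately insecure: user text is interpolated into the page as raw markup,
    # so any tags it contains become part of the document.
    return f"<p class=\"comment\"><b>{author}</b>: {text}</p>"


def render_comment_safe(author: str, text: str) -> str:
    # Output encoding for the HTML body context; quote=True also encodes ' and "
    # so the same helper is safe inside quoted attribute values.
    return (f"<p class=\"comment\"><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(text, quote=True)}</p>")


def profile_link(username: str) -> str:
    # Each context gets its own encoding: the name is percent-encoded as a URL
    # path segment first, then the whole href is HTML-encoded as an attribute.
    href = "/users/" + quote(username, safe="")
    return (f'<a href="{html.escape(href, quote=True)}">'
            f'{html.escape(username, quote=True)}</a>')


def security_headers() -> dict:
    # Response headers that back up correct output encoding: CSP blocks inline
    # scripts that slip through, nosniff stops content-type confusion.
    return {
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    crafted = "<script>alert(1)</script>"  # constructed marker, not a real payload
    print(render_comment_vulnerable("bob", crafted))
    print(render_comment_safe("bob", crafted))
    print(profile_link("../admin"))
    print(security_headers())
```

The point of `profile_link` is that escaping is context-specific: an HTML-escaped name is still not a safe URL path segment, and a percent-encoded path is still not a safe attribute value until it is HTML-escaped as well.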
Insecure Deserialization
Description: Insecure deserialization occurs when an application accepts and deserializes malicious serialized objects.
Impact:
  • Arbitrary code execution on the server
Best practices:
  • Digitally sign serialized objects
  • Make sure that each value matches the expected type
R&S®Cloud Protector:
  • Blacklist rules
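Both deserialization practices above, signing the serialized object and checking each value's type before use, as an added Python example that is not code from the original page or from R&S®Cloud Protector. The HMAC key, the session schema and the token layout (canonical JSON, a dot, a hex tag) are assumptions for the demo; the signature is verified with a constant-time comparison before any parsing takes place.

```python
import hashlib
import hmac
import json
from typing import Any

# Constructed key for the demo; in production it comes from a secret store and
# is never shared with the client that presents the token.
SECRET_KEY = b"constructed-demo-key-rotate-me"

# Expected shape of a deserialized session object: field name -> required type.
SESSION_SCHEMA = {"user_id": int, "role": str, "expires": int}


def sign(payload: dict) -> bytes:
    # Canonical JSON so the signature does not depend on key order or whitespace.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_and_load(token: bytes) -> dict:
    # The tag is hex and contains no dot, so the last dot separates body and tag.
    body, sep, tag = token.rpartition(b".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison, and rejection happens before json.loads ever runs.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    return validate_types(json.loads(body))


def validate_types(obj: Any) -> dict:
    # Second line of defence: even a correctly signed object must match the schema.
    if not isinstance(obj, dict):
        raise TypeError("session must be a JSON object")
    for field, expected_type in SESSION_SCHEMA.items():
        value = obj.get(field)
        # bool is a subclass of int in Python, so reject it explicitly for int fields.
        if isinstance(value, bool) or not isinstance(value, expected_type):
            raise TypeError(f"field {field!r} must be {expected_type.__name__}")
    unexpected = set(obj) - set(SESSION_SCHEMA)
    if unexpected:
        raise TypeError(f"unexpected fields: {sorted(unexpected)}")
    return obj


if __name__ == "__main__":
    token = sign({"user_id": 42, "role": "user", "expires": 1700000000})
    print(token)
    print(verify_and_load(token))
    tampered = token.replace(b'"role":"user"', b'"role":"admin"')
    try:
        verify_and_load(tampered)
    except ValueError as exc:
        print("rejected:", exc)
```

Signing does not make the object's contents trustworthy by itself; it only proves the server produced them. The schema check is what stops a correctly signed but ill-typed object (a string where an integer is expected, or a field the code never defined) from reaching application logic.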
Using Components with Known Vulnerabilities
Description: As a general rule, components such as libraries, frameworks and software modules run with the same privileges as the web application or API that uses them.
Impact:
  • An attacker can exploit any of the OWASP Top 10 vulnerabilities
Best practices:
  • Remove unused features
  • Update frameworks and libraries
  • Download from official sources
R&S®Cloud Protector:
  • Dedicated security engines (for SQL injection, etc.)
  • Generic signatures
  • Virtual patching
Insufficient Logging & Monitoring
Description: Missing or ineffective monitoring and event logging leave the system exposed.
Impact:
  • Allows an attacker to continue the attack
  • Attacks go undetected
Best practices:
  • Log every security failure with its context
  • Generate logs in a format such as JSON to make centralization easier
R&S®Cloud Protector:
  • Monitoring panel
  • Comprehensive dashboards
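The two logging practices above, every security failure logged with context and emitted as one JSON object per line, as an added Python example that is not code from the original page or from R&S®Cloud Protector. It uses only the standard-library logging module; the field names, the sample usernames and the 203.0.113.x source address are constructed for the demo. A small aggregation over the parsed lines shows why the structured fields matter to whoever centralizes the logs.

```python
import io
import json
import logging
from datetime import datetime, timezone


class JsonFormatter(logging.Formatter):
    """Emit one JSON object per line; extra context arrives via record.ctx."""

    def format(self, record: logging.LogRecord) -> str:
        event = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "event": record.getMessage(),
        }
        # Context passed through logging's `extra` mechanism as a "ctx" dict.
        event.update(getattr(record, "ctx", {}))
        return json.dumps(event, sort_keys=True)


def make_security_logger(stream) -> logging.Logger:
    # A dedicated logger so security events are not mixed with application noise.
    logger = logging.getLogger("security")
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


def log_auth_failure(logger: logging.Logger, username: str, source_ip: str,
                     request_id: str, reason: str) -> None:
    # Every failure carries who, from where, which request and why, so a SIEM
    # can correlate it without parsing free text.
    logger.warning("auth_failure", extra={"ctx": {
        "user": username,
        "src_ip": source_ip,
        "request_id": request_id,
        "reason": reason,
    }})


def failures_per_source(events: list, threshold: int = 2) -> dict:
    # Detection over the structured lines: repeated failures per (user, source).
    counts = {}
    for event in events:
        if event.get("event") == "auth_failure":
            key = (event["user"], event["src_ip"])
            counts[key] = counts.get(key, 0) + 1
    return {key: n for key, n in counts.items() if n >= threshold}


def demo() -> list:
    # Constructed sample: two failures for the same account from one address.
    buf = io.StringIO()
    logger = make_security_logger(buf)
    log_auth_failure(logger, "alice", "203.0.113.7", "req-0001", "bad_password")
    log_auth_failure(logger, "alice", "203.0.113.7", "req-0002", "account_locked")
    return [json.loads(line) for line in buf.getvalue().splitlines()]


if __name__ == "__main__":
    events = demo()
    for event in events:
        print(json.dumps(event))
    print(failures_per_source(events))
```

Because each line is self-describing, the aggregation needs no regular expressions and keeps working when new fields are added to the event.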

R&S®Cloud Protector can protect your internet-facing web applications from the attacks highlighted in the OWASP Top 10, zero-day attacks and more, while limiting false positives.

Request your 14-day free trial

It takes only 60 seconds to protect your websites and applications.
What are you waiting for?