
OWASP (Open Web Application Security Project)

What is OWASP?

OWASP stands for the Open Web Application Security Project. It is a non-profit global community focused on improving the security of software. OWASP provides free tools, documentation, and resources to help developers build secure applications.

OWASP Top 10

One of OWASP’s most well-known projects is the OWASP Top 10, a regularly updated list of the ten most critical web application security risks. It serves as a guide for developers and security professionals to understand and mitigate common vulnerabilities.

Example: Broken Access Control

Broken Access Control occurs when users can access data or perform actions outside their intended permissions. This often happens due to missing or misconfigured authorization checks.

Example Scenario

Suppose a web application uses URLs like:

http://example.com/user/12345

If a user changes the ID to 12346 and gains access to another user's data without proper authorization, this is known as an Insecure Direct Object Reference (IDOR)—a type of broken access control.

How to Prevent It

  • Enforce role-based access control
  • Validate user permissions on every request
  • Avoid exposing internal object references in URLs
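The scenario and prevention steps above, as an added Python example that is not part of the original page: the IDOR-prone lookup beside the same lookup with an authorization check on every request, plus a hypothetical per-session indirect-reference map so URLs carry an opaque token instead of the internal id. The user records, ids and roles are constructed sample data.

```python
import secrets

# Constructed sample data standing in for the application's user table.
USERS = {
    12345: {"name": "alice", "email": "alice@example.com"},
    12346: {"name": "bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the object (maps to HTTP 403)."""


def get_user_vulnerable(caller_id, caller_roles, requested_id):
    # Caller is authenticated, but nothing checks WHO is asking:
    # changing /user/12345 to /user/12346 returns another user's record.
    return USERS.get(requested_id)


def get_user_fixed(caller_id, caller_roles, requested_id):
    # Authorization on every request: a caller may read their own record,
    # or any record if they hold the "admin" role. Deny before the lookup so
    # a rejected request does not reveal whether the id exists at all.
    if requested_id != caller_id and "admin" not in caller_roles:
        raise Forbidden(f"user {caller_id} may not read user {requested_id}")
    return USERS.get(requested_id)


class IndirectReferences:
    """Hypothetical per-session map from opaque tokens to internal ids, so
    URLs look like /user/<token> and the database key never leaves the server."""

    def __init__(self):
        self._by_token = {}

    def expose(self, internal_id):
        # Random, unguessable token issued only for objects this session may see.
        token = secrets.token_urlsafe(16)
        self._by_token[token] = internal_id
        return token

    def resolve(self, token):
        # Tokens that were guessed or issued to another session resolve to nothing.
        if token not in self._by_token:
            raise Forbidden("unknown object reference")
        return self._by_token[token]
```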

OWASP encourages developers to adopt secure coding practices and regularly test their applications for vulnerabilities.

The OWASP Top 10

The OWASP Top 10 is a standard awareness document that lists the ten most critical security risks to web applications. Published by the Open Worldwide Application Security Project (OWASP), a non-profit foundation, it provides developers and security professionals with the most common and dangerous vulnerabilities to help them prioritize security efforts.

The list, which is updated every few years, is based on a consensus among global security experts and data from bug bounties, vendors, and organizations. The latest version was released in 2021.

The OWASP Top 10 for 2021

  1. Broken Access Control (A01:2021): Issues with access controls can allow an attacker to bypass authorization and act as a privileged user. This was moved to the #1 spot due to its high prevalence and impact.
  2. Cryptographic Failures (A02:2021): Previously called "Sensitive Data Exposure," this focuses on failures related to cryptography that can expose sensitive data.
  3. Injection (A03:2021): This category, which now includes Cross-Site Scripting (XSS), involves an attacker sending untrusted data to a code interpreter. Examples include SQL and OS command injection.
  4. Insecure Design (A04:2021): A new category for 2021, it focuses on design and architectural flaws, which require the use of threat modeling and secure design principles to fix.
  5. Security Misconfiguration (A05:2021): This common vulnerability occurs when a system is improperly configured, such as having default settings or displaying overly descriptive error messages.
  6. Vulnerable and Outdated Components (A06:2021): Attacks can exploit vulnerabilities in outdated libraries and frameworks used by web applications.
  7. Identification and Authentication Failures (A07:2021): Formerly "Broken Authentication," this now includes flaws related to identification failures. It covers vulnerabilities that allow attackers to compromise passwords, keys, or session tokens.
  8. Software and Data Integrity Failures (A08:2021): A new category for 2021, this covers vulnerabilities related to integrity violations of data and software, including insecure deserialization and issues in CI/CD pipelines.
  9. Security Logging and Monitoring Failures (A09:2021): Previously "Insufficient Logging & Monitoring," this expanded category includes failures that make it difficult to detect and respond to security incidents.
  10. Server-Side Request Forgery (SSRF) (A10:2021): A new category promoted from the community survey, SSRF occurs when a web application pulls from a remote resource without proper validation, allowing an attacker to force the server to send requests to an unintended location.

Why the OWASP Top 10 is important

  • Awareness and guidance: It provides developers with a concise and easy-to-understand list of the most critical risks to consider.
  • Prioritization: The list helps organizations focus their resources on the most significant threats, prioritizing remediation efforts effectively.
  • Standardization: It serves as a benchmark for web application security, and is often used by auditors to assess an organization's commitment to secure development practices.
  • Training and education: The OWASP Top 10 is a foundational part of application security training for developers and security professionals.