
Understanding the OWASP list - flywithdolp
https://whitessource.com/owasp-top-10-vulnerabilities
======
jpalomaki
I think most should be actually checking the "OWASP Application Security
Verification Standard Project" [1] instead of just the Top 10 list.

The application security verification standard has quite clear requirements
that you can just feed into your software development process. The
requirements are split into three different levels, L1, L2 and L3. L1
requirements are more or less straightforward, standard application
development stuff. L2 and L3 go more into processes. The idea is also that the
L1 requirements can be verified by external penetration testing, without
access to source code.

I would say the L1 requirements are something everybody involved in creating
web apps professionally should check. Maybe some of the requirements don't make
sense for your particular application, but for those cases it is a good
exercise to write down why not.

[1]
[https://www.owasp.org/index.php/Category:OWASP_Application_S...](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)
(the document can be downloaded from the links on the right side)

~~~
lol768
ASVS is a good idea, but it has forever lost its credibility for me after the
following recommendation appeared in one of its published documents (2.13 I
believe, level 1 ASVSv3):

>Verify that account passwords make use of a sufficient strength encryption
routine and that it withstands brute force attack against the encryption
routine

I think this has been fixed, but I don't understand why encryption (which
implies reversibility) was _ever_ advocated over a proper password hashing
method such as BCrypt or PBKDF2. And no, using terms like "one way encryption"
would not be any better - it shows a general lack of understanding.
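To illustrate the distinction the comment draws, here is an added example (not from the thread, and not from ASVS or OWASP) of a one-way, salted, iterated password hash using PBKDF2 from Python's standard library, with a constant-time verifier and a check for records that need re-hashing at a higher work factor. The iteration count and the `$`-delimited record format are assumptions of this example, not a standard.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work-factor and format parameters are assumptions of this example;
# tune ITERATIONS to your hardware so a single check takes tens of ms.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    The output is a one-way derived key: there is no key that turns it back
    into the password, which is what distinguishes this from 'encryption'.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations),
                             dklen=DKLEN)
    # hmac.compare_digest avoids leaking mismatch position via timing.
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the stored record uses a weaker work factor than current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < min_iterations
```

On a successful login, call `needs_rehash` and store a fresh `hash_password` record when it returns True, so old accounts migrate to the stronger setting without a forced reset.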

~~~
tptacek
There is a general lack of understanding. OWASP is a shambolic volunteer
project and its outputs are uneven at best. I would be particularly wary of
OWASP when it comes to specialist topics, and cryptography is a great example
of that.

~~~
rtempaccount1
OWASP may be a shambolic volunteer project, but it's interesting that, in many
areas, it's still the best thing available for the last 18 years...

~~~
tptacek
Is that interesting? Are other aspects of computing more mature? I look at the
kind of stuff Kyle Kingsbury finds with Jepsen and wonder.

~~~
rtempaccount1
Well I find it interesting :) A huge quantity of value flows through web
applications, they're used by pretty much every business sector in the world
for a wide range of purposes.

Security vulnerabilities in Web applications have been a major cause of big
losses at a large number of these companies.

Despite that, the most authoritative, best funded, Web application security
group is OWASP. A group with a full-time staff of < 10, and an annual budget
of well under $10M.

It's interesting to me anyway, that the wider IT industry doesn't see value in
trying to establish security practices and tooling which could be used to
reduce some of these losses. Even if they don't like OWASP itself for any
reason, that they don't look to establish something else to achieve the same
goal.

------
rtempaccount1
The OWASP Top 10 is intended as an awareness tool to help raise visibility of
web app. security issues.

I'd agree with the article that it gets misused (a lot) as some kind of
checklist that, if you apply, you can have a "secure" application.

Ironically OWASP has several other great projects that are designed to provide
methodologies to improve application security like ASVS
[https://www.owasp.org/index.php/Category:OWASP_Application_S...](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)
and at a more organizational level, OWASP SAMM
[https://owaspsamm.org/](https://owaspsamm.org/) .

Where I do feel some frustration with this article is where, to me, it feels
like it's suggesting that "shift left security" (the idea that security
activities should take place earlier in the development lifecycle) is in any
way a new concept.

The idea of doing more application security work early in the development
process has been around at least 20 years and probably more.

Instead of having new buzzwords for it, to try and make it more attractive,
I'd be much more interested in a study of _why_ after all this time it's still
not uncommon to see a first security touchpoint for a project be a penetration
test done 2 weeks before go-live.

~~~
t34543
I think it’s fairly simple - security often slows down development and
competes with features. Product managers get their way, and features can trump
bug fixes for far too long.

~~~
throwaway_bad
Eh, can't only blame product managers for this.

Developers don't like security features that make development slower either.

I made the mistake of adding Content Security Policy to an app that was still
in the prototype stage and it caused endless headaches whenever I needed to
add new dependencies.

Your app shouldn't be outright insecure, but defense in depth (e.g., security
features that are only useful contingent on the presence of another security
vulnerability) can be safely deprioritized until your app gets complex enough
to need it.

~~~
dspillett
_> can be safely deprioritized until your app gets complex enough to need it_

I'd accept "until your app looks like it might leave proof-of-concept
classification".

And always be mindful of how quickly PoC code can magically end up needing to
be production ready overnight or worse being in production before it is...
Retrofitting security can be a nightmare, one that can be so easily avoided.

------
fulafel
There are multiple lists, some for purposes other than web app
implementation. Some examples:

[https://www.owasp.org/index.php/OWASP_Cloud-Native_Applicati...](https://www.owasp.org/index.php/OWASP_Cloud-Native_Application_Security_Top_10)

[https://www.owasp.org/index.php/OWASP_Mobile_Top_10](https://www.owasp.org/index.php/OWASP_Mobile_Top_10)

[https://www.owasp.org/index.php/OWASP_Proactive_Controls](https://www.owasp.org/index.php/OWASP_Proactive_Controls)

------
petra
The Lift Scala framework offers protection against many of the OWASP vulns
automatically:

[https://seventhings.liftweb.net/security](https://seventhings.liftweb.net/security)

Can this be improved to include support for all the OWASP? If not, why?

------
kingofpee
Never heard of OWASP before

Do programmers really follow it? Is it the status quo for companies to make sure
their software follows the OWASP Top 10 like a checklist?

~~~
statictype
Yes. It's an important bullet point in RFPs for enterprise software.

~~~
kingofpee
So OWASP compliance is a thing as much as GDPR compliance in the enterprise
world?

~~~
ownagefool
Not really.

GDPR results in major fines and thus has major funding. OWASP is something someone
might tack on, but most of the people involved have little to no ability to
check.

------
unixhero
Yup. And add MITRE ATT&CK to that list

