Every three years, the Open Web Application Security Project (OWASP) publishes its OWASP Top 10 list of security flaws derived from industry data and extensive independent research. These lists contain the most commonly seen, and most commonly exploited, security flaws. The Top 10 lists are widely used by developers and organizations developing or deploying web applications refer to this list to ensure that the biggest vulnerability categories are mitigated during development or deployment.
OWASP is a worldwide nonprofit organization that focuses on improving software security. The main mission of OWASP is to ensure that software security is visible, and to provide insights and tools to help improve application security globally.
OWASP Top 10 lists are created for various categories, though the most commonly used OWASP Top 10 list is the one for Web Application Security. The current Top 10 list as of 2017 include the following website vulnerabilities:
- A1. Injection
- A2. Broken Authentication
- A3. Sensitive Data Exposure
- A4. XML External Entities (XXE)
- A5. Broken Access Control
- A6. Security Misconfiguration
- A7. Cross-Site Scripting (XSS)
- A8. Insecure Deserialization
- A9. Using Components with Known Vulnerabilities
- A10. Insufficient Logging and Monitoring
It is important to understand that the OWASP Top 10 is not an exhaustive list of all current vulnerabilities. It is only the most common vulnerabilities that are discovered. Care should be exercised while using the OWASP list to plan development or deployment testing.
The first step to avoiding Top 10 vulnerabilities is to fully understand the vulnerabilities and avoid website coding techniques and tools that leave your organization exposed to these threats. A good practice is to use coding frameworks that have built-in protection against common vulnerabilities.
However, even with the most careful coding practices, vulnerabilities can arise due to human error, changing code, third-party software, and evolving threats. Therefore, it is critical that you automate your website protection with a web application firewall (WAF).
Barracuda provides a Free Vulnerability Manager that will automatically check your website for hundreds of known vulnerabilities including the OWASP Top 10. This free tool produces a report that itemizes the problems found and the corrective action required to solve each problem. This report can then be uploaded into the Barracuda Web Application Firewall which will create policies to automatically fix most of the problems.
To maintain protection against the latest threats, the Barracuda Web Application Firewall provides continuous website protection. It uses powerful, cloud-based scanning technologies to inspect your online applications, whether they are already in production or still in development. It identifies and automatically remediates any unpatched vulnerabilities, including those listed on the OWASP Top 10 list, but also many others such as Denial of Service (DoS) attacks and Zero-Day Threats.
The Barracuda Web Application Firewall ensures that your online apps are secure against being used as threat vectors into your network. And by automating a critical part of every application-development process, it accelerates the overall DevOps cycle, letting you deploy secure applications without waiting for the traditional manual process of security auditing, which can be both time-consuming and unreliable.
Contact us to learn more about how to protect your organization from OWASP Top 10 threats and hundreds of additional threats. You can also get a free evaluation of the Barracuda Web Application Firewall and run a free website vulnerability scan.