Most people start talking about the OWASP Top 10 as soon as web application security comes up. Why does it matter so much, both to the people trying to secure their applications against attacks and to the penetration testers looking for vulnerabilities in those applications?
It makes me wonder whether it is sufficient to secure, or to test, web applications only for the vulnerabilities that appear in this list. What about all the vulnerabilities that do not appear in it? The latest Top 10 list was produced in 2007 and is accordingly called OWASP Top 10 2007. This list no longer contains Buffer Overflow and Denial of Service attacks, which were present in earlier versions of the OWASP Top 10. Does that mean these attacks have simply disappeared and all our applications are now immune to them, or does it mean that other attacks have become more widespread and have taken precedence over the ones that no longer appear in the list? If it is the latter, does that make the attacks outside the Top 10 any less attractive to an attacker, or any less severe, than the ones in it? If not, wouldn't it make more sense to secure our applications against the attacks in the OWASP Top 10 as well as against all those that are not?
So why do we care so much about OWASP Top 10?
The OWASP Top 10 is an awareness document for web application security, created by industry thought leaders by consensus, that lists the ten most serious web application vulnerabilities. Adopting it is an effective first step towards a security awareness program and towards changing the software development culture within an organization so that it produces secure software. Adopting the document should therefore be treated as the beginning of your security awareness program: everyone should strive to mitigate the vulnerabilities it lists as a minimum requirement for producing secure software, not as an end in itself. Only then are we one step closer to producing secure software applications.