What is OWASP application security?

Jan 22nd 2021

Application security is a crucial practice for any business that uses web and mobile applications to
offer services to its customers or to support its own operations.

It provides the necessary layers of protection that secure your data from malicious actors so
your business can maintain a positive reputation and build strong relationships.


OWASP Top Ten application security risks

The Open Web Application Security Project (OWASP) developed a public framework that documents the top ten risks to application security.

The OWASP Top Ten provides developers and security professionals with the industry’s consensus on the most significant risks to web applications and recommends security controls to mitigate them.

Here are the application security risks and mitigations described by the OWASP Top Ten:

1. Injection

Injection flaws occur when malicious data is sent to an interpreter, such as a database or a command shell, where it is interpreted as part of a command or query and causes unintended actions. This can lead to a breach of sensitive data or a compromise of the application environment.

User-supplied data should not be trusted. Server-side allow-list (“whitelist”) input validation and safe functions, such as parameterised queries, should be used to mitigate this risk effectively.


2. Broken authentication

Improper design and implementation of identity controls leads to broken authentication. Malicious actors have access to billions of valid credentials, and compromising just a few accounts, or a single administrator account, can be enough to compromise an entire system.

Multi-factor authentication is the most effective way to mitigate this type of attack. Strong password management processes should be implemented, and credentials should never be transmitted over insecure channels.


3. Sensitive data exposure

Malicious actors can steal sensitive data that is inadequately protected by web applications and APIs. The biggest flaw is failing to encrypt data, which enables criminals to access or modify Personally Identifiable Information (PII), financial information or credentials.

You should identify which data is deemed sensitive according to the legislation that applies to you and ensure it is encrypted at rest and in transit. Do not store data unnecessarily: data that is not retained cannot be stolen.


4. XML External Entities (XXE)

Flaws in old or misconfigured XML processors can lead to malicious actors extracting data, performing an external request or compromising internal documents, to name a few.

Developers must be trained to identify and mitigate XXE so that vulnerable XML handling is not introduced into the code, and XML processors must be kept patched.


5. Broken access control

Malicious actors can use vulnerability scanning tools to identify the lack of appropriate access controls in applications. If they gain access through these flaws, it may be possible to impersonate users or administrators to access sensitive data.

Access controls should be implemented in server-side code so the user cannot modify them.
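To show what "implemented in server-side code" means in practice, here is an added Python example (not from the original post or Sentrium) with a constructed document store. The secure handler decides purely from the server-side session identity; the insecure variant beside it trusts a client-supplied flag:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"; comes from the server-side session, never from the request

class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""

# Constructed sample records, keyed by document id (not from the original page).
DOCUMENTS = {
    101: {"owner_id": 1, "title": "alice's notes"},
    102: {"owner_id": 2, "title": "bob's notes"},
}

def can_read(user, doc):
    # Deny by default: only the owner or an administrator may read a document.
    return user.role == "admin" or doc["owner_id"] == user.id

def get_document(session_user, doc_id, request_params):
    # request_params is everything the client sent (query string, form, JSON body).
    # It is never consulted for authorisation: a client-supplied "admin=true" or
    # "owner_id=1" field has no effect, because the decision uses session_user only.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not can_read(session_user, doc):
        # One response for "does not exist" and "not yours", so that probing
        # document ids does not reveal which ones exist.
        raise Forbidden()
    return doc

def get_document_insecure(session_user, doc_id, request_params):
    # The anti-pattern: a client-controlled flag takes part in the access decision.
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise Forbidden()
    if request_params.get("admin") == "true" or doc["owner_id"] == session_user.id:
        return doc
    raise Forbidden()

def try_read(handler, user, doc_id, params):
    # Helper returning True if the handler grants access, False if it refuses.
    try:
        handler(user, doc_id, params)
        return True
    except Forbidden:
        return False
```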


6. Security misconfiguration

Misconfiguration is the most common of all the top ten risks. It can occur as a result of many issues, including default or incomplete configurations and open cloud storage.

All systems, servers, firewalls and network devices within the application environment must be securely configured, and the latest security updates applied as soon as they are available.


7. Cross-Site Scripting (XSS)

XSS is the second most common vulnerability in the Top Ten. Its three forms, reflected, stored and DOM-based, enable malicious actors to execute scripts in the user’s browser and interfere with their session activity.

You must treat all user input as untrusted, using sanitisation and validation techniques to prevent injected malicious code from being processed by your application.

You may also apply built-in browser protections, such as HTTP security headers, to minimise the impact of an undetected XSS vulnerability.
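The following added Python example (not from the original post or Sentrium) puts the two paragraphs above together: context-aware output encoding for an HTML text context, allow-list validation of link schemes, and an assumed set of HTTP security headers that limit the impact of any encoding mistake. The header values are constructed for the example, not a policy recommended by the page:

```python
import html
from urllib.parse import urlparse

def render_greeting_vulnerable(name):
    # Untrusted text dropped straight into the page: markup in 'name' becomes live HTML.
    return "<p>Hello, " + name + "</p>"

def render_greeting(name):
    # Output encoding for an HTML text context: <, >, &, " and ' become entities,
    # so the browser shows the characters instead of parsing them as markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

def safe_href(url):
    # Encoding alone is not enough inside an href: a "javascript:" URL contains
    # nothing to escape, so the scheme is validated against an allow-list first.
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    return html.escape(url, quote=True)

def render_link(url, label):
    href = safe_href(url)
    if href is None:
        return html.escape(label, quote=True)  # drop the link, keep the text
    return '<a href="' + href + '">' + html.escape(label, quote=True) + "</a>"

# Assumed header set (constructed for this example): a strict CSP blocks inline
# scripts, so an encoding mistake that slips through has far less effect.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

def build_response(body):
    # Returns (status, headers, body) as a framework-neutral HTTP response.
    headers = dict(SECURITY_HEADERS)
    headers["Content-Type"] = "text/html; charset=utf-8"
    return 200, headers, body

if __name__ == "__main__":
    tainted = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(tainted))  # executable in the victim's browser
    print(render_greeting(tainted))             # rendered as harmless text
    print(render_link("javascript:alert(1)", "click"))  # 'click' with no link
```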


8. Insecure deserialisation

Remote code execution is one of the most impactful results of insecure deserialisation. These attacks are difficult to carry out, as the underlying exploit code often needs to be adapted to the target first.

It is essential to reject serialised objects from untrusted sources to mitigate insecure deserialisation attacks and use safe serialisation functions in your code where possible.
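As an added Python example of the mitigation above (not code from the original post or Sentrium), the snippet below uses a data-only format (JSON) instead of a format that reconstructs arbitrary objects, authenticates each serialised object with an HMAC so anything not produced by the server is rejected, and then checks the decoded data against an allow-listed schema. The key and the record shape are constructed assumptions for the demo:

```python
import base64
import hashlib
import hmac
import json

# Assumed key (constructed for this example); in a real deployment it comes
# from a secrets store, never from source code.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
# Allow-listed shape of the only object we accept.
ALLOWED_FIELDS = {"user_id": int, "role": str}

def serialise(obj):
    # Data-only format (JSON), never a format that rebuilds arbitrary objects.
    # The HMAC tag lets the server detect tampering when the token comes back.
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

def deserialise(token):
    # Returns the decoded dict, or None for anything untrusted or malformed.
    try:
        encoded, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded)
    except ValueError:              # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                 # not produced by us, or modified in transit
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    # Schema check: exactly the allowed keys, each of the allowed type.
    if not isinstance(data, dict) or set(data) != set(ALLOWED_FIELDS):
        return None
    for key, kind in ALLOWED_FIELDS.items():
        if not isinstance(data[key], kind) or isinstance(data[key], bool):
            return None
    return data

def tamper(token, old, new):
    # Constructed failure case for the demo: edit the payload but keep the old tag.
    encoded, tag = token.split(".", 1)
    payload = base64.urlsafe_b64decode(encoded).replace(old, new)
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

if __name__ == "__main__":
    token = serialise({"user_id": 7, "role": "user"})
    print(deserialise(token))                                 # {'role': 'user', 'user_id': 7}
    print(deserialise(tamper(token, b'"user"', b'"admin"')))  # None
```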


9. Using components with known vulnerabilities

Some components have known vulnerabilities that malicious actors can exploit to gain access to data and servers. Software components, such as underlying application libraries and frameworks, often contain weaknesses that may impact the security of the application as a whole.

You should implement a patching process to resolve vulnerabilities and remove any unnecessary components from your application environment.


10. Insufficient logging and monitoring

Logging and monitoring are important processes to enable fast detection and response to malicious activity, such as attempted or successful attacks.

You should implement a response and recovery plan that ensures suspicious activities are identified and mitigated efficiently.


Sentrium can improve your application security

Sentrium provides web and mobile application security testing and Threat Modelling as part of the routine development lifecycle.

Your security assessment is tailored to the size and complexity of your applications, giving you an efficient and comprehensive testing approach that will add value to your secure development lifecycle.

Contact us to discuss your application security requirements and learn how our services may support your security strategy.
