2. Content
• What is OWASP?
• What is a Web Application?
• OWASP Top 10
• Successful Attack Path
• What next for Developers?
• What next for Verifiers & Organisations?
• Conclusion
3. What OWASP Is?
OWASP is an open community dedicated to enabling organisations to develop, purchase, and maintain applications that can be trusted. The OWASP Foundation is the non-profit entity that ensures the project's long-term success.
4. What a Web Application Is?
"In computing, a web application or web app is a client–server software application in which the client (or user interface) runs on a web browser. Common web applications include webmail, online retail sales, instant messaging services and many other functions."
5. What the OWASP Top 10 Is?
The OWASP Top 10 report (this describes the 2013 edition) is based on 8 datasets from 7 firms that specialise in application security, including 4 consulting companies and 3 tool/SaaS vendors (1 static, 1 dynamic, and 1 with both). This data spans over 500,000 vulnerabilities across hundreds of organisations and thousands of applications. The Top 10 items are selected and prioritised according to this prevalence data, combined with consensus estimates of exploitability, detectability, and impact. Later editions draw on larger data sets and a revised ranking method, so check the edition date before quoting its figures.
6.
• Application security tools and standards
• Complete books on application security testing, secure code development, and secure code review
• Standard security controls and libraries
• Cutting-edge research
10. What Next for Developers?
"SECURE CODING"
No application is completely secure, but adhering to the following principles will minimise risk:
• Minimise the attack surface area: every endpoint, parameter and feature is a potential entry point, so expose only what is needed.
• Establish and enforce secure defaults: session timeouts, password expiry and similar controls should be on by default, not opt-in.
• Apply the principle of least privilege: users, services and database accounts get only the access they need to do their jobs.
• Implement defence in depth: combine controls such as re-authentication for sensitive actions, anti-CSRF tokens, and indirect references instead of exposed internal IDs, each on top of (never instead of) server-side authorisation checks.
• Don't trust services or third parties: authenticate and validate data from external APIs and partners just as you would user input.
• Keep security simple: controls that are complex or intrusive are the ones users and developers work around.
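The principles on this slide as one added, runnable illustration (example code written for this page, not OWASP's or the presentation's own): secure defaults as idle and absolute session timeouts, least privilege as a role-to-action map, defence in depth as a CSRF token plus re-authentication for sensitive actions layered over the authorisation check, and "don't trust third parties" as signature and schema validation of a partner message. All role names, timeout values and the partner signing scheme are assumptions, not any real product's API.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Secure defaults: timeouts are on by default and deliberately short (assumed values).
IDLE_TIMEOUT = 15 * 60        # seconds since the last request
ABSOLUTE_TIMEOUT = 8 * 3600   # seconds since login
REAUTH_WINDOW = 5 * 60        # sensitive actions need a fresh password check

# Least privilege: each (hypothetical) role gets only the actions its job needs.
PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete", "export"},
}
STATE_CHANGING = {"write", "delete", "export"}   # require an anti-CSRF token
SENSITIVE = {"delete", "export"}                 # require recent re-authentication


class AuthError(Exception):
    """Raised for any failed session, privilege or token check."""


@dataclass
class Session:
    user: str
    role: str
    created: float
    last_seen: float
    last_auth: float     # when the password was last verified
    csrf_token: str


def new_session(user: str, role: str, now: float) -> Session:
    """Create a session after login; the CSRF token is random and per session."""
    return Session(user, role, now, now, now, secrets.token_urlsafe(32))


def check_session(session: Session, now: float) -> None:
    """Secure defaults: enforce absolute and idle timeouts on every request."""
    if now - session.created > ABSOLUTE_TIMEOUT:
        raise AuthError("session expired (absolute timeout)")
    if now - session.last_seen > IDLE_TIMEOUT:
        raise AuthError("session expired (idle timeout)")
    session.last_seen = now


def authorize(session: Session, action: str, now: float,
              csrf_token: Optional[str] = None) -> bool:
    """Defence in depth: a request must pass every layer, not just one."""
    check_session(session, now)
    # Least privilege: unknown roles get an empty permission set.
    if action not in PERMISSIONS.get(session.role, set()):
        raise AuthError(f"role {session.role!r} may not {action!r}")
    # Anti-CSRF token on anything that changes state, compared in constant time.
    if action in STATE_CHANGING:
        if csrf_token is None or not hmac.compare_digest(csrf_token, session.csrf_token):
            raise AuthError("missing or invalid CSRF token")
    # Re-authentication for the most sensitive actions, even with a valid session.
    if action in SENSITIVE and now - session.last_auth > REAUTH_WINDOW:
        raise AuthError("re-authentication required")
    return True


def sign_partner_message(raw: bytes, shared_key: bytes) -> str:
    """Assumed partner protocol: HMAC-SHA256 over the JSON body, hex encoded."""
    return hmac.new(shared_key, raw, hashlib.sha256).hexdigest()


def verify_partner_message(raw: bytes, signature_hex: str, shared_key: bytes) -> dict:
    """Don't trust third parties: authenticate the message, then validate its shape."""
    if not hmac.compare_digest(sign_partner_message(raw, shared_key), signature_hex):
        raise AuthError("partner message failed signature check")
    msg = json.loads(raw)
    # An authenticated partner can still send garbage, so validate the schema too.
    if not isinstance(msg, dict) or set(msg) != {"order_id", "amount_cents"}:
        raise AuthError("unexpected partner message fields")
    if not isinstance(msg["order_id"], str) or not isinstance(msg["amount_cents"], int):
        raise AuthError("unexpected partner message types")
    if msg["amount_cents"] < 0:
        raise AuthError("negative amount")
    return msg


if __name__ == "__main__":
    t0 = 1_700_000_000.0                      # constructed timestamp
    s = new_session("alice", "editor", t0)
    print(authorize(s, "read", t0 + 10))      # True
    try:
        authorize(s, "write", t0 + 20)         # state change without a CSRF token
    except AuthError as e:
        print("blocked:", e)
```

Every check raises rather than returning False so that a caller cannot forget to test the result; the order of checks (session, then privilege, then token, then re-authentication) means an attacker with a stolen but expired cookie learns nothing about what the account could do.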
11. What Next for Verifiers & Organisations?
• To verify the security of a web application you have developed, or one you are considering purchasing, OWASP recommends that you review the application's code (if available) and test the running application as well.
• OWASP has produced the OWASP Application Security Verification Standard (ASVS). This document defines verification requirements, at three levels, for performing web application security assessments.
• Organisations should employ or engage security professionals and penetration testers so that their web applications are assessed as they change, not just once.
• Organisations should keep testing their web applications on an ongoing basis, for example through vulnerability scanners and bug bounty programmes.
13. Conclusion
The Top 10 cover a lot of ground, but there are many other risks you should consider and evaluate in your organisation.
CREATE A REMEDIATION PLAN
1. Identify assets and risks
• Obtain a full understanding of what you own.
• Obtain a full understanding of the risks associated with those assets.
2. Conduct a gap analysis and prioritise risks
• Rate the risks (i.e. high/medium/low) to your most valuable assets and order remediation by that rating.
3. Planning and execution
• Budget, technology, team, timeframe.
4. Track, monitor, and improve the plan
• Security plans, protocols, feedback response.