OWASP Top 10 - Introduction

When starting a new web application, the security risks are sadly often underestimated by everyone (developers, architects, IT, managers…).

Web applications are more vulnerable to attacks compared to standalone applications as they usually expose a service over a network to a potentially large population of users. Of course, the risk is higher when the population is not clearly identified (web site on internet) but it exists also with a closed list of known persons (entreprise application on intranet) because we always have data exchanged between the client (browser, web service client) and the server.

When you choose to ignore these risks, your data can be deleted, corrupted or stolen. And maybe worst, your customers can become victims of attacks because of your service. Their session can be hijacked by an attacker that will be granted all permissions on their personal data.

What about your reputation then ? Remember the « PSNgate » two years ago…

800px-Owasp_logo
OWASP provides an ordered list of the most important the risks according to their risk rating methodology and prevalence statistics provided by different organizations. While the methodology gives a theorical rating based on a few criteria like detectability, ease of exploit and technical impact, the prevalence statistics can change the order with concrete data from the real world.

E.g. in the last release this year, CSRF risk was moved down from rank 5 to rank 8. According to OWASP, « this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications. »[ref: OWASP Top 10 2013 – Release Notes].

Here are the most important risks identified by OWASP.

Although OWASP gives very interesting advices to prevent these risks, these are only generalities. If you want to protect your application against these risks, you will need to find by yourself the appropriate mitigations depending on your environment (OS, programing language, application server, database…).

In my next 10 articles (1 article per risk), I will share with you some concrete mitigations (frameworks, best practices, code snippets…) I have put in place to reduce these risks in a Java-based web application.

To see all articles related to OWASP Top 10, follow the tag #owasp


Vous avez trouvé cette publication utile? Cliquer sur
Ippon
Ippon est un cabinet de conseil en technologies, créé en 2002 par un sportif de Haut Niveau et un polytechnicien, avec pour ambition de devenir leader sur les solutions Digitales, Cloud et BigData.

Ippon accompagne les entreprises dans le développement et la transformation de leur système d’information avec des applications performantes et des solutions robustes.

Ippon propose une offre de services à 360° pour répondre à l’ensemble des besoins en innovation technologique : Conseil, Design, Développement, Hébergement et Formation.

Nous avons réalisé, en 2017, un chiffre d’affaires de 31 M€ en croissance organique de 30%. Nous sommes aujourd’hui un groupe international riche de plus de 320 consultants répartis en France, aux USA, en Australie et au Maroc.
FRANCE Website LinkedIn