16 OWASP Top 10

This chapter covers

  • Discovering what OWASP is and what it does
  • Exploring how relevant the OWASP Top 10 is
  • Learning how the OWASP Top 10 is created
  • Looking at how each item in the OWASP Top 10 relates to this book
  • Noting other security-related lists of risks

OWASP (https://owasp.org) is a nonprofit organization that advocates for web application security. It was founded in September 2001 and has since created a wide range of content and offerings:

  • Events, local and global
  • Cheat sheets for various kinds of attacks, with technology-specific advice
  • Checklists and guidelines for security testing
  • Software such as the OWASP Zed Attack Proxy, ZAP (see chapter 15)
  • Training material such as the Juice Shop, an application with many (intentional) security vulnerabilities
  • And much more

The best-known OWASP project, however, is the OWASP Top 10 list, which we will cover in this chapter, along with other top 10 lists. Not surprisingly, we have covered all aspects of these lists in previous chapters (or, at least, have good reasons why we didn’t). This chapter serves as a refresher on many things we discussed earlier in this book and reiterates how the threats from the list items may be mitigated with ASP.NET Core.

16.1 OWASP Top 10

16.1.1 Top 10 creation process

16.1.2 #1: Broken access control

16.1.3 #2: Cryptographic failures

16.1.4 #3: Injection

16.1.5 #4: Insecure design

16.1.6 #5: Security misconfiguration

16.1.7 #6: Vulnerable and outdated components

16.1.8 #7: Identification and authentication failures

16.1.9 #8: Software and data integrity failures