The OWASP Top Ten List is one of the best informal standards and guidelines for web application security -- it is a listing of common threats that result from weak design or implementation activities during software development and deployment. As a reflection of what's gone wrong in the industry, it's a valuable asset; However, OWASP has even more valuable information that I'd like to see get more attention – specifically, the practices that mitigate or prevent such vulnerabilities. A proactive Top Ten mitigation tactics would be a very valuable thing. It's always easier to identify problems, but the real value comes when you can also identify steps you can take to fix or ideally prevent these problems from manifesting in the first place.
A common security maturity lifecycle
Find & Fix
The OWASP Top Ten list's vulnerability centric approach is indicative of the way most organizations approach application security. For most, the first step is to buy tools or conduct assessments that discover vulnerabilities and then scramble to plug the holes; this is the classic "find and fix" approach. Nothing wrong with it, but from an application security maturity perspective, it's relatively low on the evolution scale.
Defend in Place
Often, an organization realizes that they need to put a stop-gap measure in place because it will take a lot of time an effort to fix the vulnerabilities identified. This typically manifests in the form of web appellation firewalls (WAFs) and other "defend in place" solutions. Over time, most people recognize that they need to address the problem at the source. This is also often coupled with the realization that architect, developer, and QA/test teams are under-educated with respect to application security (the same vulnerabilities recur time and time again).
Fix at the Source
This approach can take a while to get right, but is the most effective approach to application risk management. Education and training doesn't happen overnight and an ideal solution combines the new know-how with augmented SDLC activities and integration with existing tools and infrastructure: security assessment, software development process, reporting, defect management, et al.
Protecting data isn't just about understanding and finding vulnerabilities; you need to design security in, provide defense mechanisms, and use compensating controls to reduce application risk. There is a consensus and active dialogue amongst OWASP leaders that we need a Top 10 for proactive, preventative measures– the challenge is figuring out what such a list would look like.
My recommendation is a short, easy-to-consume list of defense measures (i.e. input sanitation, data validation, etc.) that can be adopted relatively quickly and serve as the basis for a maturity evolution for development/IT Teams……
………Perhaps the OWASP Top Mitigation List?
Fill in your own blank: The OWASP Top Ten _____________ List.
Security Innovation offers a free OWASP Top Ten: Threats & Mitigations eLearning course that takes a proactive, address-at-the-source approach to web application security. Have a look and see if this might be a good foundation for the next generation OWASP Top Ten list.