Mapping Research Against the OWASP Top 10 to Develop an Effective Application Security Model

Posted by Tom Bain on June 5, 2012 at 11:20 AM

The OWASP Top 10 has become a globally recognized informal standard for web application security. Many organizations are using it to focus their application security and compliance programs so that they can model their these programs after a widely-used and proven best practices model.

The OWASP Top 10 list is a consensus among many of the world’s leading information security experts about the greatest risks, based on  frequency of attacks and the magnitude of the impact these attacks have on businesses. Because it is based on risk and not just sheer volume of vulnerabilities found in applications, it is an incredibly effective means of assessing criticality of vulnerabilities. The concept is to build processes to prevent the ten most serious web-based attacks, and reduce security risks and development costs.

Recently,  Ponemon Institute’s 2010 Annual Study: U.S. Cost of a Data Breach found an average cost of $194 per compromised customer record, which is down from $214 per record compromised and that the average cost of a data breach has also decline from $7.2 million in 2010 to $5.5 million for 2011 breaches. One of the conclusions is that many enterprises have neglected to build adequate safeguards into their software applications. 

Further, Security Innovation developed a study with the Ponemon Institute that focused on application security specifically, building on the costs of data breaches across enterprise organizations. The unique factor going into this study was that it was a side-by-side comparison between security personnel and developers, measuring their perceptions and perspectives on application security – the five key takeaways were as follows:

Finding #1: Organizations aren’t prioritizing Application security as they should be. This is evidenced by the fact that 64% of security professionals and 79% of developers stated they have no process for building security into software, like an SDLC (without a process in place, any appsec initiative is doomed).

Finding #2: Organizations don’t seem to know how to fix vulnerable code, and the fact that 29% of security execs and 47% of developers state they have no formal mandate to remediate those vulnerabilities (this demonstrates a major disconnect).

Finding #3: Insecure software is causing data breaches at an alarmingly high rate, as 43% of security and 59% of developers stated they’ve experienced between 1-10 data breaches in the past 24 months (not a good track record).

Finding #4: It’s clear that organizations seem to be in the dark on who should be responsible for implementing application security, as 64% of security and 44% of developers responded that they do not collaborate (certainly difficult to implement an appsec program if those two groups aren’t talking).

Finding #5: Social media (and mobile technologies) are daunting to organizations, where just about half of the security and developer respondents stated that they feel these represent the biggest threat over the next two years (better test these apps and get some in-house expertise on how these apps are coded).

Overall, application security is rapidly recognized as a top priority, and OWASP’s primary objective is to educate business managers and technical personnel on how to assess and protect against a wide range of application vulnerabilities. Both Ponemon studies align fundamentally with OWASP’s list, in that is critical to prioritize building security into software applications based on the seemingly innumerable methods of attack.

Check out the presentation of this research from Ed Adams and Larry Ponemon on-demand.

The Top 10 list and other OWASP projects are rich in content, and really can help an organization transform application security. Establishing a strong foundation of training, standards and tools that make secure coding possible is key, and this white paper might serve as a resource for your organization: Simplifying Application Security & Compliance with OWASP Top Ten Whitepaper.

From a technical perspective, OWASP’s Top 10 list of critical security risks can be used at each stage of the software development life cycle to strengthen design, coding and testing practices - and can be used to justify security activities to show progress over time toward industry standard security and compliance. So check out this out too: OWASP Top Ten for Developers Whitepaper.

 

Topics: application security

Tom Bain

Written by Tom Bain