The OWASP Top Ten is an expert consensus of the most critical risks facing web applications and the teams who develop them. Its primary purpose is to raise awareness and provide a framework for prioritizing your application security efforts. You can use the OWASP Top 10 to address the most common attacks and vulnerabilities that expose your organization to attack.
Due to the importance of Application Security in reducing overall IT risk, the OWASP Top 10 has been adopted or referenced by a large number of government agencies, industry standards bodies, and prominent companies such as Microsoft, PCI Security Standards Council, Citibank, NIST and others. These organizations continue to hone and enhance the OWASP Top Ten so it reflects the reality of today’s threatscape. An update for 2017 will be released by the end of this year to include all that’s changed and been learned since the last release in 2013.
The OWASP Top Ten Project has been successful because it’s easy to understand, it helps users prioritize risk, and it’s actionable. There’s a lot to love:
- For the most part it focuses on the most critical threats, rather than specific vulnerabilities. Threats are a more stable measure of risk because they never go away and can provide a framework to think about attacks and vulnerability trends.
- The release cadence of every 3 years matches the tempo of change in the application security market, so the recommendations can be produced with confidence that they don’t reflect short-term fluctuations.
- It’s not just about secure coding; there is a great deal of technical information about key risks and countermeasures. All the various exams, tools, methodologies and checklists are designed to be used at every phase of software development.
- There is a passionate and knowledgeable community contributing, with varying points of view to get a thorough understanding of the current state of application security.
- There are other lists that go beyond web application security - there are an OWASP Mobile Top Ten and a Privacy Risks project, as well as a new list of proactive controls.
- It can be used as security marching orders to align teams and to justify security activities to management, and to show progress over time toward industry standard security and compliance.
For more information on the OWASP Top Ten, check out our on-demand webinar, OWASP Top 10: Threats & Mitigations, for more on interpreting threats and providing actionable offensive and defensive best practices.