OWASP is 🔑 to level up as a software engineer

Jessie Auguste
CodingBlackFemales
Published in
4 min read · Mar 20, 2022

“The problem of insecure software is perhaps the most important technical challenge of our time”

Eoin Keary, OWASP Global Board

What is OWASP?

The Open Web Application Security Project is created by a group of people who work within technology.

Their aim is to make secure coding practices so accessible that everyone is empowered to build securely by default.

The OWASP community use a ‘wiki’ approach to keep up with the speed of change in the threat landscape.

Keeping this information up to date is a critical aspect of the project.

“Security should not be a black art or closed secret that only a few can practice. The project to build this guide keeps this expertise in the hands of the people who need it — you, me and anyone that is involved in building software.”

Eoin Keary, OWASP Global Board

You’ve probably heard the top 10. But what is it?

The OWASP Top Ten is widely regarded as the first step towards more secure coding.

It’s important not to treat it as a complete checklist of everything you can do to remain secure; think of it as a good start.

If you’re covering the top 10 in a web app or software you’re building, you’re likely to be a lot more protected than otherwise.

How do they choose what goes into the top 10?

The 2021 Top 10 is ranked on a few factors. Combined, these factors produce the score that decides whether a threat is included and where it sits in the list. The three categories are likelihood, detectability and impact.

They use a standard risk model to determine how many points each risk has.

Risk = Likelihood * Impact

I’ll only include the main factors from the methodology here, but you can read a more in-depth explanation of the risk rating methodology here.

Likelihood

A threat actor is an individual or group that exploits, or has the power to exploit, a vulnerability.

Motive

  • How motivated is this group of threat agents to find and exploit this vulnerability?

Skill Level

  • How technically skilled is this group of threat agents?

Opportunity

  • What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability?

Size

  • How large is this group of threat agents?

Vulnerability

Ease of Discovery

  • How easy is it for this group of threat agents to discover this vulnerability?

Ease of Exploit

  • How easy is it for this group of threat agents to actually exploit this vulnerability?

Awareness

  • How well known is this vulnerability to this group of threat agents?

Intrusion Detection

  • How likely is an exploit to be detected?

Impact

Loss of Confidentiality

  • How much data could be disclosed and how sensitive is it?

Loss of Integrity

  • How much data could be corrupted and how damaged is it?

Loss of Availability

  • How much service could be lost and how vital is it?

Loss of Accountability

  • Are the threat agents’ actions traceable to an individual?
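The factor list above maps directly onto the OWASP Risk Rating Methodology, where each factor is scored 0 to 9, the likelihood and impact factors are averaged, each average is banded as LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and up), and the two bands are combined in a severity matrix. The calculator below is an added example, not code from the article or from OWASP; the function names and the sample scores are constructed for illustration.

```python
"""Worked OWASP Risk Rating calculation (added example; factor scores are constructed)."""
from statistics import mean

# Threat-agent and vulnerability factors together make up likelihood.
# Note the methodology scores 'intrusion_detection' so that 9 = least likely to be detected.
LIKELIHOOD_FACTORS = ("motive", "skill_level", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
# Technical-impact factors; 'loss_of_accountability' 9 = completely anonymous actions.
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability")

# Overall severity matrix, indexed as SEVERITY[impact_level][likelihood_level]
SEVERITY = {
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
}

def level(score: float) -> str:
    """Map a 0-9 average onto the methodology's three bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def rate_risk(factors: dict) -> dict:
    """Return likelihood, impact and overall severity for one scored finding."""
    missing = (set(LIKELIHOOD_FACTORS) | set(IMPACT_FACTORS)) - factors.keys()
    if missing:  # refuse to rate a partially scored finding rather than silently skewing the mean
        raise KeyError(f"unscored factors: {sorted(missing)}")
    likelihood = mean(factors[f] for f in LIKELIHOOD_FACTORS)
    impact = mean(factors[f] for f in IMPACT_FACTORS)
    l_lvl, i_lvl = level(likelihood), level(impact)
    return {"likelihood": round(likelihood, 2), "impact": round(impact, 2),
            "likelihood_level": l_lvl, "impact_level": i_lvl,
            "severity": SEVERITY[i_lvl][l_lvl]}

# Constructed sample: an easily found, widely known flaw in a rarely monitored component
# that exposes sensitive data but does little to integrity or availability.
SAMPLE_FINDING = {
    "motive": 4, "skill_level": 3, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 9,
}

if __name__ == "__main__":
    print(rate_risk(SAMPLE_FINDING))  # likelihood 6.38 (HIGH), impact 5 (MEDIUM) -> "High"
```

The sample shows why the multiplication in the risk formula matters: the impact on its own is only MEDIUM, but combined with a HIGH likelihood the finding is rated High overall.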

Why is this so important for us as developers?

There are not nearly enough security experts in the world to make any significant dent in the overall problem of cyber crime and catch all of the criminals.

It’s important to remember that there is no single strategy that will guarantee success. The point of coding securely is to slow attackers down.

Nothing is bulletproof, but it is important we implement strategies that make it less likely that an attack will be successful.

The front line of defence for application security must be us, the builders of the technology used by the people who trust us with their data.

So what are the top 10?

As of 2021, the Top 10 are:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery

How does using OWASP make you a better developer?

You’ll build more secure code by default

You’ll catch vulnerabilities earlier

You’ll build more robust code as a result

Interested in learning more?

If you’re a black woman in tech, Coding Black Females with CybSafe will be running an ‘Introduction to Cyber Security and secure coding practices’ course.

This course will give an introduction to key cyber security concepts that are critical to producing secure code. Based on the OWASP top 10, you will be introduced to methods used by attackers to compromise web applications, as well as be provided with the methods to mitigate them.

Apply here!

Closing date for applications: May 9th

Start Date: Monday 20th June

Programme Length: 6 Weeks

Day and Time: Monday 6–7pm BST


Backend Software Engineer at CybSafe, Co-host of Glowing in Tech podcast: linktr.ee/glowingintech