OWASP is key to levelling up as a software engineer
"The problem of insecure software is perhaps the most important technical challenge of our time"
Eoin Keary, OWASP Global Board
What is OWASP?
The Open Web Application Security Project was created by a group of people who work within technology.
Its aim is to make secure coding practices so accessible that everyone is empowered to build securely by default.
The OWASP community uses a "wiki" approach to keep up with the speed of change in the threat landscape.
Keeping this information up to date is a critical aspect of the project.
"Security should not be a black art or closed secret that only a few can practice. The project to build this guide keeps this expertise in the hands of the people who need it: you, me and anyone that is involved in building software."
Eoin Keary, OWASP Global Board
You've probably heard of the Top 10. But what is it?
The OWASP Top Ten is widely regarded as the first step towards more secure coding.
It's important not to treat it as a complete checklist of everything you can do to remain secure; think of it as a good start.
If you're covering the Top 10 in a web app or piece of software you're building, you're likely to be a lot better protected than otherwise.
How do they choose what goes into the top 10?
The 2021 Top 10 is ranked based on a few factors. A combination of these factors contributes to the score that decides a threat's inclusion and position in the Top Ten. The three categories are likelihood, detectability and impact.
They use a standard risk model to determine how many points each risk has.
Risk = Likelihood * Impact
I'll only include the main factors from the methodology here, but you can read a more in-depth explanation of the risk rating methodology here.
Likelihood
A threat agent is an individual or group that exploits, or has the ability to exploit, a vulnerability. The threat agent factors are:
Motive
- How motivated is this group of threat agents to find and exploit this vulnerability?
Skill Level
- How technically skilled is this group of threat agents?
Opportunity
- What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability?
Size
- How large is this group of threat agents?
The vulnerability factors are:
Ease of Discovery
- How easy is it for this group of threat agents to discover this vulnerability?
Ease of Exploit
- How easy is it for this group of threat agents to actually exploit this vulnerability?
Awareness
- How well known is this vulnerability to this group of threat agents?
Intrusion Detection
- How likely is an exploit to be detected?
Impact
Loss of Confidentiality
- How much data could be disclosed and how sensitive is it?
Loss of Integrity
- How much data could be corrupted and how damaged is it?
Loss of Availability
- How much service could be lost and how vital is it?
Loss of Accountability
- Are the threat agents' actions traceable to an individual?
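The factors listed above are the inputs to OWASP's Risk Rating Methodology, and the post only shows the high-level formula Risk = Likelihood * Impact. The following is an added example, not code from the post or from OWASP, showing how the methodology turns factor scores into a severity. It assumes the methodology's 0-9 scale for each factor, the averaging of the likelihood factors and of the impact factors, the LOW (< 3) / MEDIUM (< 6) / HIGH thresholds, and its 3x3 likelihood-by-impact severity matrix; the scores for the sample finding are constructed for illustration and do not describe any real system.

```python
"""Score a finding with the OWASP Risk Rating Methodology (added example)."""

# Factor names match the post; each is scored 0-9 (0 = lowest, 9 = highest).
THREAT_AGENT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY_FACTORS = ("ease_of_discovery", "ease_of_exploit",
                         "awareness", "intrusion_detection")
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability")
LIKELIHOOD_FACTORS = THREAT_AGENT_FACTORS + VULNERABILITY_FACTORS

# Overall severity matrix from the methodology, keyed (likelihood, impact).
SEVERITY = {
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score):
    """Map an averaged 0-9 score onto the methodology's three bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(factors, names):
    """Average the named factors, rejecting missing or out-of-range scores."""
    values = []
    for name in names:
        if name not in factors:
            raise ValueError(f"missing factor: {name}")
        score = factors[name]
        if not isinstance(score, (int, float)) or not 0 <= score <= 9:
            raise ValueError(f"factor {name} must be a number in 0..9, got {score!r}")
        values.append(score)
    return sum(values) / len(values)


def rate(factors):
    """Return likelihood and impact scores, their bands, and the overall severity."""
    likelihood = _average(factors, LIKELIHOOD_FACTORS)
    impact = _average(factors, IMPACT_FACTORS)
    likelihood_level, impact_level = level(likelihood), level(impact)
    return {
        "likelihood_score": likelihood,
        "likelihood": likelihood_level,
        "impact_score": impact,
        "impact": impact_level,
        "severity": SEVERITY[(likelihood_level, impact_level)],
    }


# Constructed scores for a hypothetical injection flaw in an internet-facing app.
SAMPLE_FINDING = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 5,
    "loss_of_availability": 5, "loss_of_accountability": 7,
}

if __name__ == "__main__":
    for key, value in rate(SAMPLE_FINDING).items():
        print(f"{key}: {value}")
```

Note that `intrusion_detection` is scored so that a higher number means detection is *less* likely, in line with the methodology's convention that 9 is always the worst case for the defender; that is why weak logging pushes the likelihood score up rather than down.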
Why is this so important for us as developers?
There are not nearly enough security experts in the world to make any significant dent in the overall problem of cyber crime and catch all of the criminals.
It's important to remember that there is no single strategy that will guarantee success. The point of coding securely is to slow attackers down.
Nothing is bulletproof, but it is important we implement strategies that make it less likely that an attack will be successful.
The front line of defence for application security must be us, as the builders of the technology being used by the people who are trusting us with their data.
So what are the top 10?
As of 2021, the Top 10 are:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
How does using OWASP make you a better developer?
You'll build more secure code by default
You'll catch vulnerabilities earlier
You'll build more robust code as a result
Interested in learning more?
If you're a black woman in tech, Coding Black Females with CybSafe will be running an "Introduction to Cyber Security and secure coding practices" course.
This course will give an introduction to key cyber security concepts that are critical to producing secure code. Based on the OWASP top 10, you will be introduced to methods used by attackers to compromise web applications, as well as be provided with the methods to mitigate them.
Closing date for applications: May 9th
Start Date: Monday 20th June
Programme Length: 6 Weeks
Day and Time: Monday 6-7pm BST