Why You Shouldn’t Use the OWASP Top 10 as a List of Software Security Requirements

Thursday, February 21, 2013

Rohit Sethi


On February 15, the Open Web Application Security Project (OWASP) released its release candidate for the 2013 list of the Top 10 web application security flaws. The candidate list has been published and is open for public comment; the final Top 10 is due out in April or May.

If it is anything like previous years, the OWASP Top 10 2013 will become the de facto yardstick that organizations use to decide whether their applications are secure. This is at least partly because the Payment Card Industry Data Security Standard (PCI DSS) explicitly references the OWASP Top 10.

The challenge is that while the Top 10 describes classes of security flaws, those classes don't map cleanly onto requirements. To see why, take one of the current Top 10 entries, A2: Broken Authentication and Session Management. How do you assert that you aren't vulnerable to A2? Unlike, say, Cross-Site Scripting, where you know specifically what to look for (context-aware output escaping backed by input validation), A2 is a broad class of vulnerabilities. Some of them are very common across all technology stacks:

  • Are stored user passwords salted and hashed?
  • Are passwords protected in transit (sent only over TLS)?
  • Is the ‘forgot password’ mechanism protected against brute-force guessing?

Others are specific to a particular technology stack:

  • If relying on X.509 mutual authentication, do you validate the client certificate's chain of trust?
  • If implementing SAML, are you using the HTTP POST binding rather than the HTTP Redirect binding, so that the SAML message does not travel in a URL query string that proxies and servers along the way can log or cache?
  • If implementing a custom session management mechanism, do session identifiers have enough entropy that they cannot be guessed?
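To show what it takes to turn three of the bullets above into something a test suite can actually assert on, here is an added example (not code from the original post): salted password hashing, a brute-force guard on the reset flow, and a session ID entropy check. The iteration count, the 128-bit threshold, the PasswordResetGuard class and the deliberately weak generator are all assumptions made for illustration. The session ID part also shows why an outside-in check is not enough: a counter-based ID passes the alphabet-and-length test a scanner would run, and only a check that knows how IDs are generated catches it.

```python
# Three A2 bullets (salted password hashes, brute-force protection on 'forgot
# password', session ID entropy) restated as checks a test suite can assert on.
# Added example for this page, not code from the original post; the thresholds,
# the guard class and the weak generator are assumptions.
import hashlib
import hmac
import math
import os
import secrets
from typing import Dict, Optional

# ---- Are stored passwords salted and hashed? --------------------------------
PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it to what your servers tolerate

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored in a self-describing string."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

# ---- Is 'forgot password' protected against brute force? ---------------------
class PasswordResetGuard:
    """Issues one reset code per account and stops accepting guesses after MAX_ATTEMPTS.
    A 128-bit code is not guessable online anyway; the lockout is what makes a short
    (e.g. 6-digit) code survivable, and it costs nothing to keep for both."""
    MAX_ATTEMPTS = 5

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}
        self._failures: Dict[str, int] = {}

    def issue(self, account: str) -> str:
        code = secrets.token_hex(16)  # 32 hex chars from the OS CSPRNG
        self._codes[account] = code
        self._failures[account] = 0
        return code

    def redeem(self, account: str, code: str) -> bool:
        if account not in self._codes or self._failures[account] >= self.MAX_ATTEMPTS:
            return False  # no outstanding reset, or locked out
        if hmac.compare_digest(self._codes[account], code):
            del self._codes[account]  # single use
            return True
        self._failures[account] += 1
        return False

# ---- Do custom session IDs have enough entropy? ------------------------------
MIN_SESSION_ID_BITS = 128  # assumed policy threshold
URLSAFE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
HEX_ALPHABET = "0123456789abcdef"

def generate_session_id() -> str:
    return secrets.token_urlsafe(16)  # 16 CSPRNG bytes: 128 bits of real entropy

_counter = 0

def weak_session_id() -> str:
    """Deliberately bad generator: 32 hex chars that are just md5 of a counter."""
    global _counter
    _counter += 1
    return hashlib.md5(str(_counter).encode()).hexdigest()

def apparent_entropy_bits(session_id: str, alphabet: str) -> float:
    """What a scanner can measure from the outside: len * log2(|alphabet|).
    This is only an upper bound; the weak generator above passes it too."""
    return len(session_id) * math.log2(len(alphabet))

def predictable(session_id: str, window: int = 10_000) -> bool:
    """Generator-aware check: can the ID be reproduced from a small counter space?
    Only possible once you know how IDs are made, which is the article's point."""
    return any(hashlib.md5(str(i).encode()).hexdigest() == session_id for i in range(window))

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", stored))
    good, bad = generate_session_id(), weak_session_id()
    print("apparent bits:", apparent_entropy_bits(good, URLSAFE_ALPHABET),
          apparent_entropy_bits(bad, HEX_ALPHABET), "predictable:", predictable(good), predictable(bad))
```

Each function here corresponds to one sentence of a requirement ("reset codes lock after five failures", "session IDs carry at least 128 bits from a CSPRNG"), which is the level of specificity the bullets need before anyone can claim A2 has been assessed.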

In our experience, few organizations go to the level of detail of spelling out which specific requirements they are assessing. Instead, they may run the application through a scanner that tests only a small subset of the threats above and declare that A2 has been accurately assessed. In other cases, they may have a penetration tester run an opaque set of tests against the application and declare that no authentication or session management vulnerabilities were found. OWASP has long understood this, and has gone to the length of creating the far more comprehensive Application Security Verification Standard (ASVS) project. Unfortunately, that project receives only a fraction of the attention the Top 10 does.

In addition to the breadth of specific threats, the other obvious problem with using the OWASP Top 10 as a yardstick is that it can leave out very serious vulnerabilities for a particular application entirely. For example, a Rails application may be vulnerable to mass assignment, and that won't be assessed simply because it is not one of the Top 10.
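As an added illustration of the vulnerability class just mentioned (not code from the original post, and plain Python rather than Rails), the following shows the mass assignment pattern beside its whitelisted form. The User model, the permitted-field list and the tampered form submission are constructed for the example.

```python
# Mass assignment, shown in plain Python: the vulnerable update copies every
# submitted field onto the model, the way a Rails model with no attr_accessible
# whitelist accepted params[:user] before strong parameters. Added example for
# this page; the model, whitelist and request are assumptions.
from typing import Any, Dict, List, Tuple


class User:
    """Stand-in for an ORM model whose columns include a privilege flag."""

    def __init__(self, name: str = "", email: str = "", is_admin: bool = False) -> None:
        self.name = name
        self.email = email
        self.is_admin = is_admin


def update_profile_unsafe(user: User, params: Dict[str, Any]) -> User:
    """Vulnerable: a field the profile form never rendered (is_admin) still lands."""
    for key, value in params.items():
        setattr(user, key, value)
    return user


PERMITTED_PROFILE_FIELDS = frozenset({"name", "email"})  # assumed whitelist


def update_profile_safe(user: User, params: Dict[str, Any]) -> Tuple[User, List[str]]:
    """Hardened: only whitelisted keys are applied; the rest are returned so the
    caller can log the attempt (an is_admin in a profile form is worth an alert)."""
    rejected = sorted(set(params) - PERMITTED_PROFILE_FIELDS)
    for key in PERMITTED_PROFILE_FIELDS & set(params):
        setattr(user, key, params[key])
    return user, rejected


# Constructed request body: the attacker adds a field the form never offered.
TAMPERED_FORM = {"name": "mallory", "email": "m@example.invalid", "is_admin": "true"}

if __name__ == "__main__":
    victim = update_profile_unsafe(User(), dict(TAMPERED_FORM))
    print("unsafe is_admin:", repr(victim.is_admin))  # the string "true", which is truthy
    safe, rejected = update_profile_safe(User(), dict(TAMPERED_FORM))
    print("safe is_admin:", safe.is_admin, "rejected:", rejected)
```

Note that the value written by the unsafe path is the string "true", not a boolean; any later `if user.is_admin:` check treats it as true, which is exactly how a form field becomes a privilege escalation.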

The OWASP Top 10 is a great awareness tool, but it’s not a substitute for a tailored set of software security requirements.

Alberto Gonzalez Personally, if I have to check a web application for vulnerabilities I use the OWASP Top 10 and the SANS Top 25 (http://www.sans.org/top25-software-errors/), but people must also check for technology-specific vulnerabilities like the ones mentioned in your last paragraph.

I think the OWASP Top 10 is a good starting point for people who have no idea where to start looking for vulnerabilities in web applications.
Jessica Barden Forgot password is not the way to protect against brute force attacks. My friend suggested I read about security flaws on http://www.writingbunch.co.uk/ and I have discovered many ideas through it.
alex roy I agree with your post, and I would even offer that we as security practitioners are doing a disservice to our customers (internal or external) when we report vulnerabilities using the language of the OWASP Top 10. What does "broken session management" mean to a business stakeholder? It probably means the same thing as when my mechanic tells me that my exhaust gas recirculation valve needs to be replaced.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.