OWASP is the kickass foundation that develops open source solutions developers & appsec pros can use to improve security — here’s what you need to know
If you’re someone who’s just trying to wrap your brain around understanding what the biggest cybersecurity risks are, it can be confusing. There are a lot of different resources to look at, and there’s one in particular that you might have heard of but know nothing about. That’s likely something called OWASP.
But what is OWASP and why is it something you definitely need to know? Let’s break down what it is and some of the things it encompasses.
What Is OWASP and What Does OWASP Stand For?
OWASP, which stands for the Open Web Application Security Project, is a credible non-profit foundation that focuses on improving security for businesses, customers, and developers alike. It does this through dozens of open source projects, collaboration and training opportunities. Whether you’re a novice or an experienced app developer, OWASP has something to offer.
That’s because OWASP is well-known throughout the appsec community — and it’s no small thing. In fact, OWASP is a massive, goal-oriented community that consists of tens of thousands of members across more than 275 local chapters around the world! Since 2001, it has enabled professionals to come together to work toward a greater goal of improving application security.
When most people think of OWASP, their thoughts tend to automatically focus on the OWASP top 10 list. But what if I told you that there was more to OWASP than just its best-known top 10 list? Let’s explore them, starting with the first (and best known) list of vulnerabilities.
Exploring the OWASP Top 10 Vulnerabilities
We won’t go too deeply into the topic of the OWASP top 10 vulnerabilities here, but we’d be remiss if we didn’t at least take the time to mention them. That’s a critical part of answering the question “what is OWASP?”
The list of the OWASP top 10 vulnerabilities is much like how it sounds — it’s a list of the 10 most critical security risks to web applications that have been identified by developers. It’s an invaluable resource that can help you to increase security and implement change within your organization by minimizing risks. Updated every few years, it’s something that developers and organizations worldwide have come to rely upon for information on critical cyber security-related vulnerabilities.
So, what are the top 10 application security vulnerabilities?
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
As I said just moments ago, I’m not going to drill down into the specifics here. If you want to learn more about what these individual vulnerabilities are and how to mitigate them, be sure to check out our other blog that specifically focuses on the OWASP top 10 vulnerabilities.
Next, we’re going to move on to the next and newest list of OWASP vulnerabilities.
OWASP Top 10 Internet of Things Project
The Internet of Things (IoT) is growing at an unprecedented rate. Gartner forecasts that by 2021, there will be 25 billion connected devices in use. This gives a glimpse into the level of growth that we’re talking about here. That’s a lot of devices — potentially insecure devices — that are connected to networks and creating vulnerabilities that hackers can exploit.
This is another place that OWASP can help. OWASP’s top 10 internet of things aims to help all stakeholders — everyone from manufacturers and developers to the end users — better understand the risks of connected technology in an ever-increasing IoT world.
Now, they’ve put out a list of the 10 most critical pitfalls to avoid when developing, deploying, and/or managing IoT systems.
So, what items make the list of the OWASP top 10 Internet of Things vulnerabilities?
- Weak, Guessable, or Hardcoded Passwords
- Insecure Network Services
- Insecure Ecosystem Interfaces
- Lack of Secure Update Mechanism
- Use of Insecure or Outdated Components
- Insufficient Privacy Protection
- Insecure Data Transfer and Storage
- Lack of Device Management
- Insecure Default Settings
- Lack of Physical Hardening
We’ll go more into this in a future article on Infosec Insights. But for now, let’s move on to one example of how these lists of vulnerabilities are applied within the community.
What Is OWASP Juice Shop?
According to the OWASP website, the name “juice shop” actually comes from a word-by-word reverse translation from German’s saftladen, which roughly means “dump” or “useless outfit.”
Um, yeah. Well, that definition probably doesn’t help much. Let’s dig a little deeper.
Basically, OWASP’s Juice Shop is a place where developers, pen testers, and other users can go to test out and exploit vulnerabilities on an insecure system. That’s because, despite its unintuitive name, the juice shop is a modern and sophisticated web application that’s intentionally designed to be insecure. It is designed with the OWASP Top Ten list of vulnerabilities built into it.
But why would someone create something like that, that’s completely insecure? Essentially, the OWASP Juice Shop was created to serve as a guinea pig and testing ground for dev and IT security experts alike. This powerful platform is useful for awareness demonstrations, capture the flag (CTF) events, security trainings, and other purposes.
What are the benefits of using the OWASP Juice Shop?
- It’s Free and Accessible to Anyone. Don’t want to pay for a license or have to deal with bureaucratic headaches? Don’t. That’s one of the beautiful things about OWASP Juice Shop — it’s here, it’s available, and you don’t have to fork a bunch of money or resources over to use it. In this case, you can’t beat free.
- It’s Self-Contained and Auto-Resets. Everything you need is pre-packaged and downloads automatically. Furthermore, once you’re done with the databases, it auto-wipes and repopulates every time the server restarts. This way, you never have to worry about resetting everything manually the next time you want to use it.
- Offers Multiple Installation Options. Want to run it on Windows or Linux? Awesome. You can choose between Docker, Node.js and Vagrant.
- Tracking Made Easy. Imagine an application that notifies you whenever challenges are solved. The OWASP Juice Shop does that. Furthermore, if you want to keep tabs of successful vulnerability exploits, you can do so using its user-friendly scoreboard feature.
- Make It Your Own. Want the application to look like it’s one of your corporate solutions? No problem. The OWASP juice shop is fully customizable in terms of branding.
What Is OWASP IoT Goat?
Much like OWASP Juice Shop, OWASP IoTGoat (which was set to be released in December 2019) is an insecure platform that’s used for educational and demonstrative purposes. It’s based on OpenWrt, or what’s known as OPEN Wireless RouTer, an open-source Linux-based router firmware.
Essentially, IoTGoat is the IoT equivalent of the Juice Shop. Much like how OWASP Juice Shop integrates the Top 10 application vulnerabilities, IoTGoat is built with IoT vulnerabilities integrated into it. Why? Because there are many unaddressed vulnerabilities that can be found in IoT devices, and the project aims to teach users about the most common varieties. That means, of course, that these vulnerabilities are based on the OWASP Top 10 IoT Vulnerabilities that we mentioned earlier.
What Is OWASP Zed Attack Proxy (ZAP)?
OWASP ZAP, or what’s known as the OWASP Zed Attack Proxy, is a flexible and invaluable web security tool for new and experienced app security experts alike. Essentially serving as a man-in-the-middle (MitM) proxy, it intercepts and inspects messages that are sent between the client and the web application that’s being tested.
With its powerful APIs and security automation, ZAP simplifies the software security testing process for everyone from new testers to experienced app developers and testing specialists.
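The “APIs and security automation” mentioned above are what let ZAP sit inside a build pipeline rather than only on a tester’s desktop. The script below is an added illustration (not code from the ZAP project or from this article): it reads the alert list from a running ZAP instance through ZAP’s REST API (`/JSON/core/view/alerts/`, authenticated with the `X-ZAP-API-Key` header), dedupes the findings, counts them per risk level and decides whether a build should pass. The ZAP address (`http://localhost:8080`), the API key value and the target URL (a locally running Juice Shop) are assumptions, and `SAMPLE_ALERTS` is constructed data shaped like ZAP’s alert records so the summary logic runs without a live ZAP.

```python
"""
Summarise OWASP ZAP alerts for a CI gate.

Added example, not ZAP project code.  Assumes a ZAP daemon on
http://localhost:8080 with an API key, and a target application that
you own and are allowed to test (here: a local Juice Shop instance).
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

ZAP_BASE = "http://localhost:8080"   # assumption: default ZAP daemon address
API_KEY = "changeme"                 # assumption: placeholder, set your own in ZAP
TARGET = "http://localhost:3000"     # assumption: local Juice Shop
RISK_ORDER = ("High", "Medium", "Low", "Informational")


def alerts_url(target: str, start: int = 0, count: int = 500, base: str = ZAP_BASE) -> str:
    """Build the URL of ZAP's core/view/alerts endpoint, filtered to one target."""
    query = urllib.parse.urlencode({"baseurl": target, "start": start, "count": count})
    return f"{base}/JSON/core/view/alerts/?{query}"


def fetch_alerts(target: str, api_key: str = API_KEY, base: str = ZAP_BASE) -> list:
    """GET the alert list from a running ZAP; the key travels in X-ZAP-API-Key."""
    req = urllib.request.Request(
        alerts_url(target, base=base), headers={"X-ZAP-API-Key": api_key}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["alerts"]


def summarize(alerts: list) -> dict:
    """Count alerts per risk level.  ZAP reports one alert per affected
    parameter, so the same finding on the same URL is counted only once."""
    seen = set()
    counts = Counter()
    for alert in alerts:
        key = (alert.get("alert"), alert.get("url"))
        if key in seen:
            continue
        seen.add(key)
        counts[alert.get("risk", "Informational")] += 1
    return {risk: counts.get(risk, 0) for risk in RISK_ORDER}


def gate(summary: dict, fail_on: str = "Medium") -> bool:
    """Return True when the build may proceed: nothing at or above fail_on."""
    threshold = RISK_ORDER.index(fail_on)
    return all(summary[risk] == 0 for risk in RISK_ORDER[: threshold + 1])


# Constructed sample records in the shape ZAP returns (fields trimmed).
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Medium", "url": "http://localhost:3000/rest/products/search",
     "param": "q", "cweid": "79"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Medium", "url": "http://localhost:3000/rest/products/search",
     "param": "callback", "cweid": "79"},          # same finding, other parameter
    {"alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium",
     "confidence": "High", "url": "http://localhost:3000/", "param": "", "cweid": "693"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://localhost:3000/", "param": "", "cweid": "693"},
]


if __name__ == "__main__":
    # Live run against your own ZAP; falls back to the constructed sample.
    try:
        alerts = fetch_alerts(TARGET)
    except Exception as exc:  # no ZAP reachable: demonstrate on sample data
        print(f"ZAP not reachable ({exc}); using constructed sample alerts")
        alerts = SAMPLE_ALERTS
    summary = summarize(alerts)
    for risk in RISK_ORDER:
        print(f"{risk:14s} {summary[risk]}")
    print("build may proceed:", gate(summary))
```

Dedupe by (alert name, URL) is a deliberate choice: a CI summary should tell you how many distinct problems to fix, not how many parameters ZAP probed. Raise or lower `fail_on` to match the risk appetite of the pipeline; the full records still carry `param`, `evidence` and `solution` fields for the developer who fixes the finding.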
What’s OWASP Known for Concerning Security?
Creating top 10 lists and intentionally insecure environments aren’t all that OWASP is known for. The Open Web Application Security Project has multiple other notable projects going on simultaneously. Their projects can be broken down into a few overarching categories:
- Flagship Projects — This category includes projects like OWASP Juice Shop, OWASP SAMM, OWASP Top Ten, OWASP ZAP, etc. (We’ll talk about some of these shortly.)
- Lab Projects — These projects include OWASP Internet of Things, OWASP WebGoat, OWASP Enterprise Security API (ESAPI), etc.
- Incubator Projects — This group of projects includes the OWASP Risk Assessment Framework (RAF), OWASP Docker Top 10, OWASP SamuraiWTF, etc.
- Projects Requiring Website Updates — This category includes OWASP Broken Web Applications, OWASP Cloud Security, OWASP Honeypot, etc.
We don’t have the time to cover all of them, so be sure to check out the previous link if you want to see them all.
Three examples of other notable OWASP projects include:
OWASP Cheat Sheet Series (OCSS)
This resource, which now lives in an OCSS GitHub repository, provides appsec security professionals with shortcuts and guidance through “cheat sheets” on specific security-related topics. The idea behind the OWASP Cheat Sheet Series was to create quick resources that help to lessen the burden of their responsibilities.
OWASP Security Assurance Maturity Model (SAMM)
Need to improve the security posture of your software in a measurable way? Then look no further than OWASP SAMM. This self-assessment model helps you to evaluate your existing software security practices and security-related activities. Simply put, it’s another open framework that helps organizations create risk-specific strategies to improve their software security.
OWASP Security Knowledge Framework (SKF)
Looking for appsec best practices? Not sure of the best approach to writing secure code? Or, maybe you want to learn how to integrate security by design into your web app(s). No worries — regardless of which scenario best fits your situation, OWASP has you covered. Their Security Knowledge Framework, or SKF for short, is an open-source knowledge base for app developers that provides those types of information. It serves as a great training resource as well and provides excellent examples and guidance for how to approach different appsec issues.
No matter whether you’re a software developer, an ethical hacker, or just an IT security professional who wants to keep your business and software applications secure, OWASP is an essential resource.