from Hacker News

Understanding the OWASP list

by flywithdolp on 10/13/19, 7:03 AM with 50 comments

  • by jpalomaki on 10/13/19, 12:32 PM

    I think most should be actually checking the "OWASP Application Security Verification Standard Project" [1] instead of just the Top 10 list.

    The application security verification standard has quite clear requirements that you can just feed into your software development process. The requirements are split into three different levels, L1, L2 and L3. L1 requirements are more or less straightforward, standard application development stuff. L2 and L3 go more into processes. The idea is also that the L1 requirements can be verified by external penetration testing, without access to source code.

    I would say the L1 requirements are something everybody involved in creating web apps professionally should check. Maybe some of the requirements don't make sense for your particular application, but for those cases it is a good exercise to write down why not.

    [1] https://www.owasp.org/index.php/Category:OWASP_Application_S... (the document can be downloaded from the links on the right side)

  • by rtempaccount1 on 10/13/19, 10:19 AM

    The OWASP Top 10 is intended as an awareness tool to help raise visibility of web app security issues.

    I'd agree with the article that it gets misused (a lot) as some kind of checklist that, if you apply, you can have a "secure" application.

    Ironically OWASP has several other great projects that are designed to provide methodologies to improve application security like ASVS https://www.owasp.org/index.php/Category:OWASP_Application_S... and at a more organizational level, OWASP SAMM https://owaspsamm.org/ .

    Where I do feel some frustration with this article is where, to me, it feels like it's suggesting that "shift left security" (the idea that security activities should take place earlier in the development lifecycle) is in any way a new concept.

    The idea of doing more application security work early in the development process has been around at least 20 years and probably more.

    Instead of having new buzzwords for it, to try and make it more attractive, I'd be much more interested in a study of why after all this time it's still not uncommon to see a first security touchpoint for a project be a penetration test done 2 weeks before go-live.

  • by fulafel on 10/13/19, 10:45 AM

  • by petra on 10/13/19, 12:15 PM

    The Lift Scala framework offers protection against many of the OWASP vulns automatically:

    https://seventhings.liftweb.net/security

    Can this be improved to include support for all the OWASP? If not, why?

  • by kingofpee on 10/13/19, 10:33 AM

    Never heard of OWASP before

    Do programmers really follow it? Is it the status quo for companies to make sure their software follows the OWASP Top 10 like a checklist?

  • by unixhero on 10/13/19, 1:44 PM

    Yup. And add MITRE ATT&CK to that list