
What Is OWASP? | NOC.org

What Is OWASP?

OWASP (Open Worldwide Application Security Project) is a nonprofit foundation dedicated to improving the security of software. Founded in 2001, OWASP produces freely available tools, documentation, standards, and research that help developers, security professionals, and organizations build and maintain secure applications. OWASP is vendor-neutral and community-driven — its resources are open to everyone and developed through collaborative contribution.

OWASP is best known for the OWASP Top 10, a regularly updated list of the most critical security risks facing web applications. The Top 10 has become the de facto standard for web application security awareness and is referenced by compliance frameworks, security auditors, and development teams worldwide.

The OWASP Top 10

The OWASP Top 10 is a consensus-driven ranking of the most prevalent and impactful web application security risks. The list is updated periodically based on data from hundreds of organizations and thousands of real-world applications. The most recent version (2021) includes the following categories:

A01: Broken Access Control

The most common web application vulnerability. Broken access control occurs when users can act outside their intended permissions — accessing other users' data, modifying records they should not, or escalating privileges. Proper authorization checks on every request are essential.

A02: Cryptographic Failures

Previously called "Sensitive Data Exposure," this category covers failures related to cryptography — transmitting data in plaintext, using weak algorithms, improper key management, or failing to encrypt sensitive data at rest or in transit.

A03: Injection

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. SQL injection (SQLi) is the most well-known form, but injection also includes OS command injection, LDAP injection, and template injection. Input validation and parameterized queries are the primary defenses.
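As an added example, not code from the NOC.org page: the same login lookup written with string concatenation and with a parameterized query, run against an in-memory SQLite table of constructed sample users. The probe value is a constructed malicious input that shows why the first version fails and the second does not.

```python
# Added example (not from the page): SQL injection before and after the fix.
import sqlite3

# Constructed sample data.
SAMPLE_USERS = [("alice", "pw-alice"), ("bob", "pw-bob")]


def make_db():
    """Build a fresh in-memory database with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Untrusted input is spliced into the SQL text, so it is parsed as SQL."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Placeholders keep the input as data; the SQL text never changes."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed malicious password value
    print(login_vulnerable(db, "alice", probe))      # ['alice', 'bob']
    print(login_parameterized(db, "alice", probe))   # []
    print(login_parameterized(db, "alice", "pw-alice"))  # ['alice']
```

Parameterized queries fix the parsing problem; input validation (length, character set, expected type) is still worth adding as a second layer because it also narrows what reaches other interpreters such as LDAP or a template engine.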

A04: Insecure Design

A newer category that addresses fundamental design flaws — security problems that cannot be fixed by a perfect implementation because the design itself is insecure. Threat modeling, secure design patterns, and security requirements in the design phase help prevent these issues.

A05: Security Misconfiguration

Misconfiguration is one of the most common issues in production environments: default credentials, unnecessary features enabled, overly permissive permissions, missing security headers, and verbose error messages that leak information.

A06: Vulnerable and Outdated Components

Using libraries, frameworks, or software with known vulnerabilities. Organizations must track dependencies, monitor for CVEs, and patch or upgrade components promptly. Software vulnerabilities in third-party components are a leading cause of breaches.

A07: Identification and Authentication Failures

Weaknesses in authentication mechanisms: allowing weak passwords, missing multi-factor authentication, susceptibility to session fixation, or no protection against credential stuffing. Broken authentication gives attackers direct access to user accounts and systems.

A08: Software and Data Integrity Failures

Failures related to code and infrastructure that do not protect against integrity violations — insecure CI/CD pipelines, auto-update mechanisms without signature verification, and deserialization of untrusted data.

A09: Security Logging and Monitoring Failures

Without adequate logging and monitoring, breaches go undetected. This category covers insufficient logging, missing alerts, and the inability to detect, escalate, or respond to active attacks in a timely manner.

A10: Server-Side Request Forgery (SSRF)

SSRF flaws occur when a web application fetches a remote resource without validating the user-supplied URL. Attackers exploit SSRF to access internal services, read metadata endpoints in cloud environments, or scan internal networks.
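As an added example, not code from the NOC.org page: an allowlist-based check for a user-supplied fetch URL. It rejects non-HTTP schemes, embedded credentials, hosts outside a constructed allowlist, and any host that resolves to a non-public address (loopback, RFC 1918, link-local, which includes the 169.254.169.254 cloud metadata address). The resolver is injectable so the check can be exercised offline; `ALLOWED_HOSTS` and the resolver signature are assumptions of this example.

```python
# Added example (not from the page): validating a user-supplied URL before
# the server fetches it, as a defence against SSRF.
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of hosts the application is permitted to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def system_resolver(host):
    """Every A/AAAA address the system resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolver=system_resolver):
    """True only if url may be fetched on a user's behalf.

    Checks, in order: scheme, absence of embedded credentials, host
    allowlist, and finally that every address the host resolves to is a
    public one (rejecting RFC 1918, loopback, link-local, and therefore
    the 169.254.169.254 cloud metadata address, and other reserved ranges).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                 # no file://, gopher://, ftp:// ...
    if parts.username is not None or parts.password is not None:
        return False                 # reject user:pass@host rather than parse it
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if host not in ALLOWED_HOSTS:
        return False                 # allowlist, not a denylist of "bad" hosts
    try:
        ips = [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        return False                 # resolution failed or returned junk
    if not ips:
        return False
    return all(ip.is_global for ip in ips)


if __name__ == "__main__":
    print(is_safe_fetch_url("https://api.example.com/v1/items"))
    print(is_safe_fetch_url("http://169.254.169.254/"))   # False: not allowlisted
```

The address that passed the check must also be the one the HTTP client actually connects to, and every redirect must be re-validated; otherwise DNS rebinding or an open redirect on an allowlisted host can still reach internal services.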

How WAFs Use OWASP Rules

A web application firewall (WAF) is one of the primary tools for defending against OWASP Top 10 attacks in production. WAFs inspect incoming HTTP requests and block those that match known attack patterns. The OWASP ModSecurity Core Rule Set (CRS) is an open-source set of WAF rules specifically designed to detect and block the attack types listed in the OWASP Top 10:

  • SQL injection patterns are matched against CRS rules that detect common SQLi syntax in query parameters, headers, and request bodies.
  • Cross-site scripting (XSS) payloads are identified by rules that look for script tags, event handlers, and encoded attack strings.
  • Clickjacking and other client-side attacks are mitigated through security header enforcement.
  • Remote code execution attempts are blocked by rules that detect OS command patterns and known exploit signatures.

WAF rules based on OWASP CRS provide a strong baseline defense, but they are not a substitute for secure coding practices. The most effective security posture combines secure development, regular testing, and runtime protection through a WAF.
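As an added example, not the OWASP CRS itself and not code from the NOC.org page: a miniature anomaly-scoring WAF in the style of CRS. Each constructed rule is evaluated against query parameters, header values and the body after URL-decoding, adds its severity score on a match, and the request is blocked only when the total reaches the inbound threshold. The severity weights and threshold are the CRS defaults; the rule ids and patterns are constructed for illustration and are far simpler than real CRS rules.

```python
# Added example (not CRS code): anomaly-scoring request inspection.
import re
from urllib.parse import unquote_plus

# CRS severity weights and its default inbound anomaly threshold.
CRITICAL, ERROR, WARNING, NOTICE = 5, 4, 3, 2
INBOUND_THRESHOLD = 5

# Constructed toy rules, not CRS rules: (id, description, pattern, score).
RULES = [
    ("toy-942", "SQLi tautology or comment",
     re.compile(r"(?i)(\bor\b\s+['\"]?\d+['\"]?\s*=|--\s|/\*)"), CRITICAL),
    ("toy-941", "XSS script tag or event handler",
     re.compile(r"(?i)(<script\b|\bon(click|load|error|mouse\w*)\s*=)"), CRITICAL),
    ("toy-932", "OS command chaining",
     re.compile(r"(;|\|\||&&)\s*(cat|ls|id|whoami|wget|curl)\b"), CRITICAL),
    ("toy-920", "Path traversal sequence", re.compile(r"\.\./"), WARNING),
]


def normalize(value):
    """URL-decode twice (to catch double-encoding) before matching, the way
    CRS applies its t:urlDecodeUni transformation so that encoded payloads
    do not slip past the patterns."""
    return unquote_plus(unquote_plus(value))


def inspect_request(params, headers, body):
    """Return (blocked, total_score, matched_rule_ids) for one HTTP request.

    Every rule is tested against every parameter value, header value and the
    body; scores accumulate, and the request is blocked only when the total
    reaches the threshold, so a single low-severity hit is logged, not blocked.
    """
    targets = [normalize(v) for v in (*params.values(), *headers.values(), body)]
    score, matched = 0, []
    for rule_id, _desc, pattern, weight in RULES:
        if any(pattern.search(t) for t in targets):
            score += weight
            matched.append(rule_id)
    return score >= INBOUND_THRESHOLD, score, matched


if __name__ == "__main__":
    # Constructed sample requests: benign, SQLi, URL-encoded XSS.
    print(inspect_request({"q": "owasp top 10"}, {"User-Agent": "curl/8.0"}, ""))
    print(inspect_request({"id": "1' OR '1'='1"}, {}, ""))
    print(inspect_request({"name": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"}, {}, ""))
```

Real CRS deployments tune the threshold and paranoia level per application, because every rule that catches more attacks also raises the false-positive rate on legitimate traffic.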
