OWASP (the Open Web Application Security Project) is the leading open community for application security. Beginners can find more here:
OWASP released a project called the OWASP Top 10 in 2003, listing the most critical web application vulnerabilities of that time. Since then OWASP has published several revisions of the Top 10 based on the data they collect, and it is now a mature OWASP project.
OWASP Top 10:
Most organizations, developers and penetration testers use this project as a baseline for their software security, which is good and worth encouraging. Following the processes in their companies, they write secure code, verify their business logic and test for security before major releases. It feels as if we are getting closer to hack-proof web applications. Really?
Back then there was no trustworthy, accessible place to learn about application security. Then OWASP appeared, people started building their web applications more securely, and that continues today.
So far we have only talked about the good side of these efforts. What is the end result? We are secure!
Not at all.
While one party is closing the known holes, the other party is looking for new ones. That is exactly what happens in security: defenders stop the bleeding at one edge, and attackers move to another edge with different techniques.
We tell the world that we are OWASP compliant and SANS compliant, but our applications still get hacked. We show the world that we have put guards on all the identified entry points. Do you still believe attackers will keep trying the same entry points?
Better not. Every year WhiteHat Security publishes the Top 10 Web Hacking Techniques, and most of the time the top techniques do not target the Top 10 vulnerabilities. If you need examples, here are some.
Keep in mind that the OWASP Top 10 we are currently using was published in 2013. It is now 2016 and we are still complaining that attackers are one step ahead of us.
A few of the nominated hacking techniques for 2015:
- Abusing CDNs with SSRF, Flash and DNS
- Abusing XSLT for Practical Attacks
- Hunting Asynchronous Vulnerabilities
- Logjam
- Magic Hashes
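To make the gap concrete, here is an added example (not code from the original post, and not from WhiteHat or OWASP) of one technique in the list above, Magic Hashes. PHP's loose `==` compares two numeric-looking strings as numbers, so any MD5 digest of the form `0e` followed only by digits is equal to any other such digest, because both parse as the float 0. The script recomputes the digests of two well-known preimages (constructed inputs for this example), emulates PHP's loose comparison in simplified form (assumption: leading-whitespace tolerance and other corner cases of PHP's numeric-string rules are omitted), and shows the strict comparison that closes the hole. All function names are this example's own.

```python
import hashlib
import hmac
import re

# Constructed inputs (assumption for this example): two well-known MD5
# "magic hash" preimages. Their digests are recomputed below, not hard-coded.
MAGIC_PREIMAGES = (b"240610708", b"QNKCDZO")

# A digest that PHP's loose comparison reads as the number 0, e.g. "0e1234...".
_MAGIC_DIGEST = re.compile(r"^0[eE][0-9]+$")

# PHP-style numeric string: optional sign, digits, optional fraction/exponent.
# Simplified emulation; PHP's real rules also tolerate leading whitespace.
_PHP_NUMERIC = re.compile(r"^[+-]?(?:[0-9]+\.?[0-9]*|\.[0-9]+)(?:[eE][+-]?[0-9]+)?$")


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, as a PHP application gets from md5($data)."""
    return hashlib.md5(data).hexdigest()


def is_magic_hash(hex_digest: str) -> bool:
    """True if PHP '==' would coerce this digest to the float 0.0."""
    return _MAGIC_DIGEST.match(hex_digest) is not None


def php_loose_equal(a: str, b: str) -> bool:
    """Emulates PHP '==' on two strings: when both look numeric they are
    compared as numbers, so "0e111" == "0e999" because both equal 0.0.
    Non-numeric strings fall back to a byte-wise comparison."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def vulnerable_check(stored_digest: str, candidate: bytes) -> bool:
    """The vulnerable pattern: if (md5($input) == $stored_hash)."""
    return php_loose_equal(stored_digest, md5_hex(candidate))


def hardened_check(stored_digest: str, candidate: bytes) -> bool:
    """Strict, constant-time comparison (PHP: hash_equals($stored, md5($input)))."""
    return hmac.compare_digest(stored_digest, md5_hex(candidate))


def find_magic_preimages(candidates) -> list:
    """Return the candidates whose MD5 digest is a magic hash."""
    return [c for c in candidates if is_magic_hash(md5_hex(c))]


if __name__ == "__main__":
    stored = md5_hex(MAGIC_PREIMAGES[0])   # the victim's stored password hash
    forged = MAGIC_PREIMAGES[1]            # an unrelated input the attacker submits
    print("stored digest :", stored)
    print("forged digest :", md5_hex(forged))
    print("loose ==      :", vulnerable_check(stored, forged))  # True: login bypass
    print("hash_equals   :", hardened_check(stored, forged))    # False
```

Nothing in this bug is an injection, a broken-authentication category flaw or a misconfiguration in the Top 10 sense; it is a language comparison quirk. Grepping a code base for `== md5(` or `== sha1(` and replacing those with `hash_equals()` (or, for passwords, `password_verify()` with a proper password hash instead of MD5) finds and fixes it.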
Look up each of those techniques; none of them maps cleanly onto a Top 10 category. So where are we now?
Here are some of the top hacking techniques of 2014:
- Heartbleed, ShellShock, POODLE, Rosetta Flash, ...
Am I saying OWASP and SANS are bad? No, you misunderstood. I am saying they are not enough in this game. Heartbleed and POODLE are TLS implementation and protocol flaws, and ShellShock is a Bash parsing bug; none of them fits an application-code category in the Top 10. You can clearly see a gap between the top 10 vulnerabilities and the top 10 attack techniques, so we need to be creative here, not only apply textbook security practices to our applications and systems.
This is not a problem with OWASP or SANS; they have done plenty, and we should not expect everything from them. We all have limitations. Do your own homework and keep up.