What is OWASP, and why it matters for AppSec

Feb 22, 2017 | 4 mins
Application Security, Internet Security, IT Skills

Boost application security with the Open Web Application Security Project's guidelines

Modern software development is firmly focused on speed. The race to be first in the market is extremely competitive. To innovate, companies develop at breakneck pace, quickly establishing feedback loops that allow them to hone their software. Security, however, is often an afterthought for stressed developers and the business people pushing them to deliver faster.

The importance of application security (AppSec) is widely understood, with 97 percent of respondents to the SANS Institute’s 2016 State of Application Security report revealing they have an AppSec program in place.

However, only 26 percent of respondents described their AppSec program as mature or very mature. Clearly work must still be done, and that’s where something like the Open Web Application Security Project (OWASP) can prove very useful.

OWASP: a source of impartial advice

It can be difficult to find unbiased advice and practical information to help you develop your AppSec program. The competitive technology and services market has plenty to say, but much of it is designed to steer you toward a particular tool or service provider.

The OWASP was created to combat that issue, offering genuinely impartial advice on best practices and fostering the creation of open standards.

Anyone can participate in the OWASP. All of the materials and guidelines it offers are completely free of charge and available under an open software license for anyone to use.

Recommendations for commercial products and services are considered inappropriate. The OWASP aims to be a pool of knowledge that you can genuinely trust, free of ulterior motives.

The OWASP Top 10

Any developer interested in AppSec would do well to start with the OWASP Top 10. The list was last published in 2013, and it is in the process of being updated, but it’s still a valid and valuable run-down of some of the major risks. Here’s the list:

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards
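The first entry on the list, injection, is the one most easily shown in code. The following is an added example, not code from the article or from OWASP: a lookup written the insecure way beside the same lookup written with a parameterised query. It uses Python's standard sqlite3 module with an in-memory database and a constructed table of three users; the function names and sample rows are this example's own assumptions.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    # Sample rows (constructed for this example); note the apostrophe in the
    # last name, a perfectly legitimate input that already trips the bad query.
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """OWASP A1 Injection: the caller's input is pasted into the SQL text,
    so the database has no way to tell data apart from code."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """The fix OWASP recommends: a parameterised query. The statement and
    the value travel separately, so quotes in the input are just characters."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(conn, username):
    """Run both lookups on the same input and return (vulnerable, hardened).
    A vulnerable query that fails to parse is reported as the string 'error'
    rather than raising, so the two behaviours can be placed side by side."""
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.Error:
        vulnerable = "error"
    return vulnerable, lookup_hardened(conn, username)


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(candidate), "->", compare(db, candidate))
```

Running the script shows three things a developer reviewing code for A1 should recognise: both versions agree on a plain name; the concatenated query breaks on a real name containing an apostrophe (a correctness bug, not just a security one); and the textbook tautology input makes the concatenated query return every row while the parameterised query correctly returns none. The defensive rule is the one in the OWASP entry itself: never build SQL text from untrusted input, always bind it as a parameter.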

Every entry is broken down in great detail, so developers can find out whether they’re vulnerable and learn how to prevent an attack. There are also example attack scenarios and further references to help identify vulnerabilities, eradicate them and test to ensure they’re properly dealt with.

Ignore the OWASP Top 10 at your peril

You might assume a free set of guidelines like this, developed by some of the best minds in worldwide software security, would serve as a standard framework for developers, but sadly that doesn’t seem to be the case.

As many as 25 percent of web apps today are vulnerable to eight of the entries on the OWASP Top 10, according to Contrast Security research, and 80 percent had at least one vulnerability. The organization found that sensitive data exposure topped the list, affecting 69 percent of web apps tested. CSRF was second, affecting 55 percent of apps, and broken authentication and session management was third, affecting 41 percent of apps.

It’s clear organizations are not committing sufficient resources or attaching a high enough importance to application security.

Top AppSec challenges

Jumping back to the SANS Institute report for a moment, we find that respondents listed their top three challenges to implementing application security in their organizations:

  • 33 percent pointed to silos between security, development and business units, making it hard to establish ultimate responsibility and preventing effective collaboration
  • 37 percent bemoaned the lack of funding and management buy-in
  • 38 percent reported a lack of application security skills, tools and methods

Breaking down silos and changing a company culture takes time, but the rewards reach well beyond application security. The potential cost of a data breach should be enough to persuade management to take more stringent steps and commit resources. A virtual CISO can help to offset skills shortages. And any organization seeking a solid methodology and a set of practical guidelines would do well to start with the OWASP.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.