Modern software development is firmly focused on speed. The race to be first in the market is extremely competitive. To innovate, companies develop at breakneck pace, quickly establishing feedback loops that allow them to hone their software. Security, however, is often an afterthought for stressed developers and the business people pushing them to deliver faster.

The importance of application security (AppSec) is widely understood, with 97 percent of respondents to the SANS Institute’s 2016 State of Application Security report revealing they have an AppSec program in place.

However, only 26 percent of respondents described their AppSec program as mature or very mature. Clearly work must still be done, and that’s where something like the Open Web Application Security Project (OWASP) can prove very useful.

OWASP: a source of impartial advice

It can be difficult to find unbiased advice and practical information to help you develop your AppSec program. The competitive technology and services market has plenty to say, but much of it is designed to steer you toward a particular tool or service provider.

OWASP was created to combat that issue, offering genuinely impartial advice on best practices and fostering the creation of open standards.

Anyone can participate in OWASP. All of the materials and guidelines it offers are completely free of charge and available under an open software license for anyone to use.

Recommendations for commercial products and services are considered inappropriate. OWASP aims to be a pool of knowledge that you can genuinely trust, free of ulterior motives.

The OWASP Top 10

Any developer interested in AppSec would do well to start with the OWASP Top 10. The list was last published in 2013, and it is in the process of being updated, but it’s still a valid and valuable run-down of some of the major risks.
Here’s the list:

1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Every entry is broken down in great detail, so developers can find out whether they’re vulnerable and learn how to prevent an attack. There are also example attack scenarios and further references to help identify vulnerabilities, eradicate them and test to ensure they’re properly dealt with.

Ignore the OWASP Top 10 at your peril

You might assume a free set of guidelines like this, developed by some of the best minds in worldwide software security, would serve as a standard framework for developers, but sadly that doesn’t seem to be the case.

As many as 25 percent of web apps today are vulnerable to eight of the entries on the OWASP Top 10, according to Contrast Security research, and 80 percent had at least one vulnerability. The organization found that sensitive data exposure topped the list, affecting 69 percent of web apps tested.
CSRF was second, affecting 55 percent of apps, and broken authentication and session management was third, affecting 41 percent of apps.

It’s clear organizations are not committing sufficient resources or attaching a high enough importance to application security.

Top AppSec challenges

Jumping back to the SANS Institute report for a moment, we find that respondents listed their top three challenges to implementing application security in their organizations:

- 33 percent pointed to silos between security, development and business units, making it hard to establish ultimate responsibility and preventing effective collaboration
- 37 percent bemoaned the lack of funding and management buy-in
- 38 percent reported a lack of application security skills, tools and methods

Breaking down silos and changing a company culture takes time, but the rewards reach well beyond application security. The potential cost of a data breach should be enough to persuade management to take more stringent steps and commit resources. A virtual CISO can help to offset skills shortages. And any organization seeking a solid methodology and a set of practical guidelines would do well to start with OWASP.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.