Boost application security with the Open Web Application Security Project's guidelines

Modern software development is firmly focused on speed. The race to be first in the market is extremely competitive. To innovate, companies develop at breakneck pace, quickly establishing feedback loops that allow them to hone their software. Security, however, is often an afterthought for stressed developers and the business people pushing them to deliver faster.

The importance of application security (AppSec) is widely understood, with 97 percent of respondents to the SANS Institute's 2016 State of Application Security report revealing they have an AppSec program in place. However, only 26 percent of respondents described their AppSec program as mature or very mature. Clearly work must still be done, and that's where something like the Open Web Application Security Project (OWASP) can prove very useful.

OWASP: a source of impartial advice

It can be difficult to find unbiased advice and practical information to help you develop your AppSec program. The competitive technology and services market has plenty to say, but much of it is designed to steer you toward a particular tool or service provider. The OWASP was created to combat that issue, offering genuinely impartial advice on best practices and fostering the creation of open standards.

Anyone can participate in the OWASP. All of the materials and guidelines it offers are completely free of charge and available under an open software license for anyone to use. Recommendations for commercial products and services are considered inappropriate. The OWASP aims to be a pool of knowledge that you can genuinely trust, free of ulterior motives.

The OWASP Top 10

Any developer interested in AppSec would do well to start with the OWASP Top 10. The list was last published in 2013, and it is in the process of being updated, but it's still a valid and valuable run-down of some of the major risks.
Here's the list:

1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Every entry is broken down in great detail, so developers can find out whether they're vulnerable and learn how to prevent an attack. There are also example attack scenarios and further references to help identify vulnerabilities, eradicate them and test to ensure they're properly dealt with.

Ignore the OWASP Top 10 at your peril

You might assume a free set of guidelines like this, developed by some of the best minds in worldwide software security, would serve as a standard framework for developers, but sadly that doesn't seem to be the case.

As many as 25 percent of web apps today are vulnerable to eight of the entries on the OWASP Top 10, according to Contrast Security research, and 80 percent had at least one vulnerability. The organization found that sensitive data exposure topped the list, affecting 69 percent of web apps tested. CSRF was second, affecting 55 percent of apps, and broken authentication and session management was third, affecting 41 percent of apps.

It's clear organizations are not committing sufficient resources or attaching a high enough importance to application security.
Top AppSec challenges

Jumping back to the SANS Institute report for a moment, we find that respondents listed their top three challenges to implementing application security in their organizations:

- 33 percent pointed to silos between security, development and business units, making it hard to establish ultimate responsibility and preventing effective collaboration
- 37 percent bemoaned the lack of funding and management buy-in
- 38 percent reported a lack of application security skills, tools and methods

Breaking down silos and changing a company culture takes time, but the rewards reach well beyond application security. The potential cost of a data breach should be enough to persuade management to take more stringent steps and commit resources. A virtual CISO can help to offset skills shortages. And any organization seeking a solid methodology and a set of practical guidelines would do well to start with the OWASP.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.