What Is the Open Web Application Security Project (OWASP)?
The Open Web Application Security Project (OWASP) is a non-profit foundation by a global community dedicated to providing free application security resources. OWASP offers guidance on developing and maintaining secure software applications. The goal is to educate software architects, developers, and business owners about security risks.
OWASP supports open source as well commercial security products. Its website offers a place for security experts and IT professionals to learn about application security and get actionable advice for securing their applications.
OWASP publishes the widely known Top 10 Web Application Security Risks, which is updated every few years as new risks emerge and listed risks change. The list includes the most dangerous web application security risks and offers recommendations for mitigating them. OWASP also has two similar lists for APIs and mobile applications.
This is part of an extensive series of guides about application security.
In this article:
How Can OWASP Help Your Security Efforts?
OWASP strives to educate all stakeholders involved in the software development lifecycle, including architects, developers, designers, managers, and business owners. The goal is to inform stakeholders about the importance of web security and the consequences of poor security practices.
Security knowledge base
OWASP offers an online wiki supported by almost two decades of research and backed by leading security experts. OWASP’s ethical hackers gathered vulnerabilities from thousands of applications and hundreds of organizations. They leverage the information to share knowledge of vulnerabilities, threats, and key strategies for implementing countermeasures.
Examples of risks and attacks
OWASP provides code examples and sample applications intentionally riddled with security flaws to help developers train to avoid known pitfalls. The community-backed resources can help organizations mitigate risk, conduct threat modeling, and perform architectural threat analysis.
OWASP compliance
Software development teams can adopt OWASP compliance as part of the software development lifecycle and use the information to create risk management policies that improve credibility. OWASP offers code review guides and frameworks that provide documentation for penetration testing best practices, helping teams measure risk relative to specific environments.
Conforming to OWASP standards and making development more security-conscious helps teams and organizations better mitigate vulnerabilities and improve the overall quality of applications.
Related content: Read our guide to OWASP certification (coming soon)
Key OWASP Projects
The OWASP foundation helps aspiring open source projects improve software security. The foundation is a well-known and credible entity within the security community, offering funding and project summits for qualifying programs. The community holds conferences and local chapters that connect projects with users.
OWASP projects are open source and built by the community of volunteers. Project leaders are in charge of defining their project’s roadmap, vision and tasks, promoting the project, and building the team. OWASP currently supports over 100 active projects, with new applications submitted weekly.
OWASP projects give members the opportunity to test ideas and theories while getting professional advice and support from the OWASP community. Each project has a web page, Slack Channel, and mailing list. Most projects also maintain their content in OWASP’s GitHub organization.
OWASP Top 10 Series
The OWASP Top 10 list explains the most critical web application vulnerabilities. Data analysts determine eight of these threats, and an industry survey helps decide the last two threats. When it was first created, the list was perceived as an awareness document.
However, the list is now considered an industry standard for training, testing, and development. It is also referenced in several compliance regulations, including The Payment Card Industry Data Security Standard (PCI DSS).
The importance of the OWASP Top 10 list
A web application vulnerability is a security weakness in software designed to run on a web browser. The ability to run on web browsers makes applications highly accessible but also makes them a target for attackers.
Web applications can include many security vulnerabilities—there are hundreds of application security vulnerabilities, including misconfigurations and flawed code. It is inadvisable to think a web application does not have a vulnerability of some kind.
The OWASP top 10 list provides organizations and development teams with a way to prioritize mitigation. Once these vulnerabilities are detected, organizations can immediately work on remediating these issues before, during, and after development.
OWASP Cheat Sheet Series
The OWASP Cheat Sheet Series provides a set of simple guides for application developers and security defenders. Instead of focusing on detailed yet impractical best practices, these guides offer good practices that most developers can implement.
Related content: Read our guide to OWASP cheat sheets (coming soon)
OWASP ZAP
Zed Attack Proxy (ZAP) is an OWASP open source penetration testing tool. It is flexible and extensible, designed especially to help test web applications. ZAP works as a Man-in-the-Middle (MitM) proxy, standing between a tester’s browser and the tested web application.
OWASP ZAP can intercept and inspect the messages sent between the browser and tested web application, modify these contents when needed, and forward the packets to the destination. You can use it as a standalone application or as a daemon process.
Related content: Learn more in our detailed guide to OWASP ZAP (coming soon)
OWASP Dependency-Check
Dependency-Check is OWASP’s software composition analysis (SCA) tool. It attempts to identify publicly disclosed vulnerabilities within your project’s dependencies. It tries to determine if a common platform enumeration (CPE) identifier exists for each dependency. If OWASP Dependency-Check finds a CPE identifier, it generates a report that links to all relevant CVE entries.
Related content: Learn more in our detailed guide to OWASP Dependency Check (coming soon)
OWASP Juice Shop
OWASP Juice Shop is a web application made intentionally vulnerable for security training purposes. It is written in JavaScript and filled with many hacking challenges of varying difficulty levels created for user exploitation. It helps users start learning about web application security.
You can use OWASP Juice Shop for security training, Capture the Flag (CTFs), as a guinea pig for security tools, and awareness demos. It encompasses vulnerabilities from the OWASP Top 10 list as well as many other security flaws from real-world applications.
eb application security.
Related content: Learn more in our detailed guide to OWASP Juice Shop (coming soon)
OWASP SAMM
The Software Assurance Maturity Model (SAMM) is a software security compliance model developed by OWASP and sponsored by industry organizations. OWASP SAMM aims to provide a measurable and effective way to analyze and improve the software security posture of organizations of all types and sizes.
This self-assessment model can help raise awareness and inform organizations on how to securely design, develop, and deploy software. Organizations that implement and strictly adhere to the model can increase their confidence, knowing they are prepared to handle source code threats.
Related content: Learn more in our detailed guide to OWASP SAMM (coming soon)
OWASP Top 10 Web Application Security Risks
Below we present a brief overview of the top 10 risks and how to prevent them.
Learn more about these risks in our detailed guide to the OWASP Top 10.
Broken Access Controls
All sensitive information must be available to a limited set of users based on their access permissions. Broken access controls allow unauthorized users to access data without the required permissions.
To ensure proper access controls:
- Establish a secure application development lifecycle with strong security and privacy controls.
- Leverage secure designs and pre-built components.
- Implement threat modeling.
- Embed security controls in user stories.
- Apply plausibility checks across the application.
- Keep the application tiers separate.
Cryptography Failures
Cryptographic vulnerabilities result from improper encryption and decryption methods, including using obsolete ciphers and misapplying protocols.
To ensure strong cryptography to protect data:
- Disable autocomplete and caching on data collection forms.
- Minimize the data surface.
- Encrypt data at rest and in transit.
- Implement up-to-date encryption.
- Use adaptive hashing functions to save passwords.
Injection Vulnerabilities
Attackers exploit these vulnerabilities to inject malicious commands into applications. SQL injection is the most common injection attack. To mitigate injection attacks:
- Authenticate all data from untrusted sources, including end-users.
- Separate data and commands to prevent applications from executing supplied data as commands.
- Use parameterized SQL queries.
- Use a secure API instead of an interpreter.
- Use intrusion detection and server-side validation to identify suspicious behavior.
Design Flaws
Design flaws affect insecure applications that lack threat modeling and secure design practices. Insecure design often fails to profile business risks and determine the required security level.
To ensure secure design:
- Establish a secure application development lifecycle with strong security and privacy controls.
- Leverage secure designs and pre-built components.
- Implement threat modeling.
- Embed security controls in user stories.
- Apply plausibility checks across the application.
- Keep the application tiers separate.
Security Misconfigurations
Issues with an application’s security configurations can enable attacks. For instance, applications that don’t filter packets properly may allow attackers to use default credentials.
To prevent security misconfigurations:
- Implement repeatable hardening processes with identical configurations across all environments.
- Avoid incorporating unnecessary features or components and delete unused objects.
- Incorporate configuration reviews and updates into the patch management process.
- Segment the application’s architecture to contain threats.
- Automate verification processes to evaluate configurations.
Outdated and Vulnerable Components
Unsupported and out-of-date software and components with known vulnerabilities allow attackers to compromise applications.
To keep applications free of vulnerable components:
- Regularly test and scan components for vulnerabilities.
- Maintain inventory of all components and dependencies.
- Eliminate redundant components, features, and dependencies.
- Only use components from trusted sources (i.e., signed packages).
- Monitor components and libraries to identify unmaintained and unpatched objects.
Authentication Issues
Authentication vulnerabilities include weak identification and authentication measures, allowing attackers to stuff credentials or break through with brute force.
To prevent authentication vulnerabilities:
- Use multi-factor authentication.
- Close expired and inactive sessions.
- Use robust passwords and avoid default credentials.
- Monitor all login attempts.
- Leverage a session manager to secure user sessions.
Integrity Vulnerabilities
Maintaining data and software integrity is essential for securing applications. Failure to verify integrity can result in exploits. One such vulnerability is insecure deserialization, where the application fails to deserialize vulnerable external objects, allowing attackers to manipulate the data received at the back end.
To ensure integrity:
- Verify the source of data and software using digital signatures.
- Ensure dependencies and libraries only consume trusted repositories.
- Review configuration and code changes to prevent malicious configurations and code from reaching the software pipeline.
- Segregate and securely configure the CI/CD pipeline.
Security Monitoring and Logging Failures
These failures include detection and response errors. Monitoring and logging are essential for detecting breaches, ensuring visibility, and allowing security and IT teams to respond.
To ensure proper monitoring and logging:
- Log all validation failures with the relevant context information for forensic analysis.
- Use an easy-to-consume log format.
- Encode all log data correctly to mitigate injection attacks.
- Keep audit trails for all high-value transactions.
SSRF Vulnerabilities
Server-side request forgery (SSRF) is a security vulnerability allowing attackers to induce server-side applications to send malicious HTTP requests to a chosen domain. It arises when applications don’t validate user-supplied data. Attackers often use SSRF to bypass firewalls and other access controls.
To prevent SSRF:
- Segment the functionality of sensitive resources to minimize the impact of SSRF attacks.
- Use policies that deny access by default or block non-essential traffic.
- Sanitize and validate user-supplied data.
- Use allow lists to restrict access.
- Avoid sending raw responses to the client.
- Disable HTTP redirection.
OWASP Top 10 API Security Threats
OWASP published the API Security Top 10 to inform organizations about security issues affecting APIs. Below we present a brief overview of the top 10 API risks.
Learn more about these risks in our detailed guide to the OWASP API Top 10.
Object-Level Authorization Failures
APIs often expose endpoints handling object identifiers, widening the attack surface. Object-level authorization should apply to all functions that access data sources using user input.
To prevent broken object-level authorization:
- Implement a system to detect and remediate broken object-level authorization.
- Use strong authorization mechanisms. 
- Use API gateways. 
- Use threat modeling to evaluate authorization policies.
User Authentication Failures
Attackers often exploit incorrectly implemented authentication mechanisms to steal tokens and impersonate users.
To protect user authentication:
- Use multi-factor authentication to verify user identity.
- Block access after several login attempts.
- Secure user credentials.
- Use robust API keys.
- Apply the ASVS requirements to the authentication system.
Data Exposures
Developers often expose too much data, assuming the client will filter the data before presenting it to users.
To prevent data exposure:
- Use a proactive, shift-left security approach to build secure APIs.
- Don’t rely on clients to filter data.
- Minimize back end responses.
Insufficient Resources and Rate-Limiting
APIs often fail to impose restrictions on resource requests, enabling DoS and brute force attacks.
To mitigate these flaws:
- Evaluate the API design and ensure it has the proper rate-limiting controls.
- Refer to OWASP’s Automated Threat Handbook to understand the bots consuming your computing resources.
Function-Level Authorization Failures
An overly complex access control system increases the risk of policy misconfigurations and authorization failures. Attackers exploit these flaws to access user resources and admin functions.
To prevent broken function-level authorization:
- Ensure the access control policies are clear, outlining who can access what.
- Ensure everyone knows their responsibilities.
- Audit the access control system regularly.
Mass Assignment
Mass assignment often results from unfiltered, client-supplied data bound to data models. Attackers can guess object properties or read documentation to edit properties.
To prevent mass assignment:
- Use penetration tests to identify vulnerabilities.
- Don’t directly map client data to internal variables.
- Use an allow list for object properties. 
Security Misconfigurations
Security misconfigurations often result from default or incomplete configurations.
To prevent security misconfigurations:
- Periodically audit the system for misconfigurations.
- Avoiding relying on defaults.
- Use scanning and testing tools to check the application stack.
- Don’t include sensitive information in error messages. 
Injection Vulnerabilities
These vulnerabilities include SQL, NoSQL, and command injection flaws. Attackers send malicious data to an interpreter that executes unauthorized commands or exposes sensitive data.
To prevent injection attacks:
- Validate inputs using an allow list.
- Process incoming API requests with parameterized interfaces.
- Restrict record returns by reviewing the filtering logic.
Asset Mismanagement
APIs often expose more endpoint devices than web apps, so it’s essential to maintain proper documentation.
To ensure proper asset management:
- Maintain an inventory of all APIs.
- Review all APIs for security.
- Standardize API functions.
- Prioritize APIs according to risk level.
Insufficient Monitoring and Logging
Combined with incident response, monitoring and logging allow organizations to detect and block attackers. Without proper monitoring, attackers can persist, causing damage undetected.
To ensure sufficient monitoring and logging:
- Use a standard logging format for all APIs.
- Monitor every API endpoint throughout its lifecycle.
OWASP Top 10 Mobile Security Risks
Below we present a brief overview of the top 10 risks facing mobile applications.
Learn more about these risks in our detailed guide to the OWASP Mobile Top 10.
Misuse of Platforms
Misusing the Android or iOS platform is the greatest security vulnerability for mobile devices. Apps can unintentionally misuse platforms.
To address this vulnerability:
- Follow the platform’s security guidelines.
- Utilize the server-side security features available.
- Use secure configurations and coding practices.
- Harden the server-side.
- Limit data transmission between applications.
- Limit file access permissions.
- Encrypted stored data.
Insecurely Stored Data
Insecure data storage allows attackers to exploit stolen mobile devices and steal sensitive information. Sometimes, it is unavoidable to have applications store sensitive data, but it is essential to ensure this data is not accessible to unauthorized users. Encryption alone is not always enough.
To secure stored data:
- Encrypt all data.
- Use authorization and authentication mechanisms for accessing mobile apps.
- Restrict mobile app access to stored files.
- Use secure coding practices.
Communication Flaws
Insecure communication allows attackers to intercept data as it traverses the Internet.
To ensure secure communication:
- Use SSL/TLS certificates.
- Avoid untrusted and unsigned certificates.
- Use strong encryption protocols.
- Send sensitive data to the back end.
- Avoid sending session IDs with SSL tokens.
- Protect transmission channels with SSL/TLS.
Authentication Failures
Mobile devices often allow users to log in with default credentials when they fail to recognize users correctly, allowing malicious actors to bypass authentication measures.
To ensure secure authentication:
- Use the right authentication mechanisms and security protocols.
- Deploy authentication on the server-side.
- Avoid storing credentials on mobile devices.
- Encrypt local storage with strong keys.
- Avoid “remember me” options.
- Provide warnings when users opt for “remember me” options.
- Use device-based authentication to prevent users from accessing data from other devices.
- Implement binary attack protections.
Cryptography Flaws
Attackers exploit cryptography flaws to access sensitive data. It is usually easy to exploit weak encryption mechanisms on mobile devices.
To ensure sufficient cryptography:
- Don’t store data on mobile devices.
- Use robust cryptography algorithms.
Authorization Failures
Attackers exploit insufficient authorization measures and IDOR vulnerabilities to access sensitive data and escalate privileges. If an app’s authorization is incomplete, it might grant user permissions without sufficient verification.
To prevent insecure authorization:
- Avoid granting roles and permissions via mobile devices.
- Verify each identity independently through the back end code.
Client-Side Code Quality Issues
Poor coding practices can result in poor and inconsistent code quality. While client code issues are harder for attackers to detect, they pose a significant risk if discovered.
To protect client code quality:
- Implement safe and consistent coding practices.
- Use static code analysis.
- Refrain from simple logic.
- Integrate with reliable libraries.
- List all third-party libraries to patch and update components.
- Use automated tools to test memory leaks and buffer overflow.
- Flag permissions on the content provider to block unauthorized access.
Tampering Risks
Counterfeit mobile apps with tampered code are often available on app stores. For instance, attackers may modify an application’s binary to install a backdoor.
To address code tampering risks:
- Look for test keys, known APKs, and OTA certificates.
- Check if the build is official using the build.prop element.
- Look for SU binaries and try to use direct SU commands.
- Test-run the SU command to check the current user ID.
- Allow the mobile app to identify and react to code integration.
- Use anti-tampering techniques like validation, code hardening, checksum, and digital signatures.
Reverse Engineering Vulnerabilities
Attackers often reverse engineer and decompile applications to analyze code and insert malicious functionality. Reverse engineering allows attackers to understand how an app works and exploit its weaknesses.
To minimize reverse engineering:
- Check if an attacker can decompile the application using debugging tools.
- Use robust obfuscation, including for metadata.
- Build the app with C or C++ to secure runtime changes.
- Segment the source code to control the app’s code flow.
- Use binary packaging to prevent decompilation.
- Implement anti-debugging mechanisms.
Redundant Functionality
Hackers can exploit many applications with redundant functionality to reach the back end. Some functions allow users to execute a privileged action anonymously.
To address this vulnerability:
- Manually review the code before releasing it to production.
- Analyze API endpoints and check logs and files to verify that attackers cannot exploit hidden functionality.
- Check app configurations for hidden switches.
- Verify that API endpoints and log statements are not publicly available.
- Check if the log contains information about privileged accounts or back end processes.
Preventing OWASP Vulnerabilities with Bright Security
Bright Security is a developer-first Dynamic Application Security Testing (DAST) scanner that can test your applications and APIs (SOAP, REST, GraphQL), enabling you to bake security testing into your development and CI/CD pipelines.
Detect the OWASP Top 10 for web applications and APIs, MITRE 25 and more, including Business Logic Vulnerabilities. You can easily reduce your security and technical debt by scanning early and often, on every build, to be secure by design.
With NO false positives, there is no need for manual validation of security findings, removing costly and time consuming human bottlenecks that cripple your rapid releases and drain your security team’s limited resources.
See Additional Guides on Key Application Security Topics
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of application security.
Application Migration
Authored by Faddom
- Application Migration: Prep, Strategies & Tips for Success
- Ultimate 13-Step Server Migration ChecklistÂ
- AWS Application Discovery Service: The Basics and How to Get Started
API Security Testing
Authored by Pynt
- API Security Testing: Risks, Technologies and Best Practices
- API Security Testing Tools: Key Features & 8 Tools to Know
- API Security Scanning: Process, Tools, and Best Practices
API Security
Authored by Pynt
- API Security: Threats, Tools, and Best Practices
- API Attacks: 6 Common Threats & Prevention Strategies
- 10 API Security Standards and Protocols You Must Know
