
The Open Worldwide Application Security Program

Cybersecurity has become a critical component of modern IT infrastructure, as the increasing reliance on digital technologies makes organizations vulnerable to a wide range of threats and attacks. OWASP plays a key role in promoting secure coding practices, providing education and training, and fostering collaboration to address cyber threats, helping organizations prioritize cybersecurity and protect their digital assets. Today, we provide you with an overview of OWASP services and the opportunities it represents.

Henrik Bartsch

Introduction

Cybersecurity is a commonly used word with many applications. Whether it is protecting sensitive data, privacy or national security, cybersecurity is a necessary skill for businesses, software developers of all kinds and educational institutions. Without it, the consequences can be devastating:

For example, unauthorized access was discovered at the University Hospital in Frankfurt on October 6th. One day later, the hospital had to be disconnected from the internet for security reasons. The impact on IT operations was immense, but no data was encrypted or intercepted, and patient care was able to continue. At the beginning of 2023, the city administration of Rodgau (Offenbach district) suffered a complete system failure due to a hacker attack. Source (available in German)

According to the Federal Criminal Police Office in Germany, at least 130,000 cases of cybercrime have been uncovered in 2022 alone.

Even if it is (almost) impossible to make every system absolutely secure in a world in which the internet and the services available there are becoming increasingly important, it is still possible to make it as difficult as possible for attackers. As a result, an attack either does not occur in the first place or consumes a lot of time and resources - making the target unattractive for further attacks. In this context, we would like to talk today about the Open Worldwide Application Security Program, which publishes free information on cyber security, maintains databases and provides tools to improve security. 1 We will focus on the most important and helpful methods and tools provided by the Open Worldwide Application Security Program.

Validity of information provided by OWASP

Before we look at the details of OWASP, we want to focus on the most important points that OWASP makes on its website regarding the validity of the information:

OWASP Makes No Guarantee of Validity

OWASP goes on to point out that theoretically anyone with access to a browser can modify the databases. Despite this fact, OWASP also claims that much of the information will be correct.

Just because anyone can change a particular information source at will does not necessarily mean that it will contain incorrect information. We can compare this to the popular online platform Wikipedia, which also theoretically allows any user to access and edit its content. However, Wikipedia has proven to be a reliable source of information, at least in many areas. 2 3 4

Author’s note: It is more likely that OWASP is missing information than that it contains incorrect information. Zero-day exploits, for example, are often not known to the general public and are not fixed until they are discovered on an already active system.

All in all, no one can guarantee the accuracy and especially the completeness of the OWASP data - but it is a good reference point for improving systems, especially since (depending on the vulnerability) it may have been reported multiple times.

Top Ten

One of OWASP’s best-known projects is the “OWASP Top Ten”. These are a series of vulnerabilities that the organization has identified as the most problematic in recent years. They are published by OWASP as a “Standard Awareness Document” to give developers worldwide the opportunity to identify the most frequently occurring problems and to integrate them into the security architecture when creating new projects.

The latest version of the OWASP Top Ten was published on 06.01.2024 5. The results are therefore relatively up to date.

Mobile Application Security

OWASP’s Mobile Application Security flagship project provides several methodologies to help organizations and developers build secure mobile applications. These include the Mobile Application Security Verification Standard and the Mobile Application Security Testing Guide, which provide detailed guidance and recommendations for secure applications. Also included is a checklist of features and capabilities that a secure application in this area should provide. 6 7

Both of these guides focus on the following eight areas of a mobile application:

  1. Storage
  2. Cryptography
  3. Authentication
  4. Networking
  5. Platform
  6. Code
  7. Resilience
  8. Privacy

The organization lists a number of institutions using OWASP Mobile Application Security on its website. 7 Here are a few examples:

  1. National Institute of Standards and Technology - U.S. Department of Commerce
  2. German Federal Office for Information Security
  3. ioXt - Internet of secure things

as well as a number of other organizations.

ModSecurity Core Ruleset

So far we have covered mostly theoretical issues that are particularly relevant in the design phase of software. With the ModSecurity Core Ruleset, OWASP goes a step deeper, addressing software that uses web application firewalls to protect users and service providers from attacks over HTTP. 8 It provides rules for web application firewalls that protect against a range of possible attacks, with special attention given to the OWASP Top Ten, which are the most common. This set of rules has been developed in collaboration with netnea and (like all other OWASP products) is freely available for use by anyone. 9

Additional information regarding this topic can be found here, here and finally here.

Dependency Track

External libraries integrated into projects are an often underestimated source of security vulnerabilities. Few software companies can really do without external code, as it often represents a significant cost saving. However, the code is not necessarily visible to the users of the libraries - or a library is open source and can therefore be inspected by both developers and attackers.

It is very difficult to keep track of vulnerabilities, especially in open source projects. On the one hand, the code base changes very quickly (depending on the project), making analysis difficult or impossible. On the other hand, it is sometimes more difficult for attackers to introduce malicious code because so many people are working on the code. Use should be considered on a case-by-case basis, especially depending on the functionality that such a library offers and the amount of time and money that a self-programmed solution would require.

OWASP provides a Dependency Checker to identify libraries with known vulnerabilities in projects as efficiently as possible - and thus close the vulnerabilities as quickly as possible. It automatically analyses a given project to obtain all the dependencies and their version numbers. It then searches a publicly available database for associated vulnerabilities. All results (unless restricted by the developer) are then output by the dependency checker.

Such dependency checkers are particularly useful in CI/CD pipelines. Here, each time dependencies are changed, it is possible to check which vulnerabilities are known in a database before an attacker can actually cause damage via a (known) vulnerability. A version of the Dependency Checker as a GitHub Action can be found here.
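A pipeline step that consumes the checker's output has to decide when to fail the build. The following is an added example (not OWASP's or Dependency-Check's own code) that reads a constructed report modelled on the shape of a Dependency-Check JSON report (dependencies with nested vulnerabilities carrying CVSS v3 or v2 scores; this shape and the placeholder CVE ids are assumptions) and blocks the step when any finding reaches a CVSS threshold:

```python
import json

# Constructed sample report. The shape (dependencies -> vulnerabilities ->
# cvssv3/cvssv2) is modelled on Dependency-Check's JSON output; CVE ids are
# placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "lib-a-1.0.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-00001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "CVE-0000-00002", "severity": "LOW",
              "cvssv2": {"score": 2.1}}]},          # only a v2 score present
        {"fileName": "lib-b-2.3.4.tgz", "vulnerabilities": []},
        {"fileName": "lib-c-0.9.0.tgz"},             # no "vulnerabilities" key at all
    ]
})


def score_of(vuln: dict) -> float:
    """Prefer the CVSS v3 base score, fall back to v2, else 0.0 (unknown)."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)


def findings(report_json: str, min_score: float) -> list:
    """Return (dependency, id, score) for every finding at or above min_score,
    highest score first. Missing or empty vulnerability lists are tolerated."""
    report = json.loads(report_json)
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = score_of(vuln)
            if score >= min_score:
                hits.append((dep["fileName"], vuln["name"], score))
    return sorted(hits, key=lambda hit: -hit[2])


def gate(report_json: str, min_score: float = 7.0) -> bool:
    """True if the pipeline step may pass, i.e. nothing at or above the threshold."""
    return not findings(report_json, min_score)


if __name__ == "__main__":
    for dep, vuln_id, score in findings(SAMPLE_REPORT, 7.0):
        print(f"{dep}: {vuln_id} (CVSS {score})")
    raise SystemExit(0 if gate(SAMPLE_REPORT) else 1)
```

The non-zero exit status is what makes the CI step fail; the threshold is a policy choice, and a v2-only or score-less finding is still listed when the threshold is lowered.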

To illustrate this, let’s say we have a project with a dependency that we use to access data on our remote server. If such a dependency does not properly filter the input data, an attacker may be able to access areas of the remote server that they should not have access to. An output from the dependency checker could then point to a link such as this one:

https://cwe.mitre.org/data/definitions/35.html

This link takes us to the Common Weakness Enumeration, a catalogue of software weakness types. The content of this web page would tell us that an attacker could use crafted input to reach directories higher up in the file system hierarchy than intended. If this were to happen, the attacker could potentially gain access to sensitive information, passwords, usernames, or any other type of information that is not meant to be seen by outsiders.
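The weakness behind that link is that a sanitiser which strips `../` a single time can be bypassed, because `.../...//` collapses to `../` after one pass. The following added example (not from the page or from OWASP) shows that naive filter next to the usual fix, which ignores the textual form of the input and instead canonicalises the final path and requires it to stay inside the document root; the directory layout is constructed in a temporary folder:

```python
import tempfile
from pathlib import Path


def strip_traversal(user_path: str) -> str:
    """Naive sanitiser: removes '../' once. Not enough, as CWE-35 describes."""
    return user_path.replace("../", "")


def read_with_filter(base_dir: str, user_path: str) -> bytes:
    """Weak reader: trusts the naive sanitiser, then joins and reads."""
    return Path(base_dir, strip_traversal(user_path)).read_bytes()


def is_confined(base_dir: str, user_path: str) -> bool:
    """Hardened check: canonicalise the final path (symlinks and '..' resolved)
    and accept it only if it is base_dir itself or lies below it."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    return target == base or base in target.parents


def read_confined(base_dir: str, user_path: str) -> bytes:
    if not is_confined(base_dir, user_path):
        raise PermissionError(f"path escapes document root: {user_path!r}")
    return Path(base_dir, user_path).resolve().read_bytes()


def demo() -> dict:
    """Constructed layout: root/public/index.html (served) and root/secret.txt
    (must never be readable through the public directory)."""
    with tempfile.TemporaryDirectory() as root:
        public = Path(root, "public")
        public.mkdir()
        (public / "index.html").write_bytes(b"<h1>hello</h1>")
        Path(root, "secret.txt").write_bytes(b"db_password=constructed")
        payload = ".../...//secret.txt"   # becomes ../secret.txt after one strip pass
        leaked = read_with_filter(str(public), payload)          # weak reader leaks
        try:
            read_confined(str(public), "../secret.txt")
            escape_blocked = False
        except PermissionError:
            escape_blocked = True
        return {"sanitised": strip_traversal(payload), "leaked": leaked,
                "escape_blocked": escape_blocked,
                "normal": read_confined(str(public), "index.html")}


if __name__ == "__main__":
    print(demo())
```

Against the hardened reader the original payload is just a literal directory named `...` that does not exist under the document root, so it fails as a missing file rather than as an escape; the check does not care how the input was spelled.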

TL;DR

Cybersecurity is an issue that we believe is vastly underestimated. Neglecting it has the potential to destroy a company’s entire reputation. Absolute security is impossible to achieve in practice, but it still makes sense to protect your software and hardware infrastructure from malicious or unauthorised access. OWASP provides a basis for this that has proven itself in many areas. We recommend that you take a look at the OWASP resources to help you identify security gaps in your software projects.

Sources

  1. owasp.org
  2. theconversation.com
  3. theconversation.com
  4. edtechmagazine.com
  5. owasptopten.org
  6. mas.owasp.org
  7. owasp.org
  8. wikipedia.org
  9. owasp.org