What is the OWASP Top 10?
OWASP (Open Web Application Security Project) is a non-profit organization that provides unbiased, practical and cost-effective information about application security. As outlined on its website, the OWASP Top 10 is a widely used awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications.
The Top 10 represents the risk categories that bad actors most commonly and most damagingly exploit against applications. In the 2017 edition they are:
A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging & Monitoring
The Top 10 list is updated periodically as the threat landscape changes; the latest version, from 2017, can be found here.
How do the OWASP Top 10 attacks manifest themselves?
Each category represents a class of application weakness that a bad actor can exploit if left unchecked. For example, if a developer deploys an Apache Struts instance that has not been patched for the known CVE-2018-11776 (an A9:2017 case, Using Components with Known Vulnerabilities), they must understand the impact and either upgrade to a fixed release or inform the operations and security teams so that the vulnerability is mitigated by a compensating control until the upgrade lands.
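The A9:2017 case above comes down to one check: does any component in the inventory fall inside a published vulnerable version range? The following is an added example (not Cequence or OWASP code) of that check. The advisory entries are constructed from CVE-2018-11776's published affected ranges (Apache Struts 2.3 through 2.3.34 and 2.5 through 2.5.16, fixed in 2.3.35 and 2.5.17); the component names, the inventory and the `Advisory`/`Component` types are assumptions for illustration. In production the advisory list would come from a feed such as the NVD or a vendor advisory, not from a hard-coded list.

```python
"""Check a component inventory against known-vulnerable version ranges
(the OWASP A9:2017 concern). Added example, not code from the original page.

Assumptions: the advisory data below is constructed from the published
CVE-2018-11776 ranges; component names and the inventory are illustrative.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.16' into (2, 5, 16), zero-padded to three parts, so that
    versions compare numerically. Comparing strings would get this wrong:
    '2.3.9' > '2.3.34' as text, but 2.3.9 < 2.3.34 as a version."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    affected_from: str   # inclusive lower bound of the vulnerable range
    affected_to: str     # inclusive upper bound of the vulnerable range
    fixed_in: str


@dataclass(frozen=True)
class Component:
    name: str
    version: str


# Constructed advisory data (assumption: replaced by a real feed in practice).
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2018-11776", "apache-struts", "2.3.0", "2.3.34", "2.3.35"),
    Advisory("CVE-2018-11776", "apache-struts", "2.5.0", "2.5.16", "2.5.17"),
]

# Constructed sample inventory.
INVENTORY: List[Component] = [
    Component("apache-struts", "2.5.16"),  # last vulnerable 2.5.x release
    Component("apache-struts", "2.5.17"),  # fixed release
    Component("apache-struts", "2.3.9"),   # vulnerable; string compare would miss it
    Component("apache-httpd", "2.4.29"),   # different component, not in scope
]


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component matches the advisory and its version lies
    inside the advisory's inclusive affected range."""
    if component.name != advisory.component:
        return False
    v = parse_version(component.version)
    return parse_version(advisory.affected_from) <= v <= parse_version(advisory.affected_to)


def find_vulnerable(inventory: List[Component],
                    advisories: List[Advisory] = ADVISORIES):
    """Return (component, advisory) pairs for every inventory entry whose
    version falls in a known-vulnerable range, in inventory order."""
    return [(c, a) for c in inventory for a in advisories if is_affected(c, a)]


if __name__ == "__main__":
    for comp, adv in find_vulnerable(INVENTORY):
        print(f"{comp.name} {comp.version}: {adv.cve}, upgrade to {adv.fixed_in}")
```

The numeric version comparison is the part that matters: inventories compared as strings routinely report 2.3.9 as newer than 2.3.34 and so miss the vulnerable build.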
What are bad actors trying to achieve with the OWASP Top 10 attack techniques?
Universally, a bad actor uses one or a combination of these techniques to accomplish one of the following goals:
- Compromising your infrastructure to inflict damage (e.g., deleting data, taking down your network)
- Stealing assets (e.g., data, intellectual property, money)
- Committing fraud (e.g., using the value of the application or resource for their own gain)
What is the impact of an attack using a technique outlined in the OWASP Top 10?
Any attack, using any technique, large or small, can have a significant impact on an organization, depending on its scope and how it manifests itself. In the 2017 Equifax breach, where an unpatched Apache Struts vulnerability was exploited, the impact was massive and wide-reaching.
Financially, the impact depends on the result of the attack, but the total costs can be staggering. While it is an extreme example, to date Equifax has spent more than $1.4 billion on a breach that exposed 148 million records.
Organizationally, the impact of a successful attack can be wide-ranging, pulling security teams away from their daily roles to address a range of unexpected challenges. Legal teams must address possible lawsuits from both customers and investors. Compliance teams must address regulatory challenges if data or intellectual property has been stolen. Public relations and marketing must respond to press and analyst queries to maintain the brand image. Finally, customer support must manage angry customers and maintain positive morale while carrying out its normal responsibilities.
What type of applications and industries are at risk?
Bad actors and the Top 10 attack techniques are application, industry and size agnostic. Everyone is a potential target. In some ways, small to medium size businesses are more susceptible because they often lack the staffing and funding to protect against all of the variations.
Protecting against OWASP Top 10 attack techniques with Cequence Security
CQ appFirewall, a security module for the Cequence Application Security Platform (ASP), addresses the OWASP Top 10 techniques along with PCI DSS Requirement 6.6 in three ways:
- Simplifies management, enabling your team to do more with less. CQ appFirewall fully leverages intelligence generated by the patented CQAI analytics engine within the platform to virtually eliminate the need to manually create and update application and threat signatures.
- Improves security efficacy with customizable application infrastructure defense. With threat response options that go beyond traditional alert and block, CQ appFirewall lets you improve security efficacy with mitigation techniques such as geo-fencing and deception.
- Integrates with your existing security infrastructure. As an integral component of Cequence ASP, CQ appFirewall uses CQ Connect to share information with other devices and thus improve the efficacy of your entire security infrastructure. The distributed, container-based architecture enables you to deploy CQ appFirewall in the cloud, in the data center or in hybrid locations.