The Open Web Application Security Project (OWASP) is a non-profit organisation dedicated to the security of web applications. One of OWASP's key ideas is that all of its resources should be publicly available and easy to find on its website, allowing anybody to improve the security of their own web applications. Documentation, tools, videos, and forums are among the resources available. The OWASP Top 10 is perhaps its most well-known initiative.
What does our OWASP benchmark include?
OWASP Benchmark is a fully functional open source web application that contains thousands of vulnerable test cases, each of which is mapped to a specific CWE and can be analysed using any form of Application Security Testing (AST) tool, including SAST, DAST (such as OWASP ZAP), and IAST. Static Application Security Testing (SAST) tools are meant to analyse source code or compiled versions of code in order to detect security issues.
Some tools are beginning to make their way into the IDE. For the kinds of problems that can be discovered during the software development phase, this is a powerful point in the development life cycle at which to use such tools, since it gives the developer immediate feedback on flaws they may be introducing into the code as they write it. This fast feedback is highly beneficial, particularly when contrasted with discovering vulnerabilities much later in the development cycle.
What are our strengths?
- Scales well – can be run on a large number of computers and can be repeated (as with nightly builds or continuous integration).
- Finds certain classes of problems, such as buffer overflows and SQL injection flaws, automatically and with high confidence.
The OWASP Benchmark Project is a vendor-agnostic, well-respected, and accurate indicator of correctness that may be used to assess various solutions. It is a free and open testing project that compares the accuracy of automated software vulnerability detection tools. DHS is funding the effort, which has resulted in a massive test suite of over 21,000 test cases to determine the true effectiveness of various application security testing techniques. It generates an overall score for application security solutions using both the true positive rate (TPR) and the false positive rate (FPR).
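The scoring idea described above (each test case mapped to a CWE, a tool's findings compared against the expected results, and TPR and FPR derived from the outcome) is easy to reproduce. The following is an added example, not code from the OWASP Benchmark project; the ground truth rows and tool findings are constructed for illustration, and the overall score is computed as TPR minus FPR, which is how the Benchmark project defines its accuracy score. A finding only counts for a test case when the reported CWE matches the CWE the case is mapped to, which is why a wrong-category detection appears as a miss rather than a hit.

```python
"""Score an AST tool against a Benchmark-style test suite (added example)."""

# Constructed ground truth in the spirit of the Benchmark's expected-results
# list: each test case is mapped to a CWE and flagged as a real vulnerability
# or a deliberately safe look-alike. These rows are made up, not Benchmark data.
EXPECTED = [
    {"test": "BenchmarkTest00001", "cwe": 89, "real": True},
    {"test": "BenchmarkTest00002", "cwe": 89, "real": False},
    {"test": "BenchmarkTest00003", "cwe": 89, "real": True},
    {"test": "BenchmarkTest00004", "cwe": 79, "real": True},
    {"test": "BenchmarkTest00005", "cwe": 79, "real": False},
    {"test": "BenchmarkTest00006", "cwe": 79, "real": False},
    {"test": "BenchmarkTest00007", "cwe": 22, "real": True},
    {"test": "BenchmarkTest00008", "cwe": 22, "real": False},
]

# Constructed tool output as (test name, reported CWE) pairs.
FINDINGS = {
    ("BenchmarkTest00001", 89),
    ("BenchmarkTest00002", 89),   # false positive: safe case flagged
    ("BenchmarkTest00004", 79),
    ("BenchmarkTest00005", 79),   # false positive
    ("BenchmarkTest00007", 79),   # wrong CWE: does not count as a CWE-22 hit
}


def confusion(expected, findings, cwe=None):
    """Return (tp, fp, tn, fn) for one CWE, or for the whole suite when cwe is None."""
    tp = fp = tn = fn = 0
    for case in expected:
        if cwe is not None and case["cwe"] != cwe:
            continue
        # Only a finding with the matching CWE counts for this test case.
        flagged = (case["test"], case["cwe"]) in findings
        if case["real"]:
            if flagged:
                tp += 1
            else:
                fn += 1
        else:
            if flagged:
                fp += 1
            else:
                tn += 1
    return tp, fp, tn, fn


def rates(tp, fp, tn, fn):
    """Return (TPR, FPR, score) where score = TPR - FPR."""
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr, tpr - fpr


def score_tool(expected, findings):
    """Per-CWE and overall TPR, FPR and score for one tool's findings."""
    results = {}
    for cwe in sorted({case["cwe"] for case in expected}):
        results[f"CWE-{cwe}"] = rates(*confusion(expected, findings, cwe))
    results["overall"] = rates(*confusion(expected, findings))
    return results


if __name__ == "__main__":
    for name, (tpr, fpr, score) in score_tool(EXPECTED, FINDINGS).items():
        print(f"{name:8} TPR={tpr:.2f} FPR={fpr:.2f} score={score:+.2f}")
```

With the constructed data the SQL injection category scores negatively (every safe case was flagged, so the tool is no better than guessing there), the XSS category scores positively, and the path traversal category scores zero because the one real case was reported under the wrong CWE. The overall score of zero shows why the Benchmark weighs FPR as heavily as TPR: a tool that flags everything would reach a perfect TPR but earn no credit.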
What are our weaknesses?
Top challenges that we face
- Silos between security, development, and business groups, according to 33% of respondents, make it difficult to identify ultimate accountability and inhibit effective collaboration.
- 37 percent complained about a lack of funding and management buy-in, while 38 percent said they lacked application security knowledge, tools, and methodologies.
You would think that a free set of standards like these, created by some of the top minds in software security around the globe, would serve as a standard foundation for developers, but that does not appear to be the case.
According to Contrast Security research, up to 25% of web apps are vulnerable to eight of the OWASP Top 10 entries today, and 80% have at least one vulnerability. Sensitive data exposure topped the list, impacting 69 percent of the web apps assessed, according to the group. CSRF came in second, affecting 55 percent of apps, while broken authentication and session management came in third, affecting 41% of applications.