Introduction
Imagine if someone went out and looked at existing security issues reported in Web applications and then summarized all that information into a list for everyone to see and learn from. Guess what? It exists! Every few years, the Open Worldwide Application Security Project (OWASP) foundation releases a new OWASP Top-10 list for developers to understand the biggest security issues to watch for when developing applications.
Even if you are just starting out, knowing about this list (and the related write-ups) may help you learn and grow as a developer, so you do not fall into these same known pitfalls. You may not immediately write code that touches every issue discussed in the OWASP Top 10. However, even as a newbie, if you are making your own side project on GitHub or elsewhere where others may access your code (or the executable application), then these are important items to know and understand. Also, knowing that this list exists, the types of issues it contains and where to find more information will better position you for success as you continue to learn, grow and develop different types of applications.
Accessing the OWASP Top 10
The base page for the OWASP Top 10 is: https://owasp.org/Top10/. This page gets updated as new lists are released and is a good starting point. It currently lists the OWASP Top 10 2021 details. It starts with a quick comparison of the 2021 list against the prior list (2017). Then it goes into more detail about the individual issues, in descending priority.
Item Details
The start of each list item is a link to a page with more details. For example, A01:2021-Broken Access Control in the OWASP Top 10 2021 list links to: https://owasp.org/Top10/A01_2021-Broken_Access_Control/
That page then contains:
- Factors
- Overview
- Description
- How to Prevent
- Example Attack Scenarios
- References
- List of Mapped CWEs
These details will help you understand what the concern is about, why it is important, how it can be attacked and how to prevent it in your own code.
For example, a few of the suggestions for A01:2021-Broken Access Control (from https://owasp.org/Top10/A01_2021-Broken_Access_Control/) include:
- Except for public resources, deny by default.
- Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
- Disable web server directory listing and ensure file metadata (e.g., .git) and backup files are not present within web roots.
- Rate limit API and controller access to minimize the harm from automated attack tooling.
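To make the first, second and fourth suggestions concrete, here is an added example (not from the OWASP page or this post's author) showing what "deny by default" and "enforce record ownership" look like in code, next to the broken lookup they replace, plus a small per-client rate limiter. The `User`, `Record`, `RECORDS` store and the `RateLimiter` class are all assumed/constructed for illustration; a real application would back them with its own database and framework middleware.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (constructed roles for the example)


@dataclass
class Record:
    id: int
    owner_id: int
    body: str


class AccessDenied(Exception):
    """Raised for both 'not found' and 'not yours', so that guessing
    record ids does not reveal which ones exist."""


# Constructed in-memory data store standing in for a real database.
RECORDS = {
    1: Record(id=1, owner_id=100, body="alice's note"),
    2: Record(id=2, owner_id=200, body="bob's note"),
}


def get_record_insecure(user: User, record_id: int) -> Record:
    """The broken pattern: trusts the caller-supplied id and never checks
    who owns the record, so any authenticated user can read any record."""
    return RECORDS[record_id]


def is_allowed(user: User, action: str, record: Record) -> bool:
    """Deny-by-default policy: only explicitly enumerated cases return True;
    anything not listed falls through to False."""
    if user.role == "admin":
        return True
    if action in ("read", "update", "delete") and record.owner_id == user.id:
        return True
    return False


def get_record(user: User, record_id: int) -> Record:
    """Hardened lookup: fetch the record, then enforce ownership before
    returning it. Missing and forbidden records get the same error."""
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(user, "read", record):
        raise AccessDenied(f"record {record_id} is not accessible to user {user.id}")
    return record


def update_record(user: User, record_id: int, body: str) -> Record:
    """Same ownership check applied to a write, so the policy lives in one
    place (is_allowed) rather than being re-derived per endpoint."""
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(user, "update", record):
        raise AccessDenied(f"record {record_id} is not accessible to user {user.id}")
    record.body = body
    return record


class RateLimiter:
    """Sliding-window limiter keyed per client (user id, API key or IP).
    The current time is passed in so behaviour is deterministic and testable."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = {}  # key -> deque of request timestamps within the window

    def allow(self, key: str, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that have aged out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    alice = User(id=100, role="user")
    print(get_record(alice, 1).body)          # alice can read her own record
    try:
        get_record(alice, 2)                  # bob's record: denied
    except AccessDenied as exc:
        print("denied:", exc)
    print(get_record_insecure(alice, 2).body) # the broken version hands it over
```

The point of routing every read and write through `is_allowed` is that the policy is written once and defaults to "no": adding a new action or role means adding a line that grants access, never remembering to add a line that refuses it.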
Summary
Whether you are a novice developer who is just learning to code or a seasoned engineer working on a production application, understanding the OWASP Top-10 can help you become a better programmer. The OWASP Top-10 is updated every few years. It categorizes and prioritizes the worst vulnerabilities reported on the web, so that engineers can learn from others' mistakes. Please take a few minutes to read through the OWASP Top-10 at: https://owasp.org/Top10/