Frequently asked questions: Open Web Application Security Project® (OWASP)

What is OWASP?

The Open Web Application Security Project® (OWASP) is a non-profit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web. (sourced from owasp.org)

What is the OWASP Top 10 and how does it relate to the CyberSecure Canada program?

The OWASP Top 10 is an online publication that ranks the ten most critical categories of web application security risk and gives remediation guidance for each. The ranking is based on a consensus among security experts from around the world and combines data on how often each class of defect is found with its exploitability and potential impact. This gives developers and security professionals insight into the most prominent risks so that their organizations' security practices for applications and websites can be focused on reducing them.

Securing your website and web applications against the security risks listed in the OWASP Top 10 is a requirement under the CyberSecure Canada program.

How is the OWASP Top 10 used?

The OWASP Top 10 can be used as a guidance document or baseline standard within an organization to help improve its security posture for web applications and websites. By implementing mitigations for each of the Top 10 risk categories, organizations can show that they have taken a baseline set of steps to secure their web applications. Note that OWASP itself describes the Top 10 as an awareness document rather than a complete security standard, so meeting it is a starting point, not the end of the work.

Using a web application vulnerability scanner can help check an application against the Top 10 and confirm that mitigations are in place, with one caveat: a scanner can only find the categories that show up in observable behaviour (injection, misconfigured headers, outdated components with known vulnerabilities, and similar). Categories such as Insecure Design and Security Logging and Monitoring Failures have to be assessed by review rather than by scanning. More information can be found on the OWASP Top 10 webpage.

How often is the OWASP Top 10 updated?

Releases of the OWASP Top 10 have been roughly three to four years apart (2010, 2013, 2017 and 2021). This gives organizations using the OWASP Top 10 ample time to prepare for each new edition. The latest version of the OWASP Top 10 was released in 2021.

The OWASP Foundation announces on its website when an update is in progress; finalizing a new edition then takes about a year. The Top 10 categories do not all change with each update; rather, they are amended to reflect the current and most critical web application security risks. As an example, the 2021 edition introduced three new categories, renamed or re-scoped four existing ones, and consolidated some others.

What is a vulnerability scanner and how is it used?

Vulnerability scanners are automated tools that allow organizations to check whether their systems and applications have security weaknesses that could expose them to attacks. For analysing weaknesses related to the OWASP Top 10, a web application vulnerability scanner is required. The scanner probes the web application, normally from the outside as an unauthenticated attacker would, looking for security vulnerabilities such as those in the Top 10. Scanner output should be treated as a list of candidates: findings need to be verified (false positives are common), and each confirmed medium or high finding then needs to be fixed and the scan re-run. Free and open-source scanners as well as commercial ones are available. Some guidance from OWASP about scanners can be found on the Vulnerability Scanning Tools webpage.

Does the OWASP Top 10 apply to static websites?

Yes. Under the CyberSecure Canada certification requirements, the OWASP Top 10 applies to static websites as well. Websites are becoming more dynamic and increasingly function like web applications, with interactivity, integrations and authentication.
That being said, if a website is purely informational and has no user input, no authentication and no access control, most of the OWASP Top 10 categories will not apply. Some still do: Security Misconfiguration (for example missing security headers or a weak TLS configuration) and Vulnerable and Outdated Components (for example an outdated JavaScript library bundled with the site) affect static sites too. For CyberSecure Canada certification, you are still required to run a vulnerability scan and mitigate all the medium and high impact vulnerabilities it finds.
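The two answers above come down to one practical loop: run a web application scanner, keep the Medium and High findings, fix them, re-scan until nothing at that level remains. The following is an added example (not part of this FAQ, and not code from OWASP or CyberSecure Canada) of the triage step in Python. It assumes a report in the shape of an OWASP ZAP JSON report ("site", "alerts", "riskcode", "riskdesc", "instances" fields); the report contents themselves are constructed sample data for a fictional site, not the results of any real scan.

```python
import json
from collections import Counter

# Constructed sample report, laid out like an OWASP ZAP JSON report.
# Assumption: ZAP's "site" / "alerts" / "riskcode" / "instances" field names.
# The findings are made up for this example and describe no real site.
SAMPLE_REPORT = """
{
  "@version": "2.14.0",
  "site": [
    {
      "@name": "https://www.example.org",
      "alerts": [
        {"alert": "Strict-Transport-Security Header Not Set",
         "riskcode": "1", "riskdesc": "Low (High)", "cweid": "319",
         "instances": [{"uri": "https://www.example.org/", "method": "GET"}]},
        {"alert": "Vulnerable JS Library",
         "riskcode": "2", "riskdesc": "Medium (Medium)", "cweid": "1395",
         "instances": [{"uri": "https://www.example.org/js/jquery-1.8.3.min.js", "method": "GET"}]},
        {"alert": "SQL Injection",
         "riskcode": "3", "riskdesc": "High (Medium)", "cweid": "89",
         "instances": [{"uri": "https://www.example.org/search?q=x", "method": "GET"},
                       {"uri": "https://www.example.org/login", "method": "POST"}]},
        {"alert": "Server Leaks Version Information",
         "riskcode": "1", "riskdesc": "Low (High)", "cweid": "200",
         "instances": [{"uri": "https://www.example.org/", "method": "GET"}]}
      ]
    }
  ]
}
"""

# ZAP encodes risk as a numeric string; map it to the words the requirement uses.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def load_findings(report_text):
    """Flatten the nested report into one dict per alert, with the affected URLs."""
    report = json.loads(report_text)
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            findings.append({
                "site": site.get("@name", ""),
                "name": alert["alert"],
                "risk": RISK_NAMES.get(str(alert.get("riskcode", "0")), "Unknown"),
                "cwe": alert.get("cweid", ""),
                "urls": [i.get("uri", "") for i in alert.get("instances", [])],
            })
    return findings


def must_fix(findings, threshold="Medium"):
    """Findings at or above the threshold, highest risk first (the bar here is Medium/High)."""
    floor = RISK_ORDER.index(threshold)
    kept = [f for f in findings if f["risk"] in RISK_ORDER and RISK_ORDER.index(f["risk"]) >= floor]
    return sorted(kept, key=lambda f: -RISK_ORDER.index(f["risk"]))


def summarize(findings):
    """Count of findings per risk level, e.g. {'Low': 2, 'Medium': 1, 'High': 1}."""
    return dict(Counter(f["risk"] for f in findings))


def scan_passes(report_text):
    """True only when no Medium or High finding remains open."""
    return not must_fix(load_findings(report_text))


def remediated(report_text, fixed_names):
    """Simulate a re-scan after fixes by dropping the named alerts from the report."""
    report = json.loads(report_text)
    for site in report.get("site", []):
        site["alerts"] = [a for a in site.get("alerts", []) if a["alert"] not in fixed_names]
    return json.dumps(report)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print("findings by risk:", summarize(findings))
    for f in must_fix(findings):
        print(f"[{f['risk']}] {f['name']} (CWE-{f['cwe']})")
        for url in f["urls"]:
            print("   ", url)
    print("passes Medium/High bar:", scan_passes(SAMPLE_REPORT))
    print("after fixing the two open items:",
          scan_passes(remediated(SAMPLE_REPORT, {"SQL Injection", "Vulnerable JS Library"})))
```

The Low findings are still worth fixing (both in the sample are Security Misconfiguration items that apply to a static site), but they are not what blocks certification, so the script separates the two. Whatever scanner is used, verify each Medium/High item by hand before spending time on a fix, and keep the "after" report as the evidence the hosting provider or certifier will ask for.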

For organizations that don't host their own websites, what should they do to comply with the OWASP Top 10?

If an organization uses a website hosting service, such as GoDaddy or WordPress, achieving CyberSecure Canada certification requires that it be able to provide evidence or confirmation that the hosting service scans the website and that it is free of any major vulnerabilities. Ideally the customer would obtain a scan report from the hosting service as that confirmation. As mentioned above, a scan is required to show that the OWASP Top 10 requirements are being met.