OWASP, the defense “mechanism” against web threats

Iñigo Ladrón Morales

Every software and hardware product and service has flaws: inaccuracies, bugs, security gaps or holes, that is, vulnerabilities.

Exploiting these flaws in services, systems, applications and networks is common practice and the main objective of cyber attackers and cybercriminals, who know it is an "easy" way to get in through these holes, gain access, obtain privileges and achieve their goals.

A vulnerability is, therefore, a weakness or flaw in a system that can be exploited by a cyber attacker to compromise the security of that system, thus affecting the integrity, availability, or confidentiality of the information. These vulnerabilities can exist at various layers of the technological infrastructure, from the network level to the application level. Some of the most vulnerable areas include web applications, operating systems, databases, network devices, and any other type of software.

Vulnerabilities can be classified into several categories, each with its own set of effects and exploitation methods:

  • Injection Vulnerabilities. The best known are SQL injection and XSS (Cross-Site Scripting), which allow attackers to execute unauthorized code on the targeted system and to access or modify sensitive data held within it.
  • Authentication and Access Control Vulnerabilities. These allow cyber attackers to bypass authentication and user identification mechanisms, or to gain privileged, unrestricted access to functions or data they are not authorized for.
  • Session Management Vulnerabilities. They allow cyber attackers to take over and hijack legitimate user sessions and perform actions on the user's behalf without anyone noticing.
  • Insecure Configuration Vulnerabilities. These are simply configuration errors: they occur when a system is incorrectly configured, thereby exposing sensitive data or functionality.
  • Sensitive Data Exposure Vulnerabilities. They expose confidential information, such as passwords or sensitive personal data, to unauthorized individuals.
  • Information Leakage Vulnerabilities. These vulnerabilities allow the unauthorized disclosure of sensitive information.
  • Denial of Service (DoS / DDoS) Vulnerabilities. This type of vulnerability can lead to service outages or saturation of system resources, affecting the availability of the system and business continuity.


To combat these threats, a deep understanding of the vulnerabilities present in all our computer systems is required, together with an effective strategy for managing them appropriately.

This is where OWASP (Open Web Application Security Project) comes into play: a global community dedicated to improving software security. Specifically, it is a worldwide, non-profit community that provides resources, tools, guides and open source projects to help companies understand, identify and mitigate vulnerabilities in web applications and web services, and build secure applications and services.

Vulnerability management involves identifying, classifying and remediating security weaknesses in a computer system. Companies use vulnerability scanning tools and frameworks such as CVE (Common Vulnerabilities and Exposures) and CVSS (Common Vulnerability Scoring System) to catalog and assess the risk associated with each discovered vulnerability, whether it is already known or a newly appearing zero-day.

Pentesting (penetration testing) and intrusion testing, although they may seem the same, are not. Both are techniques used to assess the security of a computer system, but they differ in approach and scope. Pentesting focuses on simulating a real attack against a specific system (or subsystem). Intrusion testing, on the other hand, is broader in character and scope, as it evaluates the security of an entire infrastructure, including all its systems, subsystems, networks and security policies.

OWASP provides the guidelines and tools needed for both pentesting and intrusion testing, in order to identify and mitigate vulnerabilities in an individual system or across an entire infrastructure. For example, OWASP ZAP (Zed Attack Proxy) is widely used by cybersecurity professionals to identify vulnerabilities in web applications during penetration testing.

In addition to OWASP, there are other organizations, such as MITRE (known for the MITRE ATT&CK matrix of attack techniques) and ISC2 (International Information System Security Certification Consortium), that focus on cybersecurity but have approaches and areas of interest different from OWASP's.

  • MITRE is a non-profit organization that focuses on the research and development of technologies and standards in the field of cybersecurity.
  • ISC2 focuses on the certification and training of cybersecurity professionals.


"In any case, among all of them, OWASP, MITRE and ISC2, there are overlaps and redundancies in several areas of action, although OWASP stands out for its specific focus on software cybersecurity and web application cybersecurity."

OWASP maintains a Top 10 of vulnerabilities that evolves over time: a list of the 10 most critical vulnerabilities in web applications, ranked on the basis of the experience of recognized cybersecurity experts.

Currently, the latest version is the OWASP Top 10 of 2021. Among its top entries are code injection, broken authentication and sensitive data exposure. These vulnerabilities represent the most common and urgent risks that companies must address to ensure the security of their web applications.

But how are vulnerabilities detected, identified and named? It is a systematic, thorough and rigorous process that involves gathering information about the OWASP Top 10 of 2021, as well as analyzing the potential impact of each vulnerability and the mitigation measures available.

The vulnerabilities are named according to established standards in the cybersecurity industry, such as:

  • CVE (Common Vulnerabilities and Exposures). A public dictionary, or identification and naming system for vulnerabilities, used worldwide. It provides a unique identifier for each vulnerability, which facilitates interoperability between security tools and collaboration among organizations.
  • CVSS (Common Vulnerability Scoring System). A scoring system used to numerically assess the risk associated with a vulnerability, taking into account factors such as its severity, its scope, the ease of exploitation and the potential impact.


In conclusion, OWASP plays a fundamental role in improving the cybersecurity of software and web applications, providing resources and tools that help organizations identify, mitigate, and remediate vulnerabilities, thus protecting digital assets and the privacy of users.

"With its community-focused and open-source approach, OWASP continues to be a key player in the fight against constantly evolving cyber threats."

Of course, at Zerolynx we regularly use OWASP and all these globally standardized models and frameworks when providing our Detection Services, such as:

- The Hacking on CMS Platform (Web Pentest).
- The Internal and External Pentesting.
- The Web Security Audit.
- The Mobile Application Security Audit.
- The Denial of Service (DoS) Tests.

"We invite you to learn about all the services of Zerolynx."


"But, if you also want us to inform you better and give you more details, in a more personalized way, do not hesitate to get in touch with us."


Iñigo Ladrón Morales, Content Writer for Zerolynx.
