OWASP Top Ten is a ranking of critical threats to common Web applications that are published and periodically updated by the Open Source Web Application Security Project (OWASP). The following table shows a mapping of the requirements specified in this standard to the 2017 version of OWASP Top 10.
OWASP Top Ten 2017 | Relevant |
TSS-WEB Requirement | |
A1- Injection | Primary: (1) Parametrization / ORM frameworks (SQL Injection) and (2) use of encoding APIs (see 8.4 Output Validation (Encoding & Escaping)). Secondary: restrictive input validation (see 8.2 Input Validation) |
A2 - Broken Authentication | Use of secure and strong authentication mechanisms (see 8.5 User Authentication and Registration) and session management hardening (see 8. |
A3 - Sensitive Data Exposure | Application server hardening (see 3. Operational Requirements, restrictive error handling (see 8. |
10 Error Handling & Logging) as well as data protection measures (see 8. |
A4 - XML External Entities (XXE) | Primary: Harden XML parser (see 8.2 Input Validation) |
A5 - Broken Access Control | Verification of every sensitive object access (on both functional and object layer) as well as the implementation of indirections (see section 8. |
A6 - Security Misconfiguration | Perform server hardening (see 3. Operational Requirements) |
A7 - Cross-Site Scripting (XSS) | Primary: Context sensitive output validation (see 8.4 Output Validation (Encoding & Escaping) ), ideally implemented implicitly by a Web framework. Secondary: Use of security headers (see 8. |
12 Client-Side Securityas well as Appendix A: Requirements for HTTP Security Header and restrictive input validation (see 8.2 Input Validation). Special Cases: Processing of untrusted HTML markup must be validated with mature HTML sanitizing APIs, use of secure JavaScript APIs (see 8. |
12 Client-Side Security). The same applies to Web frameworks that provide similar APIs (see section 8.4 Output Validation (Encoding & Escaping)). | |
A8 - Insecure Deserialization | Primary: Keep your 3rd party components updates and perform SCA assessments in build pipeline (see 4 |
. Secure Development Environment). Secondary: Perform strict input validation (see 8.2 Input Validation) | |
A9 - Using Components with Known Vulnerabilities | Keep your 3rd party components updates and perform SCA assessments in build pipeline (see 4. |
A10 - Insufficient Logging & Monitoring | See 8. |