Appendix B: OWASP Top Ten 2017 Mapping
The OWASP Top Ten is a ranking of the most critical threats to common Web applications, published and periodically updated by the Open Source Web Application Security Project (OWASP). The following table maps the requirements specified in this standard to the 2017 version of the OWASP Top 10.
| OWASP Top Ten 2017 | Relevant TSS-WEB Requirement |
|---|---|
| A1 - Injection | Primary: (1) parametrization / ORM frameworks (SQL injection) and (2) use of encoding APIs (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/360490). Secondary: restrictive input validation (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199). |
| A2 - Broken Authentication | Use of secure and strong authentication mechanisms (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/327745) and session management hardening (see ). |
| A3 - Sensitive Data Exposure | Application server hardening (see ), restrictive error handling (see ) as well as data protection measures (see ). |
| A4 - XML External Entities (XXE) | Primary: harden the XML parser (see ). |
| A5 - Broken Access Control | Verification of every sensitive object access (on both the functional and the object layer) as well as the implementation of indirections (see section ). |
| A6 - Security Misconfiguration | Perform server hardening (see ). |
| A7 - Cross-Site Scripting (XSS) | Primary: context-sensitive output validation (see ), ideally implemented implicitly by a Web framework. Secondary: use of security headers (see ) and restrictive input validation (see ). Special cases: processing of untrusted HTML markup must be validated with mature HTML sanitizing APIs; use of secure JavaScript APIs (see ). The same applies to Web frameworks that provide similar APIs (see section ). |
| A8 - Insecure Deserialization | Primary: keep your 3rd party components updated and perform SCA assessments in the build pipeline (see ). Secondary: perform strict input validation (see ). |
| A9 - Using Components with Known Vulnerabilities | Keep your 3rd party components updated and perform SCA assessments in the build pipeline (see ). |
| A10 - Insufficient Logging & Monitoring | See |