OWASP Top Ten is a ranking of critical threats to common Web applications that are published and periodically updated by the Open Source Web Application Security Project (OWASP). The following table shows a mapping of the requirements specified in this standard to the 2017 version of OWASP Top 10.
OWASP Top Ten 2017 | Relevant TSS-WEB Requirement | Coverage |
A1- Injection | Primary: (1) Parametrization / ORM frameworks (SQL Injection) and (2) use of encoding APIs (see 8.4 Output Validation (Encoding & Escaping) ). Secondary: restrictive input validation (see 8.2 Input Validation ) | Full |
A2 - Broken Authentication | Use of secure and strong authentication mechanisms (see 8.5 User Authentication and Registration ) and session management hardening (see 8.10 Hardening of Session Management ). | Full |
A3 - Sensitive Data Exposure | Application server hardening (see 3. Operational Requirements, restrictive error handling (see 8.12 Error Handling & Logging ) as well as data protection measures (see 8.13 Data Security & Cryptography ). | Full |
A4 - XML External Entities (XXE) | Primary: Harden XML parser (see 8.2 Input Validation ) | Full |
A5 - Broken Access Control | Verification of every sensitive object access (on both functional and object layer) as well as the implementation of indirections (see section 8.11 Access Controls ). | Full |
A6 - Security Misconfiguration | Perform server hardening (see 3. Operational Requirements ) | Full |
A7 - Cross-Site Scripting (XSS) | Primary: Context sensitive output validation (see 8.4 Output Validation (Encoding & Escaping) ), ideally implemented implicitly by a Web framework. Secondary: Use of security headers (see 8.15 Client-Side Security as well as Appendix A: Requirements for HTTP Security Header and restrictive input validation (see 8.2 Input Validation ). Special Cases: Processing of untrusted HTML markup must be validated with mature HTML sanitizing APIs, use of secure JavaScript APIs (see 8.15 Client-Side Security ). The same applies to Web frameworks that provide similar APIs (see section 8.4 Output Validation (Encoding & Escaping) ). | Full |
A8 - Insecure Deserialization | Primary: Keep your 3rd party components updates and perform SCA assessments in build pipeline (see 4. Protection of Source and Program Code Secondary: Perform strict input validation (see 8.2 Input Validation ) | Full |
A9 - Using Components with Known Vulnerabilities | Keep your 3rd party components updates and perform SCA assessments in build pipeline (see 4. Protection of Source and Program Code | Full |
A10 - Insufficient Logging & Monitoring | Full |