OWASP Top Ten is a ranking of critical threats to common Web applications, published and periodically updated by the Open Source Web Application Security Project (OWASP). The following table maps the requirements specified in this standard to the 2017 version of the OWASP Top 10.

| OWASP Top Ten 2017 | Relevant TSS-WEB Requirement |
|---|---|
| A1 - Injection | Primary: (1) parametrization / ORM frameworks (SQL injection) and (2) use of encoding APIs (see 8.4 Output Validation (Encoding & Escaping)). Secondary: restrictive input validation (see 8.2 Input Validation). |
| A2 - Broken Authentication | Use of secure and strong authentication mechanisms (see 8.5 User Authentication and Registration) and session management hardening (see 8.8 Hardening of Session Management). |
| A3 - Sensitive Data Exposure | Application server hardening (see 3. Operational Requirements), restrictive error handling (see 8.10 Error Handling & Logging) as well as data protection measures (see 8.11 Data Security & Cryptography). |
| A4 - XML External Entities (XXE) | Primary: harden the XML parser (see 8.2 Input Validation). |
| A5 - Broken Access Control | Verification of every sensitive object access (on both the functional and the object layer) as well as the implementation of indirections (see section 8.9 Access Controls). |
| A6 - Security Misconfiguration | Perform server hardening (see 3. Operational Requirements). |
| A7 - Cross-Site Scripting (XSS) | Primary: context-sensitive output validation (see 8.4 Output Validation (Encoding & Escaping)), ideally implemented implicitly by a Web framework. Secondary: use of security headers (see 8.12 Client-Side Security as well as Appendix A: Requirements for HTTP Security Header) and restrictive input validation (see 8.2 Input Validation). Special cases: processing of untrusted HTML markup must be validated with mature HTML sanitizing APIs; use of secure JavaScript APIs (see 8.12 Client-Side Security). The same applies to Web frameworks that provide similar APIs (see section 8.4 Output Validation (Encoding & Escaping)). |
| A8 - Insecure Deserialization | Primary: keep your 3rd party components updated and perform SCA assessments in the build pipeline (see 4. Protection of Sensitive Development and Deployment Artefacts). Secondary: perform strict input validation (see 8.2 Input Validation). |
| A9 - Using Components with Known Vulnerabilities | Keep your 3rd party components updated and perform SCA assessments in the build pipeline (see 4. Protection of Sensitive Development and Deployment Artefacts). |
| A10 - Insufficient Logging & Monitoring | |
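The two primary measures the table names for A1 (parametrized queries) and A7 (context-sensitive output encoding) are easiest to understand side by side with the anti-pattern they replace. The following Python example is added here for illustration and is not part of the standard or of any TSS-WEB reference implementation; the table contents and user names are constructed, and it uses only the standard library (`sqlite3` and `html`).

```python
import html
import sqlite3

# Constructed sample data (not from the standard): a tiny in-memory users table.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn, name):
    """Anti-pattern: untrusted input is spliced into the SQL text, so the
    input can change the structure of the statement (A1 - Injection)."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_parametrized(conn, name):
    """A1 primary measure: the value is bound as a parameter, so whatever the
    input contains it is compared as data and never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_greeting(name):
    """A7 primary measure: encode untrusted data for the context it lands in.
    Here the context is the HTML body, so HTML entity encoding applies;
    quote=True also encodes quotes, which keeps the same helper safe inside
    a quoted attribute value."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # A tautology in the input collapses the WHERE clause when concatenated,
    # but is just a non-matching name when bound as a parameter.
    probe = "x' OR '1'='1"
    print("concatenated :", lookup_email_vulnerable(db, probe))   # every row
    print("parametrized :", lookup_email_parametrized(db, probe)) # no rows
    print(render_greeting("<script>alert(1)</script>"))            # inert text
```

The same separation of data from structure is what an ORM gives you implicitly, and the same context rule applies to output encoding: `html.escape` is correct only for HTML body and attribute contexts, which is why the standard asks for context-sensitive encoding (a JavaScript or URL context needs a different encoder) and why a framework that applies it automatically is preferred.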