Appendix B: OWASP Top Ten 2017 Mapping

OWASP Top Ten 2017

Relevant TSS-WEB Requirement

A1- Injection

Primary: (1) Parametrization / ORM frameworks (SQL Injection) and (2) use of encoding APIs (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/360490).

Secondary: restrictive input validation (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199)

A2 - Broken Authentication

Use of secure and strong authentication mechanisms (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/327745​) and session management hardening (see ​).

A3 - Sensitive Data Exposure

Application server hardening (see ​, restrictive error handling (see ​) as well as data protection measures (see ​ ).

A4 - XML External Entities (XXE)

Primary: Harden XML parser (see ​)

A5 - Broken Access Control

Verification of every sensitive object access (on both functional and object layer) as well as the implementation of indirections (see section ​).

A6 - Security Misconfiguration

Perform server hardening (see ​)

A7 - Cross-Site Scripting (XSS)

Primary:

Context sensitive output validation (see ​ ), ideally implemented implicitly by a Web framework.

Secondary:

Use of security headers (see ​as well as ​ and restrictive input validation (see ​).

Special Cases:

Processing of untrusted HTML markup must be validated with mature HTML sanitizing APIs, use of secure JavaScript APIs (see ​). The same applies to Web frameworks that provide similar APIs (see section ​).

A8 - Insecure Deserialization

Primary: Keep your 3rd party components updates and perform SCA assessments in build pipeline (see ​).

Secondary: Perform strict input validation (see ​)

A9 - Using Components with Known Vulnerabilities

Keep your 3rd party components updates and perform SCA assessments in build pipeline (see ​).

A10 - Insufficient Logging & Monitoring

See ​