TSS-WEBAppendix B: OWASP Top Ten 2017 Mapping

Appendix B: OWASP Top Ten 2017 Mapping

Owned by Matthias Rohr
Last updated: Sept 10, 2020

OWASP Top Ten is a ranking of critical threats to common Web applications that are published and periodically updated by the Open Source Web Application Security Project (OWASP). The following table shows a mapping of the requirements specified in this standard to the 2017 version of OWASP Top 10.

OWASP Top Ten 2017

Relevant TSS-WEB Requirement

A1- Injection

Primary: (1) Parametrization / ORM frameworks (SQL Injection) and (2) use of encoding APIs (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/360490).

Secondary: restrictive input validation (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199)

A2 - Broken Authentication

Use of secure and strong authentication mechanisms (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/327745​) and session management hardening (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1179649).

A3 - Sensitive Data Exposure

Application server hardening (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98305, restrictive error handling (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1179658) as well as data protection measures (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1015823 ).

A4 - XML External Entities (XXE)

Primary: Harden XML parser (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199)

A5 - Broken Access Control

Verification of every sensitive object access (on both functional and object layer) as well as the implementation of indirections (see section ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/983054).

A6 - Security Misconfiguration

Perform server hardening (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98305)

A7 - Cross-Site Scripting (XSS)

Primary:

Context sensitive output validation (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/360490 ), ideally implemented implicitly by a Web framework.

Secondary:

Use of security headers (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/950292as well as ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1015832 and restrictive input validation (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199).

Special Cases:

Processing of untrusted HTML markup must be validated with mature HTML sanitizing APIs, use of secure JavaScript APIs (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/950292). The same applies to Web frameworks that provide similar APIs (see section ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/360490).

A8 - Insecure Deserialization

Primary: Keep your 3rd party components updates and perform SCA assessments in build pipeline (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878).

Secondary: Perform strict input validation (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199)

A9 - Using Components with Known Vulnerabilities

Keep your 3rd party components updates and perform SCA assessments in build pipeline (see ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878).

A10 - Insufficient Logging & Monitoring

See ​https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1179658