Appendix B: OWASP Top Ten 2017 Mapping

OWASP Top Ten is a ranking of critical threats to common Web applications that are published and periodically updated by the Open Source Web Application Security Project (OWASP). The following table shows a mapping of the requirements specified in this standard to the 2017 version of OWASP Top 10.

OWASP Top Ten 2017

Relevant TSS-WEB Requirement

A1- Injection

Primary: (1) Parametrization / ORM frameworks (SQL Injection) and (2) use of encoding APIs (see ​

Secondary: restrictive input validation (see

A2 - Broken Authentication

Use of secure and strong authentication mechanisms (see​) and session management hardening (see ​

A3 - Sensitive Data Exposure

Application server hardening (see ​, restrictive error handling (see ​ as well as data protection measures (see ​ ).

A4 - XML External Entities (XXE)

Primary: Harden XML parser (see ​

A5 - Broken Access Control

Verification of every sensitive object access (on both functional and object layer) as well as the implementation of indirections (see section ​

A6 - Security Misconfiguration

Perform server hardening (see ​

A7 - Cross-Site Scripting (XSS)


Context sensitive output validation (see ​ ), ideally implemented implicitly by a Web framework.


Use of security headers (see ​ well as ​ and restrictive input validation (see ​

Special Cases:

Processing of untrusted HTML markup must be validated with mature HTML sanitizing APIs, use of secure JavaScript APIs (see ​ The same applies to Web frameworks that provide similar APIs (see section ​

A8 - Insecure Deserialization

Primary: Keep your 3rd party components updates and perform SCA assessments in build pipeline (see ​

Secondary: Perform strict input validation (see ​

A9 - Using Components with Known Vulnerabilities

Keep your 3rd party components updates and perform SCA assessments in build pipeline (see ​

A10 - Insufficient Logging & Monitoring

See ​