Appendix B: OWASP Top Ten 2017 Mapping

OWASP Top Ten is a ranking of critical threats to common Web applications that is published and periodically updated by the Open Source Web Application Security Project (OWASP). The following table maps the requirements specified in this standard to the 2017 version of the OWASP Top 10.

| OWASP Top Ten 2017 | Relevant TSS-WEB Requirement |
|---|---|
| A1 - Injection | Primary: (1) parametrization / ORM frameworks (SQL injection) and (2) use of encoding APIs (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/360490). Secondary: restrictive input validation (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199/8.2+Input+Validation). |
| A2 - Broken Authentication | Use of secure and strong authentication mechanisms (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/327745/8.5+User+Authentication+and+Registration) and session management hardening (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1179649/8.7+Hardening+of+Session+Management). |
| A3 - Sensitive Data Exposure | Application server hardening (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98305/3.+Secure+Operation), restrictive error handling (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1179658) as well as data protection measures (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1015823). |
| A4 - XML External Entities (XXE) | Primary: harden the XML parser (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199/8.2+Input+Validation). |
| A5 - Broken Access Control | Verification of every sensitive object access (on both the function and the object layer) as well as the implementation of indirections (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/983054/8.8+Access+Controls). |
| A6 - Security Misconfiguration | Perform server hardening (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/98305/3.+Secure+Operation). |
| A7 - Cross-Site Scripting (XSS) | Primary: context-sensitive output validation (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/360490), ideally implemented implicitly by a Web framework. Secondary: use of security headers (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/950292/8.12+Client-Side+Security as well as https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1015832/Appendix+A%3A+Requirements+for+HTTP+Security+Header) and restrictive input validation (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199/8.2+Input+Validation). Special cases: untrusted HTML markup must be processed with mature HTML sanitizing APIs, and secure JavaScript APIs must be used (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/950292/8.12+Client-Side+Security). The same applies to Web frameworks that provide similar APIs (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/360490). |
| A8 - Insecure Deserialization | Primary: keep third-party components up to date and perform SCA (software composition analysis) assessments in the build pipeline (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Secure+Development+Environment). Secondary: perform strict input validation (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/262199/8.2+Input+Validation). |
| A9 - Using Components with Known Vulnerabilities | Keep third-party components up to date and perform SCA assessments in the build pipeline (see https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/65878/4.+Secure+Development+Environment). |
| A10 - Insufficient Logging & Monitoring | See https://secodis.atlassian.net/wiki/spaces/TSSWEB/pages/1179658. |