5

Many people are aware of the "OWASP Top 10". I'm wondering if OWASP (or any similar authority) has gone above and beyond just the top 10 most commons attacks and made a larger list (e.g. the "OWASP Top 1,000", etc.).

I'm fleshing out the requirements for my first big web app and I want to make sure I'm as prepared as I possibly can be. I'd like to know where I can go to find a larger (but still manageable, not like 10s of thousands!) list of vulnerabilities I need to defend my network and applications against.

If no such "master list" exists, how would IT Sec recommend I research and secure my web app (besides hiring one of you as a consultant!)? Any "must-read" books/articles/blogs? Thanks in advance!

zharvey
  • 911
  • 3
  • 10
  • 14

3 Answers

14

There is not a top 1000, because that wouldn't actually be relevant to most people. The OWASP top 10 are chosen because they are applicable across the vast majority of web applications, and are likely to be exploited if you do not secure them.

Beyond that, if you are starting from a position of already having applications and infrastructure:

  • Understand your assets - have a list of all your applications, platforms and versions

This can be very challenging in a large organisation, but without it, how will you know what you are vulnerable to?

  • Cross reference this list with the CVE database to understand the types and number of vulnerabilities which apply to your assets

The CVE database goes to the level of specific versions of applications and platforms so you can get a very tailored view of vulnerabilities you should be aware of. It also provides a rating (from 1 to 10) and a description of how the vulnerability can be exploited (e.g. local, remote, etc.)

  • Identify your threat actors

This could be environmental activists, terrorists, competitors, foreign governments, bored students, organised crime gangs etc.

  • Assess impact and likelihood based on the previous steps and prioritise remediation

You can never protect against all possible attacks, so this step is essential to help you decide where your limited budget and time will have the best return. If you can't articulate the value of a remediation project to the board you may find it difficult to get buy-in and budget.

  • Implement remediation activities

  • Rinse and Repeat - security never ends

A better position is to build a security governance framework which helps define and assure security in the development lifecycle, so this will help you build an architecture and testing plan to help reduce the likelihood of vulnerabilities getting into code in the first place - but this is a much longer discussion, and probably will see you utilising consultants :-)

tl;dr - OWASP Top 10 will give you the best initial view on what you need to do to protect yourself. After that check the CVE database for specific vulnerabilities for your code. Improving your procedures/framework/SDLC will protect you best in the long run. Proactive, rather than reactive.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • Awesome answer - thanks @Rory - I figured CVE would crop up in some answers and this was just the kind of structure I was looking for. Thanks again – zharvey Jul 02 '12 at 12:42
  • Rory's third point - prioritise remediation based on impact - is especially important. It is impossible to completely defend against ALL possible attacks. You should only take steps to address threats which have a major impact on your systems. That is why risk assessment is a key step in any security assessment. –  Jul 02 '12 at 13:04
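The "cross-reference your asset list with the CVE database, then prioritise by impact and likelihood" steps in the answer above, as an added worked example that is not part of the answer and is not OWASP or NVD tooling. The asset inventory, the vulnerability records (with placeholder ids of the form `EXAMPLE-000n`, not real CVEs), the version-range rule (a version below `fixed_in` is affected) and the likelihood weights for local/remote access and internet exposure are all constructed assumptions for illustration; a real run would pull the records from the CVE/NVD feed and set the impact values with the asset owners.

```python
"""Cross-reference an asset inventory against vulnerability records and rank
remediation by risk = likelihood x business impact.  (Added example; all data
below is constructed, the ids are placeholders, not real CVE entries.)"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    version: str
    internet_facing: bool   # exposure drives likelihood (assumed weighting)
    business_impact: int    # 1 (low) .. 5 (critical), set by the asset owner


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str            # placeholder id, NOT a real CVE number
    product: str
    fixed_in: str           # assumption: every version below this is affected
    rating: float           # 0.0 .. 10.0 severity rating, like the CVE/NVD score
    access: str             # "remote" or "local", as in the CVE description


def parse_version(v: str) -> tuple:
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_affected(asset: Asset, rec: VulnRecord) -> bool:
    """The cross-reference step: same product and a version older than the fix."""
    return asset.name == rec.product and parse_version(asset.version) < parse_version(rec.fixed_in)


def likelihood(asset: Asset, rec: VulnRecord) -> float:
    """Assumed likelihood model: severity scaled by how reachable the flaw is.
    Remote + internet facing -> full weight; remote but internal -> 0.6;
    local only -> 0.3.  Tune these to your own threat actors."""
    if rec.access == "local":
        reach = 0.3
    elif asset.internet_facing:
        reach = 1.0
    else:
        reach = 0.6
    return (rec.rating / 10.0) * reach


def prioritise(assets, records):
    """Return (asset, vuln_id, risk) tuples, highest risk first, so the
    remediation budget goes where the return is best."""
    findings = []
    for asset in assets:
        for rec in records:
            if is_affected(asset, rec):
                risk = round(likelihood(asset, rec) * asset.business_impact, 3)
                findings.append((asset.name, rec.vuln_id, risk))
    return sorted(findings, key=lambda f: f[2], reverse=True)


# Constructed inventory: the "understand your assets" step.
ASSETS = [
    Asset("webfront", "2.3.1", internet_facing=True, business_impact=5),
    Asset("reportsvc", "1.0.4", internet_facing=False, business_impact=3),
    Asset("buildbox", "4.2.0", internet_facing=False, business_impact=2),
    Asset("cache", "6.0.0", internet_facing=True, business_impact=4),
]

# Constructed vulnerability records standing in for CVE database entries.
RECORDS = [
    VulnRecord("EXAMPLE-0001", "webfront", fixed_in="2.4.0", rating=9.8, access="remote"),
    VulnRecord("EXAMPLE-0002", "webfront", fixed_in="2.3.0", rating=7.5, access="remote"),  # already fixed
    VulnRecord("EXAMPLE-0003", "reportsvc", fixed_in="1.1.0", rating=8.1, access="remote"),
    VulnRecord("EXAMPLE-0004", "buildbox", fixed_in="4.3.0", rating=6.5, access="local"),
    VulnRecord("EXAMPLE-0005", "cache", fixed_in="5.9.0", rating=9.1, access="remote"),  # cache is patched
]


if __name__ == "__main__":
    for name, vuln_id, risk in prioritise(ASSETS, RECORDS):
        print(f"{risk:5.2f}  {name:10s}  {vuln_id}")
```

Running it lists only the three findings that actually apply (the patched `webfront` issue and the up-to-date `cache` drop out at the cross-reference step), with the internet-facing, high-impact asset on top. The point of keeping the weights in one small function is that when the "identify your threat actors" step changes your view of what is reachable, the ranking changes with it rather than being argued case by case.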
1

OWASP lists far more attacks than just the top 10. Please see the attack category on the OWASP Wiki.

chao-mu
  • 2,801
  • 18
  • 22
0

OWASP Top 10 categories cover almost all the issues for the web applications. This is the list of 10 issues, however if you dig deeper you will come to know the categorization behind this.

Please read https://www.owasp.org/index.php/Top_10_2013-Top_10

ammy
  • 1
  • 2