Why the OWASP Top 10 can be an ally to your organization

Published by Sabrina Pagnotta on May 21, 2020
Categories
  • Blog
Tags
  • Cybersecurity
  • TPRM Best Practices
  • Vendor Best Practices

Whether your organization develops its own application or has to choose one from a third party, there are plenty of vulnerabilities that you need to look out for – that is, if you want to stay safe from data breaches. Third-party risk can be introduced in many forms: a cloud provider, a software component, a poorly secured library… What they all have in common is that they could expose your organization’s sensitive data or that of your customers.

While most of the risks in a web application can be detected and mitigated with an external audit, some companies find it hard to assign the time and resources it takes. That’s when the OWASP Top 10 comes in as a starting point for detecting possible issues around third-party components.

In this blog, we’ll discuss what this ranking is and how it relates to third-party risk management.

What is the OWASP Top 10?

According to its own website, the OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical risks to web applications, and provides the grounds for evaluating their security.

Companies can adopt this document to ensure that their web applications minimize these risks, creating a culture around secure software development.

These are the top 10 web application security risks:

  1. Injection, such as SQL, NoSQL, OS, and LDAP injection, which occur when untrusted data is sent to an interpreter as part of a command or query.
  2. Broken Authentication, as a result of application functions related to authentication and session management implemented incorrectly.
  3. Sensitive Data Exposure, including financial, healthcare, and personally identifiable information (PII). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
  4. XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
  5. Broken Access Control, which refers to poor authentication security. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, etc.
  6. Security Misconfiguration, as a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
  7. Cross-Site Scripting (XSS), which allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface websites, or redirect the user to malicious sites.
  8. Insecure Deserialization, which often leads to remote code execution and can be used to perform injection or privilege escalation attacks.
  9. Using Components with Known Vulnerabilities. If a vulnerable library or software component is exploited, it would facilitate serious data loss or server takeover.
  10. Insufficient Logging & Monitoring, which, coupled with missing or ineffective integration with incident response, allows attackers to maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
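As an added illustration of the first item on the list (example code written for this post, not code from ThirdPartyTrust or from OWASP), here is the injection-prone pattern beside its hardened form, run against a constructed in-memory SQLite table. The table, its rows and the input strings are all assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo (an assumption, not from the post).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injection-prone lookup: the untrusted value is pasted into the query text,
    so the interpreter (SQLite) parses any SQL syntax inside it as SQL."""
    query = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened lookup: the value is bound as a parameter, never spliced into the
    query text, so quotes and keywords inside it are treated purely as data."""
    query = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run the same input through both variants and report how many rows each returns."""
    conn = build_db()
    try:
        return {
            "vulnerable": len(find_user_vulnerable(conn, name)),
            "parameterized": len(find_user_parameterized(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a legitimate username and one that carries SQL syntax.
    for candidate in ("alice", "nobody' OR '1'='1"):
        print(candidate, compare(candidate))
```

The second input makes the string-built query return every row, while the parameterized query returns none; that difference is the whole point of the "untrusted data sent to an interpreter" definition above.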

How does the ranking relate to third-party risk?

The OWASP Top 10 relates to third-party risk on two fronts.

If your organization develops its own web application, this document will provide guidelines for secure development. With a clear understanding of the risks that have to be avoided, you will be able to find and manage possible OWASP issues from third-party components.

It will also serve as a tool to audit the application and detect any vulnerabilities that might eventually put a customer in danger of being breached – ergo, of having high third-party risk.

This type of audit, while not exhaustive, is far more accessible than performing an external audit, which can be too expensive for startups or mid-sized companies. However, if the possibility of performing an external audit exists, testing the application against the OWASP Top 10 beforehand can definitely serve as a good starting point.

The level of risk out there doesn’t really change according to the company’s maturity, as cyber threats are constantly evolving and are capable of targeting all types and sizes of organizations. If yours is at an early stage and cannot afford a SOC attestation or any type of external audit, the OWASP Top 10 can be a good ally.

You can start using it as a framework of best practices and common security mistakes to avoid when developing your own application, and then build a security strategy around that. Even more important, you should determine which of the OWASP Top 10 risks apply to your systems, and which other risks you carry that aren’t mentioned there.

On the other hand, if your organization has to choose a new vendor or third party to engage with, the OWASP Top 10 can help you make the safest decision. If the solution you’re considering isn’t safe against these top risks, that’s a red flag – you can’t share sensitive data with a third party that isn’t going to protect it properly.

At the end of the day, what we are all looking for in a solution is confidence that, apart from fulfilling its business functions, it will protect our data.