Whether your organization develops its own application or has to choose one from a third party to engage with, there are plenty of vulnerabilities that you need to look out for – that is, if you want to stay safe from data breaches. Third-party risk can be introduced in many forms: a cloud provider, a software component, a poorly secured library… What they all have in common is that they could expose your organization’s sensitive data or that of your customers.
While most of the risks in a web application could be detected and mitigated with an external audit, some companies find it hard to assign the time and resources it takes. That’s when the OWASP Top 10 comes in as a starting point for detecting possible issues around third-party components.
In this blog, we’ll discuss what this ranking is and how it relates to third-party risk management.
What is the OWASP Top 10?
According to its own website, the OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical risks to web applications, and provides the grounds for evaluating their security.
Companies can adopt this document to ensure that their web applications minimize these risks, creating a culture around secure software development.
These are the top 10 web application security risks:
- Injection, such as SQL, NoSQL, OS, and LDAP injection, which occur when untrusted data is sent to an interpreter as part of a command or query.
- Broken Authentication, as a result of application functions related to authentication and session management being implemented incorrectly.
- Sensitive Data Exposure, of data such as financial records, healthcare records, and personally identifiable information (PII). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
- XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
- Broken Access Control, which refers to poor authentication security. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, etc.
- Security Misconfiguration, as a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
- Cross-Site Scripting (XSS), which allows attackers to execute scripts in the victim’s browser to hijack user sessions, deface websites, or redirect the user to malicious sites.
- Insecure Deserialization, which often leads to remote code execution and can be used to perform injection or privilege escalation attacks.
- Using Components with Known Vulnerabilities. If a vulnerable library or software component is exploited, it can facilitate serious data loss or server takeover.
- Insufficient Logging & Monitoring, which, coupled with missing or ineffective integration with incident response, allows attackers to maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.
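To make three of the list items concrete, here is an added example (it is not code from the original post or from ThirdPartyTrust). It shows the Injection item as a vulnerable user lookup next to its hardened, parameterized form; the Broken Access Control item as an ownership check that an authenticated user still has to pass; and the Insufficient Logging & Monitoring item as the log line a denied request should leave behind. The table layout, the seed rows and the function names are assumptions made for illustration, and the database is an in-memory SQLite store built inline so the file runs offline with the standard library only.

```python
"""Added example (not from the original post): Injection, Broken Access
Control and Insufficient Logging & Monitoring from the OWASP Top 10 list,
shown on a constructed in-memory SQLite database. All names and data are
assumptions for illustration."""
import logging
import sqlite3

log = logging.getLogger("appsec-demo")
logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")

# Constructed sample data: two users, each owning one document.
SEED_USERS = [(1, "alice", "secret-a"), (2, "bob", "secret-b")]
SEED_DOCS = [(10, 1, "alice's notes"), (20, 2, "bob's notes")]


def make_db() -> sqlite3.Connection:
    """Build the assumed schema and load the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, api_key TEXT)")
    db.execute("CREATE TABLE docs (id INTEGER, owner_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    db.executemany("INSERT INTO docs VALUES (?, ?, ?)", SEED_DOCS)
    return db


def find_user_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """Injection: untrusted input is spliced into the query text, so the
    interpreter parses it as SQL rather than treating it as data."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def find_user_safe(db: sqlite3.Connection, name: str) -> list:
    """Hardened form: a parameterized query binds the input as a value, so
    the command structure cannot be changed by what the user sends."""
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def get_document(db: sqlite3.Connection, requester_id: int, doc_id: int):
    """Access control: a valid, authenticated requester is not enough; the
    ownership check is what stops one user reading another's document."""
    row = db.execute("SELECT owner_id, body FROM docs WHERE id = ?", (doc_id,)).fetchone()
    if row is None:
        return None
    owner_id, body = row
    if owner_id != requester_id:
        # Logging & monitoring: a denied access is a signal worth recording
        # so that repeated attempts can be picked up by incident response.
        log.warning("access denied: user %s requested doc %s owned by %s",
                    requester_id, doc_id, owner_id)
        return None
    return body


if __name__ == "__main__":
    db = make_db()
    # Constructed audit input: a single quote closes the string literal,
    # which is exactly what a parameterized query prevents.
    probe = "' OR '1'='1"
    print(find_user_vulnerable(db, probe))  # every user is returned
    print(find_user_safe(db, probe))        # no user has that literal name
    print(get_document(db, 1, 10))          # alice reads her own document
    print(get_document(db, 1, 20))          # denied and logged
```

Running the file shows the same input producing every user row from the vulnerable lookup and an empty result from the parameterized one, and the second `get_document` call returning nothing while leaving a warning in the log; that pairing of a correct refusal with a recorded event is what an internal audit against the list would look for.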
How does the ranking relate to third-party risk?
The OWASP Top 10 relates to third-party risk on two fronts.
If your organization develops its own web application, this document will provide the guidelines for secure development. With a clear understanding of the risks that have to be avoided, you will be able to find and manage possible OWASP issues from third-party components.
It will also serve as a tool to audit the application and detect any vulnerabilities that might eventually put a customer in danger of being breached – ergo, of having high third-party risk.
This type of audit, while not exhaustive, is far more accessible than performing an external audit, which can be too expensive for startups or mid-sized companies. However, if the possibility of performing an external audit exists, testing the application against the OWASP Top 10 beforehand can definitely serve as a good starting point.
The level of risk out there doesn’t really change according to the company’s maturity, as cyber threats are constantly evolving and are capable of targeting all types and sizes of organizations. If yours is at an early stage and cannot afford a SOC attestation or any type of external audit, the OWASP Top 10 can be a good ally.
You can start using it as a framework of best practices and common security mistakes to avoid upon developing your own application, and then build a security strategy around that. Even more important, you should determine which of the OWASP Top 10 risks apply to your systems, and which other risks you carry that aren’t mentioned there.
On the other hand, if your organization has to choose a new vendor or third party to engage with, the OWASP Top 10 can help you make the safest decision. If the solution you’re considering isn’t safe against these top risks, that’s a red flag – you can’t share sensitive data with a third party that’s not going to protect it properly.
At the end of the day, what we are all looking for in a solution is confidence that, apart from fulfilling its business functions, it will protect our data.
To learn more about how ThirdPartyTrust can help you manage third-party risk, request your free trial now: