This article is the first in an 11-part series (yes, eleven!) about the OWASP Top Ten and ESAPI (Enterprise Security API). This article is a general introduction to the topic; each follow-on article will cover one of the Top Ten web application security vulnerabilities and show how ESAPI (or another useful framework) can be used to remediate that class of vulnerability.
Before we get into the Top Ten, I should first mention what OWASP is, for the unfamiliar. OWASP (http://www.owasp.org) is the Open Web Application Security Project. It is the result of a group of generous web application security folks volunteering their time and effort to build a lot of useful security documentation as well as software. The group maintains a large number of projects at varying levels of maturity, ranging from documentation (the Top Ten) to teaching tools (WebGoat) to intercepting proxies (WebScarab) to a secure development library (ESAPI), and so on. This group is doing excellent work, and some of the smartest security folks around are running the show, so it is a good group to get involved with if you are tasked with serious web development, or are on the security side of things.
Now, let’s move on to the OWASP Top Ten. The Top Ten project is a list of the ten most critical web application security issues. The list is updated every few years (most recently in 2007) and is compiled with a lot of input from the industry. The issues on the list are, all at once, simple to exploit, dangerous, well known, and commonly exploited in the wild. Here is a link to the Top Ten project at OWASP: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
As a harsh generalization, web developers are not very well equipped with security knowledge. Attackers, on the other hand, are. Since the sophistication required for many of the Top Ten attacks is so low in today’s environment, developers need to strengthen themselves quickly on two fronts: education and tools. That’s where OWASP and ESAPI come in. On the education side, there is an abundance of good material on the OWASP site (see the secure development guide, which lays out web application security best practices), with new information posted frequently. On the tool side, ESAPI (Enterprise Security API) is a web application security library (really a set of APIs that you build your controls on top of) that is very effective at thwarting attacks when used properly.
ESAPI functions as a framework that developers can use to put protections into their applications that will prevent many of the attacks openly used today. Even better, because its controls (input validation, output encoding, access control checks and so on) address the underlying flaw rather than individual attack strings, when used properly it will also block “0-day” variants of known exploits, and it will likely blunt new classes of vulnerabilities to some extent. Here is a link to the ESAPI project at OWASP: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
The image below shows how ESAPI fits into your application design.
The image below shows how the features of ESAPI match up to the Top Ten vulnerabilities.
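To make the “how ESAPI fits into your application” picture concrete, here is a small illustration I have added for this introduction (it is not code from the ESAPI project or from the diagram). It assumes ESAPI 2.x on the classpath with its ESAPI.properties and validation.properties available, and uses the stock “SafeString” validation type that ships in validation.properties. The class name, method names and the sample input are my own, chosen only to show the pattern: validate where untrusted data enters, encode where it leaves.

```java
// Added illustration (not from the original article or the ESAPI project):
// how ESAPI sits between untrusted input and the application's HTML output.
// Assumes ESAPI 2.x on the classpath with a readable ESAPI.properties and
// validation.properties (the default "SafeString" type is used below).
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class GreetingPage {

    // Before: untrusted request data flows straight into the HTML response.
    // A name such as <script>alert(1)</script> is emitted as live markup.
    static String renderUnsafe(String nameParam) {
        return "<p>Hello, " + nameParam + "!</p>";
    }

    // After: validate at the trust boundary, then encode for the exact output
    // context. "SafeString" is a regex type from validation.properties; the
    // context string "name" only labels the log entry if validation fails.
    static String renderWithEsapi(String nameParam) {
        String name;
        try {
            name = ESAPI.validator().getValidInput("name", nameParam, "SafeString", 50, false);
        } catch (ValidationException | IntrusionException e) {
            // Reject rather than "clean up": a failed positive check means the
            // input is not what this page expects. The message is generic so
            // nothing about the validation rules leaks back to the caller.
            return "<p>Invalid name.</p>";
        }
        // Output encoding is context specific: the same value needs a different
        // encoder inside an attribute than it does in element text.
        String text = ESAPI.encoder().encodeForHTML(name);
        String attr = ESAPI.encoder().encodeForHTMLAttribute(name);
        return "<p title=\"" + attr + "\">Hello, " + text + "!</p>";
    }

    public static void main(String[] args) {
        String hostile = "<script>alert(1)</script>";   // constructed sample input
        System.out.println(renderUnsafe(hostile));      // script tag reaches the browser
        System.out.println(renderWithEsapi("Alice"));   // passes validation, encoded on output
        System.out.println(renderWithEsapi(hostile));   // rejected by the validator
    }
}
```

The two layers are deliberate. Validation alone is not enough, because a value that is legitimately allowed to contain quotes or angle brackets still has to be encoded for the place it lands; encoding alone is not enough, because it does nothing about data that is simply wrong for the field. Later parts of this series pick these controls apart one Top Ten item at a time.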
One great benefit of getting involved with OWASP and ESAPI is the community support. There is a great group of leaders in OWASP, and an equally great group of volunteer contributors. The quality of the educational material and tooling the community produces is excellent, and it gets better and more complete every day.
Although this quick introduction only skims the surface, hopefully it has been useful in explaining what the Top Ten is, what ESAPI is, and how the two fit together. Future articles in this series will cover each of the Top Ten vulnerabilities and the techniques that can be used to protect against them. Please come back and join me for the remainder of the series.
Other articles in this series:
Part 0: The OWASP Top Ten and ESAPI
Part 1: The OWASP Top Ten and ESAPI – Part 1 – Cross Site Scripting (XSS)
Part 2: The OWASP Top Ten and ESAPI – Part 2 – Injection Flaws
Part 3: The OWASP Top Ten and ESAPI – Part 3 – Malicious File Execution
Part 4: The OWASP Top Ten and ESAPI – Part 4 – Insecure Direct Object Reference
Part 5: The OWASP Top Ten and ESAPI – Part 5 – Cross Site Request Forgery (CSRF)
Part 6: The OWASP Top Ten and ESAPI – Part 6 – Information Leakage and Improper Error Handling
Part 7: The OWASP Top Ten and ESAPI – Part 7 – Broken Authentication and Session Management
Part 8: The OWASP Top Ten and ESAPI – Part 8 – Insecure Cryptographic Storage
Part 9: The OWASP Top Ten and ESAPI – Part 9 – Insecure Communications
Part 10: The OWASP Top Ten and ESAPI – Part 10 – Failure to Restrict URL Access