Mar. 07, 2024
Machinery
There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021.
Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Efforts have been made in numerous languages to translate the OWASP Top 10 - 2021. If you are interested in helping, please contact the members of the team for the language you are interested in contributing to, or if you don’t see your language listed (neither here nor at github ), please email [email protected] to let us know that you want to help and we’ll form a volunteer group for your language. We have compiled this readme with some hints to help you with your translation.
To collect the most comprehensive dataset related to identified application vulnerabilities to-date to enable analysis for the Top 10 and other future research as well. This data should come from a variety of sources; security vendors and consultancies, bug bounties, along with company/organizational contributions. Data will be normalized to allow for level comparison between Human assisted Tooling and Tooling assisted Humans.
Plan to leverage the OWASP Azure Cloud Infrastructure to collect, analyze, and store the data contributed.
We plan to support both known and pseudo-anonymous contributions. The preference is for contributions to be known; this immensely helps with the validation/quality/confidence of the data submitted. If the submitter prefers to have their data stored anonymously and even go as far as submitting the data anonymously, then it will have to be classified as “unverified” vs. “verified”.
Scenario 1: The submitter is known and has agreed to be identified as a contributing party.
Scenario 2: The submitter is known but would rather not be publicly identified.
Scenario 3: The submitter is known but does not want it recorded in the dataset.
Scenario 4: The submitter is anonymous. (Should we support?)
The analysis of the data will be conducted with a careful distinction when the unverified data is part of the dataset that was analyzed.
There are a few ways that data can be contributed:
Template examples can be found in GitHub: https://github.com/OWASP/Top10/tree/master/2021/Data
We plan to accept contributions to the new Top 10 from May to Nov 30, 2020 for data dating from 2017 to current.
The following data elements are required or optional.
The more information provided the more accurate our analysis can be.
At a bare minimum, we need the time period, total number of applications tested in the dataset, and the list of CWEs and counts of how many applications contained that CWE.
If at all possible, please provide the additional metadata, because that will greatly help us gain more insights into the current state of testing and vulnerabilities.
If at all possible, please provide core CWEs in the data, not CWE categories.
This will help with the analysis, any normalization/aggregation done as a part of this analysis will be well documented.
If a contributor has two types of datasets, one from HaT and one from TaH sources, then it is recommended to submit them as two separate datasets.
HaT = Human assisted Tools (higher volume/frequency, primarily from tooling)
TaH = Tool assisted Human (lower volume/frequency, primarily from human testing)
Similarly to the Top Ten 2017, we plan to conduct a survey to identify up to two categories of the Top Ten that the community believes are important, but may not be reflected in the data yet. We plan to conduct the survey in May or June 2020, and will be utilizing Google forms in a similar manner as last time. The CWEs on the survey will come from current trending findings, CWEs that are outside the Top Ten in data, and other potential sources.
At a high level, we plan to perform a level of data normalization; however, we will keep a version of the raw data contributed for future analysis. We will analyze the CWE distribution of the datasets and potentially reclassify some CWEs to consolidate them into larger buckets. We will carefully document all normalization actions taken so it is clear what has been done.
We plan to calculate likelihood following the model we developed in 2017 to determine incidence rate instead of frequency to rate how likely a given app may contain at least one instance of a CWE. This means we aren’t looking for the frequency rate (number of findings) in an app, rather, we are looking for the number of applications that had one or more instances of a CWE. We can calculate the incidence rate based on the total number of applications tested in the dataset compared to how many applications each CWE was found in.
In addition, we will be developing base CWSS scores for the top 20-30 CWEs and include potential impact into the Top 10 weighting.
Also, would like to explore additional insights that could be gleaned from the contributed dataset to see what else can be learned that could be of use to the security and development communities.
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Our programming includes:
We are an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security. The OWASP Foundation launched on December 1st, 2001, becoming incorporated as a United States non-profit charity on April 21, 2004.
For two decades corporations, foundations, developers, and volunteers have supported the OWASP Foundation and its work. Donate, Become a Member, or become a Corporate Supporter today.
No more insecure software.
To be the global open community that powers secure software through education, tools, and collaboration.
As the world’s largest non-profit organization concerned with software security, OWASP:
in order to enable developers to write better software, and security professionals to make the world’s software more secure.
Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to be become a member or consider a donation to support our ongoing work.
Email Address
Most questions you might have about the OWASP Foundation can be found by searching this website. If you need to contact us directly with a request we use a ticketing system which can be accessed here. Several other common contact points include:
Our global address for general correspondence and faxes can be sent to our physical office address, at:
The OWASP Foundation Inc.
300 Delaware Ave
Ste 210 #384
Wilmington, DE 19801
+1 951-692-7703 (phone)
EIN #20-0963503
The European legal address and VAT number is:
OWASP Europe VZW
c/o Sr Fiduciarire Cv
Steenvoordestraat 184
9070 Destelbergen
Belgium
VAT: BE 0836743279
The activities, programs, and events of the Foundation conform to a number of policies set forth in our Policies & Procedures and the Code of Conduct. Additionally we expect our Board Members, Leaders, Staff, and volunteers to model the upmost in integrity, honesty, and patience with supporting our extended communities.
All OWASP materials are available under an OSI-approved Open Source License or one of the latest Creative Commons licenses for most documentation projects. This website is (C) OWASP and licensed under the Creative Commons Attribution-ShareAlike 4.0 International license (CC-BY-SA 4.0)
Previous: Who gives you the most money for your car?
Next: What is IAST used for?
If you are interested in sending in a Guest Blogger Submission,welcome to write for us!
All Comments ( 0 )