OWASP is a nonprofit foundation that works to improve the security of software.
OWASP (Open Worldwide Application Security Project) is an open community dedicated to enabling organizations to design, develop, acquire, operate, and maintain software for secure applications that can be trusted. Its programs include community-led open-source software projects and local and global conferences, involving hundreds of chapters worldwide with tens of thousands of members.
OWASP plays a crucial role in raising awareness about web application security risks, and provides valuable resources, tools, documentation, and best practices to address the increasing challenges of web application security. OWASP helps developers, security professionals, and organizations understand potential threats and adopt security best practices.
OWASP maintains a list of the ten most critical web application security risks, along with effective processes, procedures, and controls to mitigate them. OWASP also provides a list of the Top 10 API Security Risks to educate those involved in API development and maintenance and increase awareness of common API security weaknesses.
The OWASP community encourages individuals and organizations to contribute to its projects and resources. This collaborative and survey-driven approach allows the community to harness the collective knowledge and expertise of its members, resulting in comprehensive and up-to-date resources.
There are security risks common to both apps and APIs that bear consideration when implementing security solutions. For example:
The OWASP Top 10 is a widely recognized list of the most critical web application security risks. The list serves as a guide for developers, security professionals, and organizations as they prioritize their efforts in identifying and mitigating critical web application security risks.
The presence of a risk on the OWASP Top 10 list does not necessarily indicate its prevalence or severity in all web applications, and the Top Ten is not ranked in a specific order or by priority.
The OWASP Top 10 web application security risks for 2021 are:
Broken Access Controls. This vulnerability results when insufficient enforcement of access controls and authorization allow attackers to access unauthorized functionality or data. This may be due to insecure direct object references (IDORs), which can arise when an application fails to validate or authorize user input that is used as a direct reference to an internal object. It may also occur due to missing function level access controls, when the application only validates access controls at the initial authentication or authorization stage but does not consistently enforce those controls throughout the application's functions or operations. A web application firewall (WAF) can help protect against these attacks by monitoring and enforcing access controls to prevent unauthorized access to sensitive objects or resources.
The 2021 OWASP Top 10 reflects some new categories and naming changes from the previous 2017 OWASP Top 10. These changes included the integration of the 2017 risk threat XML External Entities (XXE) into the 2021 Security Misconfiguration category and adding 2017 Cross-Site Scripting (XSS) to the 2021 Injection category. The 2017 risk Insecure Deserialization is now part of the 2021 Software and Data Integrity Failures category.
OWASP currently sponsors 293 projects, including the following 16 OWASP Flagship projects that provide strategic value to OWASP and application security as a whole.
OWASP plays a critical role in the ongoing quest to improve software security by raising awareness about web application security risks and advocating for best practices among developers, security professionals, and organizations. As a community-driven project, OWASP brings together experts and enthusiasts to collaborate on improving web application security, helping to build a security-conscious culture that promotes secure coding practices and secure development methodologies.
In addition, OWASP provides a wealth of free and open-source tools, documents, and resources that empower organizations to enhance their security posture, including the OWASP Top 10, the OWASP API Security Top 10, and the Automated Threats to Web Applications Project. Other OWASP initiatives include:
Get involved by becoming a member of OWASP or attending a local chapter meeting, which are free and open to both members and nonmembers. In addition, OWASP hosts nearly a dozen global and regional events each year, which are great opportunities to improve your career skills, build your professional network, and learn about new trends in the industry.
F5 supports the OWASP Foundation and its dedication to improving software security and raising awareness of web application security risks and vulnerabilities. F5 Web Application Firewall solutions block and mitigate a broad spectrum of risks stemming from the OWASP Top 10.
F5 WAF solutions combine signature and behavioral protections, including threat intelligence from F5 Labs and ML-based security, to keep pace with emerging threats. It eases the burden and complexity of consistently securing applications across clouds, on-premises, and edge environments, while simplifying management via a centralized SaaS infrastructure. F5 WAFs also streamline app security by integrating protections into development frameworks and CI/CD pipelines with core security functionality, centralized orchestration, and oversight via a single dashboard with a 360-degree view of app performance and security events across distributed applications.
F5 also addresses the risks identified in the OWASP API Security Top 10 with solutions that protect the growing attack surface and emerging threats as apps evolve and API deployments increase. F5 Web Application and API Protection (WAAP) solutions defend the entirety of the modern app attack surface with comprehensive protections that include WAF, API Security, L3-L7 DDoS mitigation, and bot defense against automated threats and fraud. The distributed platform makes it simple to deploy consistent policies and scale security across your entire estate of apps and APIs regardless of where they’re hosted, and integrate security into the API lifecycle and broader ecosystems.
F5 also offers solutions to address the risks outlined in OWASP’s Automated Threats to Web Applications Project. F5 Distributed Cloud Bot Defense prevents fraud and abuse that can bypass existing bot management solutions and provides real-time monitoring and intelligence as well as ML-based retrospective analysis to protect organizations from automated attacks, without inserting user friction or disrupting the customer experience. Distributed Cloud Bot Defense maintains effectiveness regardless of how attackers retool, whether the attacks pivot from web apps to APIs or attempt to bypass anti-automation defenses by spoofing telemetry or using human CAPTCHA solvers.
F5 also offers multi-tiered DDoS protection for advanced online security as a managed, cloud-delivered mitigation service that detects and mitigates large-scale network, protocol, and application-targeted attacks in real time; the same protections are available as on-premises hardware, software, and hybrid solutions as well. F5 Distributed Cloud DDoS Mitigation defends against volumetric and application-specific layer 3-4 and advanced layer 7 attacks before they reach your network infrastructure and applications.
F5 BIG-IP Advanced WAF – Protection for Every App, Anywhere ›