Introducing the OWASP for security testing

Taking web application security seriously with the Open Web Application Security Project.

Written by Morten Eriksen on Apr 8, 2020

Maintaining security of digital experiences and web applications is no easy task, to be passed over by automatic routines or superficial care. The world of digital platforms and CMS is not getting simpler or less complex, however, so where do you start to ensure the security of your mission critical services and offerings?

OWASP may be an excellent starting point.

What is OWASP?

OWASP, short for “Open Web Application Security Project,” is one of the strongest ways to safeguard stability and security for websites, web applications, and web services. The nonprofit organization was founded in 2001 by Mark Curphey and has a volunteer base of approximately 13,000 individuals—all contributing to industry standards, conferences, and workshops.

OWASP is essentially an online community that provides articles, methodologies, documentation, tools, technologies, education, training, community assistance, and general networking for web application security—all freely available.

Most widespread security breaches

OWASP maintains a top 10 list of the most critical security risks for web applications, including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting XSS, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring.

Snyk has done a magnificent job at taking a closer look on how often the listed vulnerabilities have been exploited by cyber criminals to breach organizations. Snyk found that while the OWASP top 10 is a good list of the causes of security breaches, the order is not correct in real life. The two most common causes were using components with security vulnerabilities (no. 9) and exposing sensitive data (no. 6). Using components with known security vulnerabilities was the root, and often the only cause of 24% of the breaches, while exposing sensitive data rarely was a root cause in itself, but was present as one of several causes in 52% of the cases.

Among the targets for injections were the Panama Papers breach, the VerticalScope/Techsupportforum.com breach, and the Ubuntu forums breach. For more details and examples, visit Snyk.io.

How do we test security?

Enonic is ISO-9001 certified, and we take quality management and security seriously. Every change in the code is verified by more than 5500 automatic tests, allowing us to discover many errors as soon as they are created. Every release undergoes special tests using extensive checklists that are based on the OWASP Web Application Security Testing Checklist principles and our own experience with Enonic XP. These checklists require a meticulous gathering of data on the behavior of the system and form the basis of approval or rejection of the new changes. Finally, all our major releases of Enonic XP are tested by an external “white hat” agency following the OWASP principles.

We also perform configuration management, ensure secure transmission, authentication, session management, authorization, and data validation, as well as testing for denial of service. Other topics include business logic, cryptography, and risk functionality within file uploads. And we of course test HTML5 specific areas like web messaging and web storage SQL injection.

According to a report by Boye & Co, Enonic “uses hardened infrastructure components such as Jetty, and their own framework on top of this.” To minimize the attack surface, Enonic XP does not provide any default publicly available APIs, and these must be added by the developers through code or configuration.

“This way,” continues Boye, “customers have full control over the attack surface, and can for instance implement tight validation of any input. XP also provides a rich metrics and monitoring API and logging capabilities that can be used to detect and prevent malicious attacks. With Enonic, these measures are an integrated part of the service.”

Learn more: Boye & Co evaluates Enonic »

Resources

About the author

Morten Eriksen

Morten is the CEO and co-founder of Enonic. He has extensive experience as an entrepreneur focusing on areas like business development, product management, sales, and marketing. He started a digital agency in 1995 and built his first CMS in 1997, then founded Enonic in 2000 where his mission is to accelerate digital projects using innovative technology.