Security Testing with OWASP: Get Started Now
The Open Web Application Security Project: Making web app security less scary.
Written by Morten Eriksen on
Securing digital experiences and web applications is complex. The digital landscape isn't getting simpler, so where do you start to ensure your critical services are safe?
OWASP is a great place to begin.
The Open Web Application Security Project (OWASP) is a nonprofit organization that helps safeguard websites, web applications, and web services. Founded in 2001, it has a volunteer base of 13,000 people, contributing to industry standards, conferences, and workshops.
OWASP provides free articles, methodologies, documentation, tools, technologies, education, training, community assistance, and networking for web application security.
OWASP maintains a Top 10 list of the most critical security risks for web applications. These include:
Broken access control is a significant contributor to breaches, with some research suggesting it plays a role in 74% of breaches (Securis) and is present in 94% of applications tested (SoftwareSecured). It's often linked to privilege abuse and insider threats.
Estimates vary, but one study suggests that 42% of data breaches are at least partially caused by SQL injection (Ponemon Institute). Another analysis found SQL injection vulnerabilities present in about 10% of all web applications (Bank Info Security).
Research indicates that 60% of organizations that experienced a data breach attributed it to a known, unpatched, vulnerable and outdated component (Foresite). Another study found that 58% of breaches involved a known and unpatched vulnerability (ImmuniWeb).
Examples of breaches include the Panama Papers breach, the VerticalScope/Techsupportforum.com breach, and the Ubuntu forums breach. Recent examples include the 23andMe data breach, where hackers accessed sensitive genetic information, and the MOVEit Transfer breach, which impacted numerous organizations through a vulnerability in file transfer software.
Enonic is ISO-9001 certified, and we prioritize quality and security. Every code change is verified by over 5,500 automated tests. We also use checklists based on the OWASP Web Application Security Testing Checklist and our experience with the Enonic platform. All major Enonic releases are tested by an external “white hat” agency using OWASP principles.
Our testing also covers configuration management, secure transmission, authentication, session management, authorization, and data validation, as well as denial-of-service resilience.
Other areas include business logic, cryptography, risky functionality such as file uploads, and HTML5-specific areas like web messaging, web storage, and client-side SQL injection.
According to Boye & Co, Enonic “uses hardened infrastructure components such as Jetty, and their own framework on top of this.” Enonic does not provide default public APIs, minimizing the attack surface. Developers must add these through code or configuration.
Boye states, “customers have full control over the attack surface and can implement tight input validation. XP also provides metrics, monitoring, and logging to detect and prevent attacks. These measures are integrated into the Enonic service.”
Learn more: Boye & Co evaluates Enonic »
First published 8 April 2020, updated 19 February 2025.