Introducing the OWASP for security testing
Morten Eriksen
Taking web application security seriously with the Open Web Application Security Project.
Maintaining the security of digital experiences and web applications is no easy task, and not one to be left to automatic routines or superficial care. Nor is the world of digital platforms and CMS getting any simpler, so where do you start to ensure the security of your mission-critical services and offerings?
OWASP may be an excellent starting point.
What is OWASP?
OWASP, short for “Open Web Application Security Project,” is one of the strongest ways to safeguard stability and security for websites, web applications, and web services. The nonprofit organisation was founded in 2001 by Mark Curphey and has a volunteer base of approximately 13,000 individuals—all contributing to industry standards, conferences, and workshops.
OWASP is essentially an online community that provides articles, methodologies, documentation, tools, technologies, education, training, community assistance, and general networking for web application security—all freely available.
Most widespread security breaches
OWASP maintains a top 10 list of the most critical security risks for web applications, including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting (XSS), insecure deserialisation, using components with known vulnerabilities, and insufficient logging and monitoring.
Snyk has done a magnificent job of taking a closer look at how often the listed vulnerabilities have been exploited by cyber criminals to breach organisations. Snyk found that while the OWASP top 10 is a good list of the causes of security breaches, the order does not match real life. The two most common causes were using components with security vulnerabilities (no. 9) and exposing sensitive data (no. 6). Using components with known security vulnerabilities was the root, and often the only, cause of 24% of the breaches, while exposing sensitive data was rarely a root cause in itself but was present as one of several causes in 52% of the cases.
How do we test security?
Enonic is ISO-9001 certified, and we take quality management and security seriously. Every change in the code is verified by more than 5500 automatic tests, allowing us to discover many errors as soon as they are created. Every release undergoes special tests using extensive checklists that are based on the OWASP Web Application Security Testing Checklist principles and our own experience with Enonic XP. These checklists require a meticulous gathering of data on the behaviour of the system and form the basis of approval or rejection of the new changes. Finally, all our major releases of Enonic XP are tested by an external “white hat” agency following the OWASP principles.
We also test configuration management, secure transmission, authentication, session management, authorisation, and data validation, as well as resistance to denial of service. Other areas include business logic, cryptography, and risky functionality such as file uploads. Naturally, we also test HTML5-specific areas such as web messaging and web storage SQL injection.
According to a report by Boye & Co, Enonic “uses hardened infrastructure components such as Jetty, and their own framework on top of this.” To minimise the attack surface, Enonic XP does not provide any default publicly available APIs, and these must be added by the developers through code or configuration.
“This way,” continues Boye, “customers have full control over the attack surface, and can for instance implement tight validation of any input. XP also provides a rich metrics and monitoring API and logging capabilities that can be used to detect and prevent malicious attacks. With Enonic Cloud, these measures are an integrated part of the service.”
Learn more: Boye & Co evaluates Enonic »