
Definition

The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to improving the security of software. OWASP operates under an ‘open community’ model, where anyone can participate in and contribute to projects, events, online chats, and more. A guiding principle of OWASP is that all materials and information are free and easily accessed on their website, for everyone. OWASP offers everything from tools, videos, forums, and projects to events. In short, OWASP is a repository of all things web-application-security, backed by the extensive knowledge and experience of its open community contributors.

 

What is the OWASP Top 10?


OWASP Top 10 is an online document on OWASP’s website that provides a ranking of, and remediation guidance for, the top 10 most critical web application security risks. The report is based on a consensus among security experts from around the world. The risks are ranked based on the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential impacts. The purpose of the report is to offer developers and web application security professionals insight into the most prevalent security risks so that they may incorporate the report’s findings and recommendations into their security practices, thereby minimizing the presence of these known risks in their applications.


How does the OWASP Top 10 work and why is it important?


OWASP maintains the Top 10 list and has done so since 2003. Every 2-3 years the list is updated in accordance with advancements and changes in the AppSec market. OWASP’s importance lies in the actionable information it provides; it serves as a key checklist and internal web application development standard for many of the world’s largest organizations.

Auditors often view an organization’s failure to address the OWASP Top 10 as an indication that it may be falling short with regard to compliance standards. Integrating the Top 10 into its software development life cycle (SDLC) demonstrates an overall commitment to industry best practices for secure development.

[Figure: "What Is OWASP Top 10? | Synopsys"]

Figure above: a comparison between the 2013 and 2017 versions.

The most recent version was released in 2017 and included significant changes to the 2013 version, as shown in the figure. Injection remains one of the most critical security issues in applications, and sensitive data exposure rose in importance. Some new issues were added, such as insecure deserialization, and some other issues were merged.


What are the latest OWASP Top 10 categories?


The OWASP Top 10 2017 includes the following:

1. Injection. A code injection occurs when an attacker sends invalid data to a web application. The attacker’s intent in doing so is to make the application do something it was not designed to do.

  • Example: SQL injection is one of the most common injection flaws found in applications. SQL injection flaws are caused by an application using untrusted data when constructing an SQL call.
  • Solution: Source code review is the best way to prevent injection attacks. Including SAST and DAST tools in your CI/CD pipeline helps to identify injection flaws that have just been introduced. This allows you to identify and mitigate them before production deployment.
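The defect described above, as an added example that is not part of the Synopsys text: the same lookup written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table (table, names and the sample inputs are all assumptions made for this demonstration).

```python
import sqlite3

# Constructed in-memory table standing in for the application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # The defect the text describes: untrusted input pasted into the SQL text,
    # so the input can change the statement's structure, not just its data.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, name):
    # Parameterized query: the driver passes the value separately, so whatever
    # the string contains is compared as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Constructed inputs: an ordinary name, a name containing an apostrophe, and the
# textbook tautology a DAST scanner sends to detect this class of flaw.
ORDINARY = "bob"
APOSTROPHE = "O'Brien"
TAUTOLOGY = "x' OR '1'='1"

def demo():
    conn = make_db()
    results = {
        "safe_ordinary": find_user_safe(conn, ORDINARY),
        "safe_tautology": find_user_safe(conn, TAUTOLOGY),        # []: treated as a literal name
        "vuln_ordinary": find_user_vulnerable(conn, ORDINARY),
        "vuln_tautology": find_user_vulnerable(conn, TAUTOLOGY),  # every row: WHERE clause rewritten
    }
    try:
        find_user_vulnerable(conn, APOSTROPHE)
        results["vuln_apostrophe_error"] = False
    except sqlite3.OperationalError:
        results["vuln_apostrophe_error"] = True  # a legitimate quote already breaks the statement
    results["safe_apostrophe"] = find_user_safe(conn, APOSTROPHE)  # []: no error, no match
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is the one that shows up first in practice: the concatenating version fails on ordinary data long before anyone attacks it, which is why a SAST checker flags the pattern rather than any particular input.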

 

2. Broken Authentication. Certain applications are often improperly implemented. Specifically, functions related to authentication and session management, when implemented incorrectly, allow attackers to compromise passwords, keys, and sessions. This can lead to stolen user identities and more.

  • Example: A web application allows the use of weak or well-known passwords (e.g. “password1”).
  • Solution: Multi-factor authentication can help reduce the risk of compromised accounts. Automated static analysis is highly useful in finding such flaws, while manual static analysis can add strength in evaluating custom authentication schemes. Synopsys’ Coverity SAST solution includes a checker that specifically identifies broken authentication vulnerabilities.

 

3. Sensitive Data Exposure. Sensitive data exposure is when important stored or transmitted data (such as social security numbers) is compromised.

  • Example: Financial institutions that fail to adequately protect their sensitive data can be easy targets for credit card fraud and identity theft.
  • Solution: SAST tools such as Coverity and SCA tools such as Black Duck Binary Analysis include features and checkers that identify security vulnerabilities that can result in sensitive data exposure.

 

4. XML External Entities (XXE). Attackers are able to take advantage of web applications that use vulnerable components to process XML. Attackers are able to upload XML or include hostile commands or content within an XML document.

  • Example: An application allows untrusted sources to perform XML uploads.
  • Solution: Static application security testing (SAST) is very helpful at detecting XXE in source code. SAST helps inspect both application configuration and dependencies.

 

5. Broken Access Control. Broken access control is when an attacker is able to gain access to user accounts. The attacker is able to operate as the user or as an administrator in the system.

  • Example: An application allows a primary key to be changed. When the key is changed to another user’s record, that user’s account can be viewed or modified.
  • Solution: It is critical to use penetration testing in order to detect unintended access controls. Changes in architecture and design may be warranted to create trust boundaries for data access.
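The example above (a record reached by changing its primary key), as an added illustration rather than code from the Synopsys page: a handler that trusts the key from the request beside one that checks ownership against the authenticated identity, plus the kind of probe a penetration test runs to count leaked records. Account table, usernames and ids are constructed for this demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    id: int
    owner: str      # username that owns this record
    balance: int

# Constructed account table keyed by primary key, standing in for the database.
ACCOUNTS = {
    101: Account(101, "alice", 500),
    102: Account(102, "bob", 75),
}

class Forbidden(Exception):
    pass

def view_account_vulnerable(session_user, account_id):
    # The defect in the text's example: the handler authenticates the caller but
    # never asks whether the caller is allowed to see *this* record.
    return ACCOUNTS[account_id]

def view_account_safe(session_user, account_id, is_admin=False):
    # Authorization decided server-side, against the authenticated identity,
    # on every object access (not only at login).
    account = ACCOUNTS.get(account_id)
    if account is None or (account.owner != session_user and not is_admin):
        # Same answer for "no such record" and "not yours", so a caller probing
        # keys cannot learn which ids exist.
        raise Forbidden(f"user {session_user!r} may not view account {account_id}")
    return account

def audit_handler(handler, session_user, probe_ids):
    """Pentest-style check: how many foreign records can this caller reach by
    walking the key space? Returns the count of records owned by someone else."""
    leaked = 0
    for account_id in probe_ids:
        try:
            account = handler(session_user, account_id)
        except (Forbidden, KeyError):
            continue
        if account.owner != session_user:
            leaked += 1
    return leaked

if __name__ == "__main__":
    probe = [101, 102, 103]
    print("vulnerable handler leaks:", audit_handler(view_account_vulnerable, "bob", probe))
    print("hardened handler leaks:  ", audit_handler(view_account_safe, "bob", probe))
```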

 

6. Security Misconfiguration. Security misconfigurations are when design or configuration weaknesses result from a configuration error or shortcoming.

  • Example: A default account and its original password are still enabled, making the system vulnerable to exploit.
  • Solution: Solutions like Synopsys’ Coverity SAST include a checker that identifies information exposure through an error message.

 

7. Cross-Site Scripting (XSS). XSS attacks occur when an application includes untrusted data on a webpage. Attackers inject client-side scripts into this webpage.

  • Example: Untrusted data in an application allows an attacker to ‘steal a user session’ and gain access to the system.
  • Solution: SAST solutions well versed in data flow analysis can be a great tool to help find these critical defects and suggest remedies. The OWASP website also provides a cheat sheet of best practices to eliminate such defects from your code. For OWASP Top 10 categories like XSS that also have a Common Weakness Enumeration (CWE) entry, Black Duck will alert teams that this is the weakness that led to the vulnerability, enabling them to better understand the vulnerability and prioritize their remediation efforts.
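Added example, not from the Synopsys text: the data-flow defect a SAST tool looks for (untrusted data reaching an HTML sink without encoding) beside the encoded form, and the cookie attributes that limit the ‘stolen session’ outcome the example mentions. The template, the display name and the cookie name are constructed for this demonstration.

```python
import html

# Constructed page template; the application inserts a user-controlled display name.
TEMPLATE = "<p>Welcome back, {name}!</p>"

def render_unsafe(name):
    # Source (untrusted name) flows to sink (HTML body) unchanged: any markup in
    # the value becomes part of the page and runs in every viewer's browser.
    return TEMPLATE.format(name=name)

def render_safe(name):
    # Output encoding for an HTML text-node context: the characters that can open
    # or close markup (& < > " ') become entities, so the browser renders the
    # value as text instead of parsing it.
    return TEMPLATE.format(name=html.escape(name, quote=True))

def session_cookie(session_id):
    # Defence in depth for the text's example (session theft via injected script):
    # HttpOnly keeps the cookie out of document.cookie, Secure keeps it off
    # plaintext HTTP, SameSite=Strict stops cross-site requests from carrying it.
    return f"sid={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"

def contains_live_tag(rendered_html, tag="script"):
    """Test oracle: did a tag from the input survive into the rendered page?"""
    return f"<{tag}" in rendered_html.lower()

# Constructed untrusted input: a display name carrying a script element.
HOSTILE_NAME = "<script>alert(1)</script>"

if __name__ == "__main__":
    print("unsafe :", render_unsafe(HOSTILE_NAME))
    print("safe   :", render_safe(HOSTILE_NAME))
    print("cookie :", session_cookie("CONSTRUCTED-SESSION-ID"))
```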

8. Insecure Deserialization. Insecure deserialization is a vulnerability where deserialization flaws allow an attacker to remotely execute code in the system.

  • Example: An application is vulnerable because it deserializes hostile objects that were supplied by an attacker.
  • Solution: Application security tools help detect deserialization flaws, and penetration testing can be used to validate the problem.

9. Using Components With Known Vulnerabilities. This vulnerability’s title states its nature; it describes applications that are built and run using components that contain known vulnerabilities.

  • Example: Due to the volume of components used in development, a development team may not even know or understand the components used in their application. This can result in them being out-of-date and therefore vulnerable to attack.
  • Solution: Software composition analysis (SCA) tools like Black Duck can be used alongside static analysis to identify and detect outdated and insecure components in your application.

 

10. Insufficient Logging And Monitoring. Logging and monitoring are activities that should be performed on a website frequently to keep it secure. Failure to adequately log and monitor a site leaves it vulnerable to more severe compromising activities.

  • Example: Auditable events, like logins, failed logins, and other important activities, are not logged, leading to a vulnerable application.
  • Solution: After performing penetration testing, developers can study the test logs to identify possible shortcomings and vulnerabilities. SAST solutions can also help identify unlogged security exceptions.
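Both halves of the item above, as an added example that is not part of the Synopsys text: a login path that records successes and failures as structured audit events, and the monitoring rule that reads those events back and flags repeated failures. The credential store, usernames, addresses and threshold are constructed for this demonstration.

```python
import json
import logging
from collections import Counter
from datetime import datetime, timezone

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("audit")

def audit_event(event, user, source_ip, **fields):
    """Emit one structured audit record (UTC timestamp, JSON line) and return it
    so callers can test it or forward it to a SIEM. Never include secrets here."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
              "user": user, "src": source_ip, **fields}
    line = json.dumps(record, sort_keys=True)
    log.info(line)
    return line

def login(user, password, source_ip, credential_store):
    # The text's point: success AND failure are auditable events, and both are
    # recorded with enough context (who, from where, when) to investigate later.
    # Constructed stand-in for real verification; production code compares a
    # password hash, never a plaintext value, and never logs the password.
    ok = credential_store.get(user) == password
    return audit_event("login_success" if ok else "login_failure", user, source_ip)

def failed_login_alerts(lines, threshold=5):
    """Monitoring side: return the (user, src) pairs whose failure count reached
    the threshold, which is the signal that was missing in the text's example."""
    failures = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == "login_failure":
            failures[(rec["user"], rec["src"])] += 1
    return sorted(pair for pair, n in failures.items() if n >= threshold)

def sample_run():
    """Constructed sequence: five failures for alice from one address, then a
    success from another, then a single failure for bob."""
    store = {"alice": "correct-horse"}
    lines = [login("alice", "wrong", "203.0.113.7", store) for _ in range(5)]
    lines.append(login("alice", "correct-horse", "198.51.100.2", store))
    lines.append(login("bob", "x", "203.0.113.7", store))
    return lines, failed_login_alerts(lines)

if __name__ == "__main__":
    _, alerts = sample_run()
    print("alerts:", alerts)
```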

 

https://www.synopsys.com/glossary/what-is-owasp-top-10.html

Posted on 2022-01-17 09:45 by zzzzy09