OWASP (Open Web Application Security Project) is an open, collaborative web security audit methodology oriented towards web application security analysis, and it is used as a point of reference in security auditing. At Tarlogic, we use the OWASP methodology in every web security audit to analyze and evaluate risks.
Analyzing the controls defined by this methodology allows our auditing team to provide a thorough platform analysis, ensuring that all attack vectors have been examined and all security issues have been detected. This process helps improve the security and protection of our clients' IT systems.
Web Audit – Security Analysis Approach
There are two main approaches for performing OWASP-based security audits:
- OWASP TOP-10 Audit: Under this type of web audit approach, the web application is analyzed for the most common weaknesses, those associated with the greatest impact on system security:
  - A1: Injection
  - A2: Broken Authentication
  - A3: Sensitive Data Exposure
  - A4: XML External Entities (XXE)
  - A5: Broken Access Control
  - A6: Security Misconfiguration
  - A7: Cross-Site Scripting (XSS)
  - A8: Insecure Deserialization
  - A9: Using Components with Known Vulnerabilities
  - A10: Insufficient Logging & Monitoring
An OWASP TOP-10 web security audit is recommended when assessing web application security for the first time, or when security in this environment is not critical for the company. This type of audit offers a good balance between effort invested and results.
- Complete OWASP Audit: The purpose of a complete OWASP audit, based on the OWASP 2017 methodology, is to validate the 90 controls defined by this methodology, focusing mainly on issues related to the logic of the particular business. This is the ideal approach for high-criticality systems, and it helps shield a system against cyber attacks.
Web Audit Techniques
Web application security audits can be performed automatically, using commercially available tools, as well as manually, going over each application module separately.
Tarlogic uses both techniques, devoting greater effort to the manual web security approach in order to identify the issues and security breaches that are related to the business logic and cannot be found by automated tools.
Contact Tarlogic for an OWASP-based web security audit to protect your business applications.