Featured

OWASP Top 10: Server-Side Request Forgery
Jonathan Knudsen, Head of Global Research
Listed at #10, server-side request forgery (SSRF) is a variation on an injection vulnerability, and it occurs when applications fail to properly sanitize input data and validate the supplied URL. An attacker can exploit this by tricking an application into connecting to any network endpoint. In this video you’ll learn how to address risks associated with SSRF.
All episodes
-
An introduction to the Cybersecurity Research Center’s developer series
Jonathan Knudsen, Head of Global Research
The Synopsys Cybersecurity Research Center created a series of short videos that help developers learn about software security and how to avoid and fix common mistakes.
Viewers see concrete examples of different types of vulnerabilities and learn about the mitigation steps that will help them build more-secure software.
-
Overview: The OWASP Top 10
Jonathan Knudsen, Head of Global Research
In application security, the Open Web Application Security Project (OWASP) Top 10 list is a valuable resource for DevSecOps teams that oversee the development and security of web applications. We'll take a closer look at each category in the OWASP Top 10, and provide examples and best practices you can use to minimize the risks to your organization.
-
OWASP Top 10: Broken access control
Jonathan Knudsen, Head of Global Research
In 2021, the OWASP Top 10 list moved broken access control from the fifth position to first on the list of top vulnerabilities in web applications. According to OWASP, 94% of applications were found to have some form of broken access control, with an average incidence rate of 3.81%.
In this video, see an example of broken access control in an insecure bank application. This example uses a classic vulnerability, insecure direct object reference.
-
OWASP Top 10: Cryptographic failures
Jonathan Knudsen, Head of Global Research
Listed as #2 on the OWASP Top 10 list, cryptographic failures expose sensitive data due to a lack of or weak encryption.
In this video, see a demonstration of a cryptographic failure due to a lack of encryption. You’ll also learn about security activities that will help you add security controls to your web applications and sensitive data.
-
OWASP Top 10: Injection
Jonathan Knudsen, Head of Global Research
Injection is listed as #3 on the OWASP Top 10 list and occurs when an attacker sends malicious data to an application to make it do something it’s not supposed to do.
Watch how an attacker can compromise a web application using two types of injection, SQL injection and cross-site scripting, and learn what security activities can help mitigate these types of attacks.
-
OWASP Top 10: Insecure design
Jonathan Knudsen, Head of Global Research
Listed at #4, insecure design is a new category in the 2021 OWASP Top 10 and covers critical design and architectural flaws in web applications.
In this video, see an example of an insecure design flaw and learn what security controls are necessary to mitigate the risks associated with these vulnerabilities.
-
OWASP Top 10: Security misconfiguration
Jonathan Knudsen, Head of Global Research
Listed at #5 on the OWASP Top 10 list, security misconfiguration refers to vulnerabilities that result from an application’s configuration.
In this video, see three examples of security misconfiguration and the mitigation tactics needed to ensure web applications don’t fall victim to misconfiguration vulnerabilities.
-
OWASP Top 10: Vulnerable and Outdated Components
Jonathan Knudsen, Head of Global Research
Listed at #6 in the OWASP Top 10, vulnerable and outdated components is a growing issue. The volume of components used in the development of today’s applications makes it difficult for developers to identify outdated or vulnerable code.
Learn how software composition analysis tools identify and manage components in your applications.
-
OWASP Top 10: Identification and Authentication Failures
Jonathan Knudsen, Head of Global Research
Listed at #7 in the OWASP Top 10, identification and authentication failures include a variety of errors related to login and authentication. Learn how attackers can exploit these failures to gain access to a user’s account in an example banking application, and learn the best practices and security testing that help you implement authentication correctly.
-
OWASP Top 10: Security Logging and Monitoring Failures
Jonathan Knudsen, Head of Global Research
The “Security logging and monitoring failures” category, formerly known as “Insufficient logging and monitoring,” is now listed at #9 in the OWASP Top 10.
Learn how to address these types of failures in your applications and how you can respond to different types of attacks.