Since all software may be vulnerable to attack, lists of software risks can be found at organizations like OWASP, SANS, and others. These groups, and the lists they create, help software-reliant organizations manage risk better. In this blog, we’ll be discussing a notable OWASP project.
OWASP projects are supported by an open community of researchers and experts from all over the world who weigh in on various topics and then come to agreement on what’s important to various audiences. In this case, we’re discussing the 2021 OWASP Top 10 Project for Web Applications. From the beginning, this project was designed to address software-related risks, primarily from the perspective of software developers, AppSec experts, security solution providers, and organizations as a whole.
Since Checkmarx is highly regarded as one of the world’s best application security solution providers, it would make sense that this OWASP project, and its resulting list, would be one of the underpinnings of our SAST technology. Checkmarx researchers are often contributors to OWASP projects, and those who develop our application security solutions track the OWASP community efforts quite closely.
A Quick Interview with an Expert
In order to learn more about the OWASP Top 10 list in general, I had an opportunity to sit down with Rui Pereira, Senior Product Manager for CxSAST. Rui has years of experience as a software developer, security expert, and product visionary, and I wanted to hear his thoughts on the latest list.
I began our conversation around OWASP in general, and zeroed in on the Top 10 in question. According to Rui, “This OWASP project is important because we can incorporate this list of risks into the process of building and securing software. And if we use this document to build more security awareness, we can mitigate many of the security risks before they happen. It’s important that every organization include this list in their risk management approaches, and the latest list provides a common language of web application security risks all organizations should understand and strive to better manage.”
Rui went on to mention that we are now seeing developers use infrastructure as code, open source code from many supply chains, containers, microservices, APIs, etc., and in general, everything is becoming code. Developers need to be keenly aware of the new risks when developing all the code pieces that make their modern applications run. This can be a very difficult task, since developers are often not well trained in school on secure coding, cryptography, etc., so they need some sort of guide to help them code more securely.
I then asked Rui what has changed in the latest 2021 version vs. the earlier version of the OWASP list from 2017. “We see from the latest version that a couple of categories shifted in relevance,” says Rui. “A new category on the risks related to insecure design and architectures was included, and the use of threat modeling, secure design patterns, reference architectures, and so on was contained in this category. The community agrees that we need to add more security during the pre-code activities. These activities are critical to the principles of secure by design, and in the context of shifting even farther left, organizations can learn how to stay ahead of the game in our upcoming virtual customer conference called Checkmate, coming on October 20th.”
Checkmarx SAST is Leading the Pack
Next, I was curious about changes to the Checkmarx SAST solution in the context of the latest OWASP list. Rui said that our SAST development team received the latest list and has already implemented changes and additions to our queries to address the new Top 10. According to Rui, “We reorganized some of the queries that were already present in our SAST solution and reclassified them into the correct categories for the latest list. Plus, we added some new queries that fully address the newer risks in the latest version of our SAST.
Our customers can be confident that they are covered when using the OWASP Top 10 query preset to address the risks found in the list. In fact, we are the only SAST solution on the market that has addressed the 2021 OWASP Top 10 at this time. Although there are many queries, presets, and other protections included in our SAST, Checkmarx makes OWASP updates a high priority.”
Make Sure You’re Updated
For organizations that already have Checkmarx SAST, ensure you are running version 8.9 or above to get the latest coverage for the OWASP Top 10. You can learn more and download the latest version here.
For organizations that are not yet customers, but want to learn more about Checkmarx Application Security solutions, feel free to request a demo here.