OWASP Top 10

What is OWASP and the OWASP Top 10?

The Open Web Application Security Project (OWASP) is a worldwide, nonprofit organization focused on improving the security of software. It functions as an online community that creates freely available articles, methodologies, documentation, tools, and technologies.

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

Covered OWASP Top 10 risks

OWASP Top 10 risk and Hdiv coverage:

A1 Injection: covered
A2 Broken Authentication: covered
A3 Sensitive Data Exposure: covered
A4 XML External Entities (XXE): covered
A5 Broken Access Control: covered
A6 Security Misconfiguration: covered
A7 Cross-Site Scripting (XSS): covered
A8 Insecure Deserialization: covered
A9 Using Components with Known Vulnerabilities: covered
A10 Insufficient Logging & Monitoring: covered

Protection level: 100%


A1 Injection

SQL injection risk stems from SQL queries that have not been parameterized (built without PreparedStatement in Java environments). First of all, Hdiv minimizes the amount of untrusted data, because its web information flow control system prevents manipulation of the data generated on the server side. With this architecture the remaining risk is confined to the new data legitimately entered in editable form elements. It is important to note that even when a PreparedStatement is used, if the query is built from untrusted data previously generated on the server side (e.g. the ID of an item within a list), an SQL injection risk remains.

In addition, Hdiv implements an internal system that detects SQL injection risks within source code.

Risk covered.

A2 Broken Authentication

Hdiv protects applications against brute force login attacks and does not allow access to unauthorized resources thanks to its information flow control.

Risk covered.

A3 Sensitive Data Exposure

Hdiv offers several features to minimize sensitive data exposure. Our products add confidentiality to all data generated on the server side: Hdiv replaces the original parameter values generated on the server by relative values (0, 1, 2, 4, etc.) so that critical data is not exposed to the client. Additionally, Hdiv can hide sensitive data, partially or completely, depending on the user profile, while keeping track of each user's usage, and it detects vulnerabilities such as sending credit card numbers in plain text or similar errors.

Risk covered.

A4 XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files through the file URI handler, to reach internal file shares, to perform internal port scanning, and to carry out remote code execution and denial of service attacks.

Hdiv actively protects applications against XML External Entities (XXE) attacks.

Risk covered.

A5 Broken Access Control

Hdiv flow control ensures data integrity, nullifying this risk. Hdiv's web information flow control system controls all data generated on the server side, ensuring its integrity. An additional option makes it possible to also ensure the confidentiality of server-generated data, avoiding exposure of critical data such as credit card numbers. Hdiv guarantees the integrity (no modification) of all server-generated data that the client should not modify (links, hidden fields, combo values, radio buttons, etc.). Thanks to this feature, Hdiv helps to eliminate vulnerabilities that can be exploited through parameter tampering.
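The mechanism described for A5 (integrity of server-generated values) and for A3 above (replacing real values with relative indices) can be sketched as a small server-side model. This is added example code, not Hdiv's implementation: the in-memory STATE store, the account IDs and the field names are constructed for illustration.

```python
import secrets

# Constructed in-memory store of per-page state: state_id -> page contract.
# A real deployment would scope this store to the user's session.
STATE = {}

def render_page(fields, editable=()):
    """Server side: register the page's contract and return what the client sees.

    `fields` maps each non-editable parameter (link IDs, hidden fields, combo
    options) to its real server-generated values. The client receives only
    relative indices ("0", "1", ...) and an opaque state id (confidentiality).
    """
    state_id = secrets.token_hex(8)
    STATE[state_id] = {"fields": {k: list(v) for k, v in fields.items()},
                       "editable": set(editable)}
    return state_id, {k: [str(i) for i in range(len(v))] for k, v in fields.items()}

def validate_request(state_id, form):
    """Server side: map relative values back and reject anything off-contract.

    Editable fields pass through untouched: they remain untrusted input and must
    reach a SQL query only via a parameterized statement. Everything else must
    be an index into the values this page offered (integrity).
    """
    page = STATE.get(state_id)
    if page is None:
        raise ValueError("unknown state id: request matches no page the server produced")
    clean = {}
    for name, value in form.items():
        if name in page["editable"]:
            clean[name] = value
            continue
        allowed = page["fields"].get(name)
        if allowed is None:
            raise ValueError(f"unexpected parameter {name!r}")
        # isdecimal() rejects signs, whitespace and non-ASCII digit lookalikes
        if not value.isdecimal() or int(value) >= len(allowed):
            raise ValueError(f"tampered value {value!r} for {name!r}")
        clean[name] = allowed[int(value)]
    return clean

if __name__ == "__main__":
    sid, view = render_page({"account": ["acct-4471", "acct-9920"]}, editable={"note"})  # constructed
    print(view)                                              # {'account': ['0', '1']}
    print(validate_request(sid, {"account": "1", "note": "hi"}))
    try:
        validate_request(sid, {"account": "acct-4471"})      # real value sent back
    except ValueError as exc:
        print("rejected:", exc)
```

The real account IDs never reach the client, and a request that is not an index into the offered list (or that references a page the server never produced) is rejected before it can reach any query.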

Risk covered.

A6 Security Misconfiguration

Current application security architectures do not follow security by default; on the contrary, programmers must apply security measures to prevent access to private or confidential resources. The information flow control system implemented by Hdiv controls the resources (links and forms) exposed by the application and prevents the original contract offered by the server from being broken. In other words, even when the developer does not use an access control system or ACL (Java EE or Spring Security), Hdiv knows which resources are legitimately accessible to each user.

Risk covered.

A7 Cross-Site Scripting (XSS)

XSS risk stems from HTML output generated from unescaped untrusted data. First of all, Hdiv minimizes the amount of untrusted data, thanks to the web information flow control system it implements. The remaining risk is thereby confined to the new data legitimately entered in editable form elements.

In addition, Hdiv implements an internal system that detects XSS risks within source code.

Risk covered.

A8 Insecure Deserialization

Insecure deserialization is a technical risk that concerns how the application uses serialization, either directly or through existing framework facilities. At a technical level, it relies primarily on a variety of code injection that surfaces when the affected piece of data is deserialized.

Hdiv offers protection against insecure deserialization attacks by default, detecting any attack that tries to execute remote code through this vulnerability.

Risk covered.

A9 Using Components with Known Vulnerabilities

Although Hdiv cannot update out-of-date versions of the software used by web applications, its web information flow control system hinders the exploitation of known and unknown vulnerabilities within that software. In many cases (see the Struts cancel vulnerability) the risk is based on an unexpected use of the web application. Hdiv does not allow the original contract to be broken, so existing risks are more difficult to exploit.

Risk covered.

A10 Insufficient Logging & Monitoring

Hdiv provides a centralized monitoring web console with real-time visibility into actual attacks. It logs actionable information about attacks and suspicious activity and sends alerts through several channels: email, syslog, Slack, etc. It integrates with third-party systems such as task management solutions (JIRA, Asana, EasyVista) and SIEM (Security Information and Event Management) systems, providing better management of detected incidents and a faster response to attacks.

Risk covered.

Resources

Videos:

Securing Android and iOS applications
Hdiv Protection (RASP) in the Production environment
OWASP WebGoat and Hdiv Protection (RASP)
Hdiv RASP protecting Spring REST APIs