OWASP Testing

OWASP Top 10 Automated Testing

What is OWASP Top 10 Automated Testing?

The purpose of OWASP (Open Web Application Security Project) Scanning is to test your website against the most common vulnerabilities. OWASP Tests are automated scans that scan your website against the vulnerabilities, and lets you know where your website stands.

The Top 10 vulnerabilities are chosen from security experts all over the world.

“OWASP refers to the Top 10 as an ‘awareness document’ and recommends that all organisations incorporate the report into their processes in order to mitigate security risks. One thing to remember, it is not a standard. Organisations can define the matrix based on their own environment. This also means that it’s not just OWASP who defines Top10 but takes data from so many people, organisations and then opens it up for us to post the feedback. Analysis is very interesting and actually got Top 10 a total of forty-three CWE.” – owasp.org

Click here to watch the video on the OWASP Spotlight series

It's important to note that the automated testing is very basic, and is not a guarantee that if there are no vulnerabilities found in the test, that your site is not vulnerable. For a higher level of assurance, a manual pen test is the way to go.

ASVS Levels

Here's some information regarding ASVS levels according to owasp.orgs OWASP Application Security Verification Standard 4.0.3 English (PDF)

ASVS has two main goals:

• to help organizations develop and maintain secure applications.

• to allow security service vendors, security tools vendors, and consumers to align their requirements and offerings.

ASVS Level 1 is for low assurance levels, and is completely penetration testable

ASVS Level 2 is for applications that contain sensitive data, which requires protection and is the recommended level for most apps

ASVS Level 3 is for the most critical applications - applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust.

Each ASVS level contains a list of security requirements. Each of these requirements can also be mapped to security-specific features and capabilities that must be built into software by developers.

CyberSecure Canada Certification

Did you know that OWASP Scanning is part of the CyberSecure Canada Certification requirements?

To pass the “Secure Websites” security control, your organization must test your website against the OWASP Top 10 vulnerabilities, and provide documentation demonstrating that your organization understands the ASVS levels and which level would apply to your organization’s websites.

Explore Our Blog Post >>