The OWASP TOP 10 lists the 10 practices most commonly used by hackers to attack websites. These 10 practices cover 95% of the attacks recorded worldwide.
In September 2021, a new version was published.
With the number of cyberattacks constantly increasing, it is important to understand hackers' practices better in order to strengthen our defenses.
This is why we consider it important to keep this guide up to date, so as to be better protected.
More and more attacks…
Some figures…
Klee Group cybersecurity key figures 2022
Multiple attackers
Attacks are proliferating. But who is behind them?
Nowadays, there are multiple profiles of cyber attackers.
Individuals seek to demonstrate their abilities by challenging each other and then broadcasting their exploits. Groups of hackers act for political reasons by targeting institutions. Finally, some individuals or groups practice knowledge theft for industrial espionage or to extort money.
States join the game
Recently, the use of Pegasus (see the previous article, Pegasus, mass cyber espionage across the world) has shown that states themselves participate in cyber espionage.
Some Eastern governments control hacker communities like APT21 or APT34. These communities, which act as hackers in the pay of governments, have considerable resources, which make attacks more and more effective and less and less detectable.
A broader awareness
According to the Pegasus revelations, some heads of state, including the French president, have been hacked. Cybersecurity has become a major issue over the past 2 years, as Emmanuel Macron highlighted in his speech of February 18, 2021, on cyberattacks against hospitals and the national strategy for cybersecurity:
"And it also affects all countries. We must be very clear: we are among the most advanced in the response and we are all discovering these new attacks. Some are state-based and are part of the new conflict between states. Other attacks are mafia-based. […]"
Source: https://www.vie-publique.fr/discours/27 ... ersecurite
A relentless reality
Numerous studies show a significant increase in cybercrimes worldwide.
According to the 2020 Forrester study, 90% of French companies have experienced at least one cyberattack that had an impact on their business in the last 12 months.
This phenomenon is only increasing: according to figures from the Senate, the number of ransomware attacks quadrupled between 2020 and 2021.
Prepare the defense!
Forgetting about cybersecurity means riding a motorcycle at 200 km/h without a helmet.
Guillaume Poupard, Director General
National Agency for the Security of Information Systems (ANSSI)
Security must now be considered an essential element in the development of web applications.
The Security by Design approach addresses this challenge by placing security at the heart of project development. Its procedures and best practices make it possible to understand cyber risks better in order to contain them better.
Fixing vulnerabilities in a web application increases data confidentiality, availability and integrity.
The OWASP TOP 10, a proven defense tool
Introducing OWASP
The Open Web Application Security Project (OWASP) is a non-profit organization that provides tools and recommendations for securing web applications.
Drawing on numerous stakeholders, both public and private, its OWASP TOP 10 guide lists the 10 most frequent attacks. This TOP 10 covers 95% of cyberattacks.
Let’s discover the OWASP TOP 10…
This guide lists the top 10 security vulnerabilities affecting applications.
It is developed based on information provided by experts in the field of cybersecurity. From this ranking, companies can thus focus on the measures to be implemented to strengthen their systems and secure their applications.
A little vocabulary to understand the attacks
To better understand the subject, four key definitions will help lay the foundations for securing web applications. We have distinguished the concepts relating to the attack area from those relating to the defense area.
Injection (SQL injection, command injection, script injection or XSS…)
Area: Attack
Implementation: very widespread threat, because it can be automated via robots
A form of attack in which a hacker uses a piece of code to gain access to potentially important or confidential information.
Broken access control (login/password, authentication, identification)
Area: Attack
Implementation: widespread threat, since it sits at the entry point of applications
Damage: high; an attack that can compromise an information system in its entirety.
A form of attack that allows confidential data to be recovered illegitimately.
Strong user authentication
Area: Defense
Implementation: requires technical skills and suitable organization.
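As an added example that is not part of the original article, the two attack-area definitions above (injection and broken access control) shown in Python with the standard sqlite3 module: each vulnerable function sits beside its hardened form. The user store, user names, record ids and the crafted input are all constructed for the demonstration.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory user store with two records (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, owner TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice@example.com", "alice", "alice-report"),
         (2, "bob@example.com", "bob", "bob-report")],
    )
    return conn

# Injection (attack area): the e-mail is concatenated into the statement, so the
# value can rewrite the query's logic instead of being treated as data.
def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list[str]:
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

# Hardened form: a parameterised query binds the value, so it is always data.
def find_user_safe(conn: sqlite3.Connection, email: str) -> list[str]:
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]

# Broken access control (attack area): the caller's identity is never checked
# against the record, so any logged-in user can read any record by id.
def read_secret_vulnerable(conn: sqlite3.Connection, current_user: str, record_id: int):
    row = conn.execute("SELECT secret FROM users WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None

# Hardened form: ownership is enforced server-side in the same query, so a
# record that does not belong to the caller is simply not found.
def read_secret_safe(conn: sqlite3.Connection, current_user: str, record_id: int):
    row = conn.execute(
        "SELECT secret FROM users WHERE id = ? AND owner = ?", (record_id, current_user)
    ).fetchone()
    return row[0] if row else None

def demo() -> dict:
    """Run both pairs against the same store; a constructed input containing a quote
    character stands in for the kind of value an automated scanner submits."""
    conn = build_db()
    crafted = "x' OR '1'='1"   # constructed test value: turns the WHERE clause into a tautology
    return {
        "injection_vulnerable_rows": len(find_user_vulnerable(conn, crafted)),  # 2: every user leaked
        "injection_safe_rows": len(find_user_safe(conn, crafted)),              # 0: treated as a literal
        "access_vulnerable": read_secret_vulnerable(conn, "bob", 1),            # bob reads alice's record
        "access_safe": read_secret_safe(conn, "bob", 1),                        # None: not his record
    }
```

Detection of the vulnerable patterns is straightforward in code review: look for SQL assembled from strings and for data reads that take an id without binding it to the caller's identity.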