Vulnerability research conducted by Contrast Labs was referenced in an article "What is OWASP and Why it Matters for AppSec." The Network World article, written by Michelle Drolet, discusses OWASP and why it proves the need for modern, well-funded application security programs.
Drolet notes in the article that organizations are not committing sufficient resources or attaching enough importance to software security. She states: "The importance of application security (AppSec) is widely understood, with 97 percent of respondents to the SANS Institute’s 2016 State of Application Security report revealing they have an AppSec program in place... However, only 26 percent of respondents described their AppSec program as mature or very mature."
OWASP a Source of Impartial Advice
It can be difficult to find unbiased advice and practical information to help you develop your AppSec program. The competitive technology and services market has plenty to say, but much of it is designed to steer you toward a particular tool or service provider.
The Open Web Application Security Project (OWASP) was formed to offer genuinely impartial advice on AppSec best practices and to foster the creation of open standards.
Anyone may participate in and support OWASP. The materials and guidelines it offers are completely free of charge and available under an open software license.
Ignore the OWASP Top 10 at Your Peril
You might assume a free set of guidelines like this, developed by some of the best minds in worldwide software security, would serve as a standard framework for developers, but sadly that doesn’t seem to be the case.
Today, as many as 25% of web applications are vulnerable to eight of the OWASP Top 10, according to Contrast Labs, with 80% possessing at least one vulnerability. Contrast Labs found that sensitive data exposure topped the list, affecting 69% of applications tested. CSRF (Cross-Site Request Forgery) was second, affecting 55% of apps, and broken authentication and session management was third, affecting 41% of apps.
It’s clear that organizations must implement more accurate, continuous and scalable solutions to tackle the application security challenge.