Hands-On Penetration Testing with Kali NetHunter

OWASP testing framework

The Open Web Application Security Project (OWASP) testing framework is defined as a low-level penetration-testing guide for common web application and web service security issues. It was developed as a best-practice penetration-testing framework that anyone can implement within their organization.

The OWASP Testing Guide v4 can be found at https://www.owasp.org/index.php/OWASP_Testing_Project.

The OWASP Testing Framework outlines five phases:

  • Phase 1: Before Development Begins
    • Define a System Development Life Cycle (SDLC)
    • Review Policies
    • Develop Measurement and Metrics Criteria and Ensure Traceability
  • Phase 2: During Definition and Design
    • Review the Security Requirements
    • Review the Design and Architecture
    • Create and Review UML Models
    • Create and Review Threat Models
  • Phase 3: During Development
    • Code Walkthrough
    • Code Reviews
  • Phase 4: During Deployment
    • Application Penetration Testing
    • Configuration-management Testing
  • Phase 5: Maintenance and Operations
    • Conduct Operational Management Reviews
    • Conduct Periodic Health Checks
    • Ensure Change-verification

For more information on the OWASP Testing Framework, please visit https://www.owasp.org/index.php/The_OWASP_Testing_Framework.

Furthermore, OWASP has been continuously engaged in raising web security awareness globally and in publishing methods for improving web security. Its OWASP Top 10 is a list of the most critical security risks in web applications.

The following is the OWASP Top 10 – 2017 list of critical security risks to web applications:

  • A1:2017-Injection
  • A2:2017-Broken Authentication
  • A3:2017-Sensitive Data Exposure
  • A4:2017-XML External Entities (XXE)
  • A5:2017-Broken Access Control
  • A6:2017-Security Misconfiguration
  • A7:2017-Cross-Site Scripting (XSS)
  • A8:2017-Insecure Deserialization
  • A9:2017-Using Components with Known Vulnerabilities
  • A10:2017-Insufficient Logging & Monitoring

Further details about each category of the OWASP Top 10 – 2017 list can be found at https://www.owasp.org/index.php/Top_10-2017_Top_10.