OWASP Top Ten 2021 Mapping
OWASP TOP Ten is a ranking of critical threats to common Web applications that are published and periodically updated by the Open Worldwide Application Security Project (OWASP). The following table shows a mapping of the requirements specified in this standard to the 2021 version of the OWASP Top 10 which is fully covered by TSS-WEB.
| OWASP Top Ten Control | Relevant TSS-WEB Requirement |
|---|---|
| A01:2021-Broken Access Control | Verification of every sensitive object access (on both functional and object layer) as well as the implementation of indirections (see section B.8 - Authorization). |
| A02:2021-Cryptographic Failures | Covered in section B.10 - Data Security |
| A03:2021-Injection | Primary: (1) Parametrization / ORM frameworks (SQL Injection) and (2) use of encoding APIs (see B.4 - Output Validation & Encoding. Secondary: restrictive input validation (see B.2 - Input Validation) |
| A04:2021-Insecure Design | Covered in sections A.2.3 Secure Design and B.1 - Secure Design Principles |
| A05:2021-Security Misconfiguration | Perform server hardening (see A.5.2 System Hardening) |
| A06:2021-Vulnerable and Outdated Components | Keep your 3rd party components updates and perform SCA assessments in build pipeline. Covered in A.2.6 Securing Third-Party Dependencies. |
| A07:2021-Identification and Authentication Failures | Covered in B.5 - Secure User Registration & Authentication and B.12 - API Security |
| A08:2021-Software and Data Integrity Failures | Covered in B.10 - Data Security and A.2.5 Secure Build & Deployment |
| A09:2021-Security Logging and Monitoring Failures | Covered in B.9 - Error Handling and Logging and A.5.8 Security Monitoring and Alerting |
| A10:2021-Server-Side Request Forgery | Covered in B.2.1 General Requirements |