
OWASP, the defense “mechanism” against web threats
Iñigo Ladrón Morales
All computer products and services, software and hardware alike, have inaccuracies, problems, bugs, security holes or vulnerabilities.
Taking advantage of these flaws by exploiting vulnerabilities in services, systems, applications and computer networks is the order of the day and the main objective of cyber attackers and cybercriminals, who know that it is an “easy” way to get through these holes, gain access, obtain privileges and achieve their goals.
A vulnerability is, therefore, a weakness or flaw in a system that can be exploited by a cyber attacker to compromise the security of said system, thus affecting the integrity, availability or confidentiality of the information. These vulnerabilities can exist at various layers of the technological infrastructure, from the network level to the application level. Some of the most vulnerable areas include web applications, operating systems, databases, network devices, and any other type of software.
Vulnerabilities can be classified into several categories, each with its own set of effects and exploitation methods:
- Injection Vulnerabilities. Some of the best known are SQL injection (SQL code injection) and XSS (Cross-Site Scripting), which allow attackers to execute unauthorized code on the attacked system and to access or modify sensitive data within it.
- Authentication and Access Control Vulnerabilities. These allow cyber attackers to bypass the authentication and user identification models and systems, or to gain unrestricted, privileged access to unauthorized functions or data.
- Session Management Vulnerabilities. They allow cyber attackers to take over legitimate user sessions and perform actions on behalf of the user, without anyone being aware of it.
- Insecure Configuration Vulnerabilities. These stem purely from configuration errors: they occur when a system is parameterized incorrectly, thus exposing sensitive data or functionality.
- Sensitive Data Exposure Vulnerabilities. They involve the exposure of confidential information, such as passwords or sensitive and confidential personal data, to unauthorized persons.
- Information Leakage Vulnerabilities. These vulnerabilities allow the unauthorized disclosure of sensitive information.
- Denial of Service (DoS / DDoS) Vulnerabilities. This type of vulnerability can lead to a service crash or to saturation of the system's resources, affecting the availability of the system and business continuity.
To combat these types of threats, a deep understanding of the existing vulnerabilities in all our computer systems is required, as well as an effective strategy with which they are appropriately managed.
This is where OWASP (Open Web Application Security Project) comes in, which is nothing more than a global community dedicated to improving software security. Specifically, it is a global, non-profit community that focuses on providing resources, tools, guides and open source projects to help companies understand, identify and mitigate vulnerabilities in web applications and web services, and build secure applications and services.
Vulnerability management involves identifying, classifying and remediating security weaknesses in a computer system. Companies use vulnerability scanning tools and frameworks such as CVE (Common Vulnerabilities and Exposures) and CVSS (Common Vulnerability Scoring System) to catalog and evaluate the risk associated with each discovered vulnerability (whether it is already known or a zero-day about to appear).
Pentesting (intrusion testing) and penetration testing, although they seem the same, are not. Both are techniques used to evaluate the security of a computer system, but they differ in their approach and scope. Pentesting focuses on simulating a real attack against a single specific system (or subsystem). The penetration test, for its part, has a broader character and scope, since it evaluates the security of a complete infrastructure, including all systems, subsystems, networks and security policies.
OWASP provides the guidelines and tools needed for both pentesting and penetration testing, in order to identify and mitigate vulnerabilities in an individual system or an entire infrastructure. For example, the OWASP ZAP (Zed Attack Proxy) tool is widely used by cybersecurity professionals to identify vulnerabilities in web applications during penetration testing.
In addition to OWASP, other organizations such as MITRE (known for MITRE ATT&CK, its matrix of attack techniques) and ISC2 (International Information System Security Certification Consortium) also focus on cybersecurity, but with approaches and areas of interest different from those of OWASP.
- MITRE is a non-profit organization that focuses on research and development of technologies and standards in the field of cybersecurity.
- ISC2 focuses on the certification and training of cybersecurity professionals.
In any case, there are overlaps between OWASP, MITRE and ISC2 in various areas of action, although OWASP stands out for its specific focus on software cybersecurity and web application cybersecurity.
OWASP has a TOP 10 of vulnerabilities that evolves over time. This is a list of the 10 most critical vulnerabilities in web applications. These are classified based on the experience of recognized cybersecurity experts.
Currently, the latest version is the 2021 OWASP Top 10. Some of its top vulnerabilities are those corresponding to code injection, incorrect or faulty authentication and exposure of sensitive data. Such vulnerabilities represent the most common and urgent risks that companies must address to ensure the security of their web applications.
But how are vulnerabilities detected, identified and named? This is a systematic, thorough and rigorous process that involves collecting information on the 2021 OWASP Top 10, as well as analyzing its potential impact and the available mitigation measures.
Vulnerabilities are named according to established standards in the cybersecurity industry, such as:
- CVE (Common Vulnerabilities and Exposures). A public dictionary, or vulnerability identification and naming system used worldwide, which provides a unique identifier for each vulnerability, thus facilitating interoperability between security tools and collaboration between organizations.
- CVSS (Common Vulnerability Scoring System). A scoring system used to numerically evaluate the risk associated with a vulnerability, taking into account factors such as its severity, its scope, the ease of exploitation and the potential impact.
In conclusion, OWASP plays a fundamental role in improving the cybersecurity of software and web applications, providing resources and tools that help organizations identify, mitigate and remediate vulnerabilities, thus protecting digital assets and the privacy of users.
With its community-focused and open source approach, OWASP continues to be a key player in the fight against constantly evolving cyber threats.
Of course, at Zerolynx we regularly use OWASP and all these globally standardized models and frameworks when providing our Detection Services, such as:
- Hacking on CMS Platform (Pentest Web).
- Internal and external Pentesting.
- The Web Security Audit.
- The Mobile Application Security Audit.
- Denial of Service (DoS) Testing.
We invite you to learn about all Zerolynx services.
But if you would also like us to inform you better and give you more details, in a more personalized way, do not hesitate to contact us.
Iñigo Ladrón Morales, Content Writer for Zerolynx.