by Carole Fennelly
July 5, 2023
Web application security is a key concern for any organization that develops or uses web applications. The software security community created the Open Web Application Security Project (OWASP) to help educate developers and security professionals on the latest web application security risks. This dashboard provides organizations the ability to monitor web applications by identifying the top 10 most critical web application security risks as described in the OWASP Top 10 Application Security Risks document.
The OWASP Application Security Risks document outlines several categories of web-based security concerns, such as Cross-Site Scripting (XSS) attacks, security misconfigurations, and sensitive data exposure. OWASP's focus is reducing risk to the most vulnerable business assets on the internet. Following these guidelines helps organizations reduce the risk of organizational and consumer data theft.
Administrators need to ensure that their organization is not vulnerable to any of the attacks identified by OWASP. Compliance-related issues, such as known vulnerable components and insufficient logging, are also important to address, since they close gaps in an organization's security that are not directly tied to exploitable attacks.
By default, the Current OWASP Category Summary widget is the most recent summary widget, in this case from 2021. Organizations that want to see data based on an older OWASP year can select that widget from the Widget Library when creating the dashboard. Additionally, the Current OWASP Categories by WAS Plugin Family widget will need to be recreated as a custom widget using the Group By plugin family option and the appropriate filter.
Widgets
Current OWASP Category Summary – This widget displays current OWASP vulnerability counts, sorted into each of the OWASP Top 10 categories. According to OWASP, “the Top 10 represents a broad consensus about the most critical security risks to web applications.” Identifying and fixing these issues provides organizations with a solid foundation for secure development. The requirements for this widget are: Tenable Web App Scanning.
Current OWASP Categories by WAS Plugin Family – This widget displays vulnerability status counts for current OWASP vulnerabilities. The widget sorts vulnerabilities into known plugin families, displaying a count along with a bar graph of severity results. The requirements for this widget are: Tenable Web App Scanning.
OWASP Versions by State – This widget displays the current and all previous OWASP versions along with a column displaying each state (New, Active, Resurfaced, Fixed). This information assists organizations in identifying OWASP vulnerabilities that are new, currently active, have previously been mitigated and have resurfaced, or have been fixed, for each OWASP version. New indicates that Tenable Vulnerability Management detected the vulnerability one time or multiple times up to 14 days after the original detection. Active indicates that the vulnerability was detected more than one time, and that the first detection occurred more than 14 days ago. Fixed indicates the vulnerability was present on a host, but is no longer present. Note: Fixed vulnerabilities are only visible on dashboards or results if the state filter is used. Resurfaced indicates the vulnerability was previously marked as fixed on a host, but was detected again. When a vulnerability is Resurfaced, it remains in this state until a subsequent scan identifies the vulnerability as remediated, at which point the vulnerability returns to a Fixed state. The requirements for this widget are: Tenable Web App Scanning.
OWASP Versions by Severity – This widget displays the current and all previous OWASP Top 10 versions along with a column for each severity level, Critical to Low. Each cell displays the count of web application vulnerabilities associated with that OWASP Top 10 release and severity level. This information assists organizations in identifying the most severe OWASP vulnerabilities for the OWASP version in use. The requirements for this widget are: Tenable Web App Scanning.
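To make the state definitions behind the OWASP Versions by State widget concrete, the following is an added example (not Tenable's code) that derives New, Active, Fixed, and Resurfaced from a host's scan history using the 14-day rule described above, then counts findings per OWASP version and state as that widget does. The Observation type, the sample scan dates, and the handling of a single detection older than 14 days with no later scan are assumptions, not something the text specifies.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

NEW_WINDOW = timedelta(days=14)  # a finding stays "New" for up to 14 days after first detection


@dataclass
class Observation:
    scan_date: date
    detected: bool  # True if this scan found the vulnerability on the host


def classify_state(history: list[Observation], today: date) -> str:
    """Derive New / Active / Fixed / Resurfaced from a host's scan history.

    Assumption (the text does not say): a vulnerability detected only once, with
    no later scan, is still reported as New even after 14 days, because Active
    requires more than one detection.
    """
    state, detections, first_seen = None, 0, None
    for obs in sorted(history, key=lambda o: o.scan_date):
        if obs.detected:
            detections += 1
            first_seen = first_seen or obs.scan_date
            if state == "Fixed":
                state = "Resurfaced"        # was fixed, detected again
            elif state != "Resurfaced":     # Resurfaced persists until remediated
                state = "Open"              # New or Active, decided below
        elif state is not None:
            state = "Fixed"                 # previously present, now absent
    if state is None:
        raise ValueError("no detection on record for this finding")
    if state == "Open":
        aged = today - first_seen > NEW_WINDOW
        state = "Active" if detections > 1 and aged else "New"
    return state


def versions_by_state(findings, today: date) -> dict[tuple[str, str], int]:
    """Count findings per (OWASP version, state), like the Versions by State widget."""
    return dict(Counter((version, classify_state(hist, today)) for version, hist in findings))


# Constructed sample data, not real scan output: (OWASP Top 10 version, scan history).
TODAY = date(2024, 2, 1)
SAMPLE = [
    ("2021", [Observation(date(2024, 1, 25), True), Observation(date(2024, 1, 30), True)]),
    ("2021", [Observation(date(2024, 1, 1), True), Observation(date(2024, 1, 20), True)]),
    ("2017", [Observation(date(2024, 1, 1), True), Observation(date(2024, 1, 15), False)]),
    ("2017", [Observation(date(2024, 1, 1), True), Observation(date(2024, 1, 15), False),
              Observation(date(2024, 1, 29), True)]),
]
```

Because Fixed findings only appear when the state filter is applied, the count under ("2017", "Fixed") is exactly what disappears from a dashboard built without that filter.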