
OWASP Top Ten: That's how we increase website security

Unic has continuously invested in improving web application security by introducing new security measures. These include free Let’s Encrypt certificates, Web Application Firewalls, DDoS protection, vulnerability scanning and many more. In this blog post, we show how these security measures help mitigate the OWASP Top Ten.

For starters: What is OWASP Top Ten?

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. The first OWASP Top Ten list was published in 2013. Since then, the list has been regularly updated with the ten most critical security risks to web applications. The list is curated based on broad consensus and community input. The goal is to raise awareness about application security by identifying some of the most critical risks facing organizations. Many standards, books, tools, and organizations reference the Top Ten project. These include MITRE, PCI DSS, the Defense Information Systems Agency (DISA-STIG), the United States Federal Trade Commission (FTC), and many more. Although the original goal of the OWASP Top Ten project was simply to raise awareness amongst developers and managers, it has become the de facto application security standard. [1]

What's Unic's view on OWASP Top Ten?

At Unic, we see the regularly updated OWASP Top Ten list as a must-have standard in customer requirements and RFI/RFP documents. Therefore, we have continuously invested in improving web application security by introducing new features such as:

  • Free Let’s Encrypt Certificates
  • Web Application Firewall (WAF)
  • DDoS Protection
  • Vulnerability Scanning
  • ISO 27001 Certification
  • Content Security Policy Monitoring

In the table below, an extract of our security measures is listed in the rows on the left-hand side and the OWASP Top Ten risks in the columns across the top. Y and N indicate whether a measure helps mitigate a particular risk. The score on the right-hand side indicates how broad the risk impact of a single measure is. The score at the bottom indicates how many measures address a single risk.

And how does Unic actually improve web application security?

It becomes clear that low-level technical measures like WAF, backup, BGP monitoring and all measures related to DNS security and TLS have a high overall impact on web application security. These findings are in line with the Unic Web Application Security Policy. The policy was introduced in 2018 to ensure all new customer projects have a security baseline that can be continuously improved.

At Unic, everyone must apply the following requirements when developing solutions for our customers or internally:

  • All websites must be delivered using TLS; no mixed content
  • All websites must implement the following security headers: "X-Frame-Options" (and the corresponding "frame-ancestors" directive in CSP), "X-XSS-Protection", "X-Content-Type-Options" and "Strict-Transport-Security"
  • All forms must be protected from spam and bots (e.g. using CAPTCHA or other suitable methods)
  • TLS configuration and certificates must achieve at least grade "A" on ssllabs.com
  • Weak encryption algorithms and ciphers must be disabled
  • SSLv2 and SSLv3 must be disabled
  • SRI must be used for websites that load JavaScript or stylesheets from foreign origins

Furthermore, TLSv1.0 has to be disabled when developing solutions for our customers or internally. And all websites should implement the following security headers:

  • Referrer-Policy
  • Feature-Policy
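The two header lists and the SRI and TLS requirements above can be checked mechanically. The following script is an added example written for this post, not Unic's own tooling: it audits a captured set of response headers against the "must" and "should" header requirements, computes and verifies an SRI integrity value for a resource body, and builds a client TLS context that enforces the protocol rules. The sample header sets are constructed; the value checks (for instance requiring a max-age in Strict-Transport-Security) are this example's own interpretation of what a sane value looks like, and the TLS context sets TLS 1.2 as the minimum, which goes a step beyond the policy's requirement to disable TLSv1.0.

```python
"""Baseline web security policy checks (added example, not Unic's code)."""
import base64
import hashlib
import ssl

# Headers every site MUST send, each with a minimal sanity check on its value.
# These value checks are this example's assumptions, not part of the policy text.
REQUIRED_HEADERS = {
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: v.startswith("1") or v == "0",
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
}
# Headers every site SHOULD send.
RECOMMENDED_HEADERS = ("referrer-policy", "feature-policy")


def audit_headers(headers):
    """Return (missing_required, bad_required, missing_recommended).

    `headers` is a dict of response header name -> value; names are matched
    case-insensitively, as HTTP header names are.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    missing_required, bad_required, missing_recommended = [], [], []
    for name, value_ok in REQUIRED_HEADERS.items():
        if name not in lower:
            missing_required.append(name)
        elif not value_ok(lower[name]):
            bad_required.append(name)
    # The CSP frame-ancestors directive is required alongside X-Frame-Options.
    csp = lower.get("content-security-policy", "")
    if "frame-ancestors" not in csp:
        missing_required.append("content-security-policy: frame-ancestors")
    for name in RECOMMENDED_HEADERS:
        if name not in lower:
            missing_recommended.append(name)
    return missing_required, bad_required, missing_recommended


def sri_integrity(resource_bytes, algo="sha384"):
    """Compute the value for a <script integrity="..."> attribute."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, resource_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(resource_bytes, integrity_attr):
    """True if a fetched resource body matches the declared integrity value."""
    algo, _, _ = integrity_attr.partition("-")
    return sri_integrity(resource_bytes, algo) == integrity_attr


def baseline_tls_context():
    """Client context refusing SSLv2, SSLv3, TLS 1.0 and TLS 1.1."""
    ctx = ssl.create_default_context()  # already disables SSLv2/SSLv3
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample responses: one compliant, one with several gaps.
COMPLIANT = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Feature-Policy": "geolocation 'none'",
}
NON_COMPLIANT = {
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(label, audit_headers(hdrs))
    body = b"console.log('hello');"  # constructed script body
    print(sri_integrity(body), sri_matches(body + b"x", sri_integrity(body)))
```

Run it against headers captured from a real response (for example the dict from `requests.get(...).headers`) to get a per-site gap list; the SRI helper is meant for generating the attribute at build time and for verifying that a fetched third-party file still matches what was deployed.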

We are aware that these settings are not the strongest possible and might not be suitable for web applications containing sensitive information. But they are a good baseline, a starting point to improve upon.

Using this policy, we significantly increased website security of our customer projects. We will continue to regularly review our policies to make data and web applications more secure.

Sources:

[1] owasp.org
