OWASP Top Ten: That's how we increase website security
For starters: What is OWASP Top Ten?
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. The first OWASP Top Ten list was published in 2013. Since then, the list has been regularly updated with the ten most critical security risks to web applications. The list is curated based on broad consensus and community input. Its goal is to raise awareness about application security by identifying some of the most critical risks facing organizations. Many standards, books, tools, and organizations reference the Top Ten project, including MITRE, PCI DSS, the Defense Information Systems Agency (DISA-STIG), the United States Federal Trade Commission (FTC), and many more. Although the original goal of the OWASP Top Ten project was simply to raise awareness among developers and managers, it has become the de facto application security standard.
What's Unic's view on OWASP Top Ten?
At Unic, we see the regularly updated OWASP Top Ten list as a mandatory standard in customer requirements and RFI/RFP documents. Therefore, we have continuously invested in improving web application security by introducing new features such as:
Free Let’s Encrypt Certificates
Web Application Firewall (WAF)
ISO 27001 Certification
Content Security Policy Monitoring
In this table, you find an extract of our security measures as rows on the left-hand side and the OWASP Top Ten risks as columns across the top. Y and N indicate whether a measure helps mitigate a particular risk. The score on the right-hand side indicates how large the overall risk impact of a single measure is. The score at the bottom indicates how many measures address a single risk.
And how does Unic actually improve web application security?
It becomes clear that low-level technical measures like WAF, Backup, BGP Monitoring and all measures related to DNS Security and TLS have a high overall impact on web application security. These findings are in line with the Unic Web Application Security Policy. The policy was introduced in 2018 to ensure that all new customer projects have a security baseline that can be continuously improved. At Unic, everyone must apply the following requirements when developing solutions for our customers or internally:
All websites must be delivered using TLS; no mixed content
All websites must implement the following security headers: "X-Frame-Options" (and the corresponding "frame-ancestors" directive in CSP), "X-XSS-Protection", "X-Content-Type-Options" and "Strict-Transport-Security"
All forms must be protected from spam and bots (e.g. using CAPTCHA or other suitable methods)
TLS Configuration and Certificates must at least have grade "A" on ssllabs.com
Weak encryption algorithms and ciphers must be disabled
SSLv2 and SSLv3 must be disabled
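The requirements above can be turned into an automated check that runs against every deployment. The following script is an added example written for this article and is not Unic's own tooling: it checks a captured set of response headers for the four mandatory headers and the CSP frame-ancestors directive, flags an HSTS header without a positive max-age (browsers ignore such a header), reports forbidden protocol versions and weak cipher suites from a TLS configuration, and scans an HTML body for mixed content. The header values, cipher names, and `example.test` hostnames in the sample data are constructed for the example; the protocol and cipher lists are only as complete as the markers in the script.

```python
"""Baseline web security policy checker (added example, not Unic's code).

Checks constructed sample input offline: response headers, the enabled
TLS protocols and cipher suites, and an HTML body for mixed content.
"""
import re

# Header name -> set of accepted values (lower-cased), or None if any value is accepted.
REQUIRED_HEADERS = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-xss-protection": None,
    "x-content-type-options": {"nosniff"},
    "strict-transport-security": None,
}
# Protocol versions the policy requires to be disabled.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
# Substrings of OpenSSL cipher names that indicate weak or anonymous suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")
# Active and passive resource tags whose http:// URL would be mixed content on an https page.
MIXED_RE = re.compile(
    r'<(?:script|img|iframe|link|audio|video|source)\b[^>]*?\s(?:src|href)=["\'](http://[^"\']+)',
    re.I,
)


def check_headers(headers):
    """Return a list of policy violations for one response's headers (names are case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []
    for name, allowed in REQUIRED_HEADERS.items():
        if name not in h:
            problems.append(f"missing header: {name}")
        elif allowed is not None and h[name].lower() not in allowed:
            problems.append(f"unexpected value for {name}: {h[name]}")
    # HSTS only takes effect with a positive max-age; max-age=0 actually clears the policy.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) <= 0:
            problems.append("strict-transport-security without a positive max-age")
    # The policy pairs X-Frame-Options with a frame-ancestors directive in CSP.
    if "frame-ancestors" not in h.get("content-security-policy", ""):
        problems.append("content-security-policy lacks a frame-ancestors directive")
    return problems


def check_tls(protocols, ciphers):
    """Return violations for the enabled protocol versions and cipher suite names."""
    problems = [f"forbidden protocol enabled: {p}" for p in protocols if p in FORBIDDEN_PROTOCOLS]
    for c in ciphers:
        if any(marker in c for marker in WEAK_CIPHER_MARKERS):
            problems.append(f"weak cipher enabled: {c}")
    return problems


def find_mixed_content(html):
    """Return the http:// resource URLs a page served over https would load insecurely."""
    return MIXED_RE.findall(html)


# Constructed sample data for a compliant and a non-compliant deployment.
GOOD_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=0",
}
SAMPLE_HTML = (
    '<html><img src="https://cdn.example.test/a.png">'
    '<script src="http://cdn.example.test/x.js"></script>'
    '<a href="http://example.test/">link</a></html>'
)

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_headers(hdrs) or "OK")
    print(check_tls(["TLSv1", "TLSv1.2"], ["RC4-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES128-SHA"]))
    print(find_mixed_content(SAMPLE_HTML))
```

In practice the header dictionary comes from the response of an HTTP client and the protocol and cipher lists from the web server's TLS configuration; the checker itself stays offline, which makes it easy to run in a CI pipeline before a release.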
Furthermore, TLSv1.0 has to be disabled when developing solutions for our customers or internally. And all websites should implement the following security headers:
We are aware that these settings are not the strongest configuration possible and might not be suitable for web applications containing sensitive information. But they are a good baseline, a starting point to improve upon. Using this policy, we have significantly increased the website security of our customer projects. We will continue to review our policies regularly to make data and web applications more secure.