Intro: Why Bother "Explaining" the Top 10?
OWASP's reporting on the Top 10 vulnerabilities for software applications is a great piece. However, it's written for a large audience: governance-writers, policy-makers, ...oh, and developers. So it's wonderful information, but requires a little more to see how it applies to making our code secure.
I'll do my best to start with definitions and recommendations straight from OWASP, and then expand with code samples.
For more on the top 10 vulnerabilities, check out this link:
The Overlap of OWASP Top 10 Guidance
A cool little note: OWASP also publishes a list of proactive controls for defending against the "Top 10" vulnerabilities. It's important to note, though, that the top 10 vulns and the controls do not line up one-to-one. So a sense of overlap begins to surface, and I'll try to cover that as well.
Technically speaking, if we’re defining vulnerability categories by CWE, then there is no overlap. However, for a conceptual understanding of how these things operate in practice, the “overlap” is helpful to visualize.
This distinction helps explain why the “top 10” and the proactive controls do not line up one-to-one.