
OWASP Top 10


Last updated 9 months ago

The OWASP Top 10 represents a list of the most critical security risks for web applications, compiled by the Open Web Application Security Project (OWASP).

These issues highlight common vulnerabilities that attackers frequently exploit to compromise the security of web applications.

By addressing these vulnerabilities during code review and implementing appropriate security measures, developers can mitigate the risk of security breaches and protect web applications from potential threats.

The current OWASP Top 10 list

  1. Injection: Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. This can lead to the execution of unintended commands or SQL queries, allowing attackers to manipulate or access sensitive data.

  2. Broken Authentication: This vulnerability arises from improper implementation of authentication and session management. Attackers can exploit weaknesses in authentication mechanisms to compromise user accounts, gain unauthorized access, or impersonate users.

  3. Sensitive Data Exposure: Sensitive data exposure occurs when an application fails to adequately protect sensitive information such as passwords, credit card numbers, or personal data. Attackers can exploit this vulnerability to steal or misuse sensitive data.

  4. XML External Entities (XXE): XXE vulnerabilities occur when an application processes XML input from untrusted sources without proper validation. Attackers can exploit XXE to read files, perform port scans, or execute arbitrary code on the server.

  5. Broken Access Control: Broken access control vulnerabilities occur when restrictions on what authenticated users can access are not properly enforced. Attackers can exploit these flaws to gain unauthorized access to sensitive functionalities or data.

  6. Security Misconfigurations: Security misconfigurations happen when security settings are not properly configured, leaving the application vulnerable to attack. Common misconfigurations include default settings, unnecessary features enabled, or overly permissive access controls.

  7. Cross-Site Scripting (XSS): XSS vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, data theft, or unauthorized actions performed on behalf of the user.

  8. Insecure Deserialization: Insecure deserialization occurs when untrusted data is deserialized without proper validation. Attackers can exploit this vulnerability to execute arbitrary code, perform denial-of-service attacks, or tamper with application data.

  9. Using Components with Known Vulnerabilities: This vulnerability arises when an application uses third-party libraries, frameworks, or components with known security flaws. Attackers can exploit these vulnerabilities to compromise the application and its data.

  10. Insufficient Logging & Monitoring: Insufficient logging and monitoring make it difficult to detect and respond to security incidents. Effective logging and monitoring mechanisms are essential for identifying and mitigating security threats in a timely manner.

Addressing these OWASP Top 10 issues during the development lifecycle is critical for building secure web applications and protecting them from common security threats.
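As an added illustration of the first category above (not code from Typo or from this page), the pair of functions below runs the same lookup against a constructed in-memory SQLite table: one builds the SQL text by concatenation, so the caller's input becomes part of the command the interpreter executes, and the other binds the input as a parameter, so it can only ever be treated as data. The table, names and payload are constructed for the example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Injection flaw: untrusted input is spliced into the SQL string.

    A value such as x' OR '1'='1 changes the WHERE clause itself, so the
    query returns every row instead of the one the caller asked for.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Hardened form: the query text is fixed and the input is bound.

    The driver passes `name` as a parameter, so quotes or SQL keywords in
    it cannot alter the statement's structure.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that alters the query shape
    print("vulnerable:", find_user_vulnerable(db, probe))  # every user
    print("safe:      ", find_user_safe(db, probe))        # no match
```

In a code review, the tell is any query text assembled from variables; the fix is the parameterized form, which the second function shows.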