
Part of Data Security Standard 9 - IT protection

OWASP Top 10 vulnerabilities (9.3.1, 9.3.3, 9.3.7)



The primary aim of the Open Web Application Security Project (OWASP) Top 10 vulnerabilities is to educate developers, designers, architects, managers, and organisations about the consequences of the most common and most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high-risk problem areas and provides guidance on where to go from here.

The Top 10 list is revisited and renewed over time. OWASP publishes a number of release candidates before issuing a final release. For example, at the time of writing the OWASP Top 10 2017 is the latest official release.

Only the official release of this Top 10 should be followed as part of the toolkit.

You should ensure your web applications are protected against the common security vulnerabilities, and the OWASP Top 10 represents a good starting point. However, it is not a replacement for specific NHS Cyber alerts, as described in Data Security Standard 6, which you should still action.

The OWASP Top 10 is quite technical and will require liaising with your website developers to assure compliance.

You will also need to ensure that all your web servers or sites are covered by a penetration test and remediations are followed through and overseen by your Senior Information Risk Owner (SIRO).


National Cyber Security Centre Web Check

As well as manually checking against the OWASP Top 10, you should use a web check service. The National Cyber Security Centre's Web Check is highly recommended for public sector bodies.

For those in the private sector there are commercial and free services such as Sucuri, which offer a free website security check and malware scanner.


Last edited: 27 September 2022 2:53 pm