Skip to content

slortz/www-project-mobile-top-10

 
 

Repository files navigation

Project OWASP Mobile Top-10 2023

OWASP logo

OWASP Mobile Top 10 Methodology

Overview

This methodology report outlines the process we follow to update the OWASP Mobile Top 10 list of application security vulnerabilities using a data-based approach and unbiased sources.

To achieve this, we collect data from various sources such as incident reports, vulnerability databases, and security assessments, analyze the data, evaluate the sources for reliability and consistency, prioritize the vulnerabilities based on their impact and likelihood of occurrence, validate the results through consultation with experts and stakeholders, and create the final OWASP Top 10 list.

This report highlights the importance of following a comprehensive and unbiased approach to ensure the list reflects the most common and impactful mobile application security vulnerabilities, which can be used as a reference to improve the security of mobile applications.

Update History

Author Date Update
Alaeddine Mesbahi Apr 13, 2023 First Draft
Milan Singh Thakur Apr 14, 2023 Review
Kunwar Atul Apr 14, 2023 Review
Mohamed Benchikh Apr 14, 2023 Review
Mohammad Junaid Apr 14, 2023 Review

Methodology

Data Collection

To update the OWASP Top 10, we start by collecting data on the most common and impactful mobile application security vulnerabilities. We gather information from various sources such as incident reports, vulnerability databases, and security assessments. It's essential to collect data from diverse sources to ensure that the data is comprehensive and unbiased. Some of the sources that can be used to collect data include:

  • Incident reports from companies, organizations, and government agencies
  • Vulnerability reports from security vendors and researchers
  • Publicly available datasets on mobile application security vulnerabilities
  • Surveys of security professionals or application developers

Analysis

Once we have collected the data, the next step is to analyze it. We categorize the vulnerabilities, identify trends, and determine the severity of their impact. To analyze the data, we use statistical methods, data visualization, and machine learning algorithms. Some of the metrics that can be used to analyze the data include:

  • Frequency of occurrence
  • Severity of impact
  • Complexity of exploitation
  • Prevalence in specific industries or regions

Evaluate Sources

To ensure an unbiased approach, it's important to evaluate the sources of the data used in the analysis. We evaluate the sources for reliability, consistency, and relevance by:

  • Checking the credibility and reputation of the sources
  • Evaluating the quality of the data
  • Verifying the data with multiple sources
  • Checking for potential biases in the data

Prioritization

Once we have analyzed the data, we prioritize the vulnerabilities based on their impact and likelihood of occurrence. This involves assigning a risk score to each vulnerability based on the following factors:

  • Severity of impact
  • Likelihood of occurrence
  • Difficulty of remediation
  • Prevalence in specific industries or regions

Validation

To validate the results, we consult with experts in the field, review existing research and literature, and gather feedback from stakeholders. This can be done through surveys, focus groups, or interviews. Some of the questions we can ask to validate the results include:

  • Are the vulnerabilities identified in the list consistent with real-world incidents?
  • Do the vulnerabilities pose a significant threat to mobile applications?
  • Are there any vulnerabilities that are missing from the list?
  • Is the prioritization of the vulnerabilities appropriate?

Finalization

Based on the analysis, prioritization, and validation, we create the final OWASP Top 10 list. The list includes the most impactful and prevalent mobile application security vulnerabilities, along with information on how to detect and mitigate them. The OWASP Top 10 list can be used as a reference for application developers, security professionals, and auditors to improve the security of their mobile applications.

Progress Report

Category Date Description
Data Collection Apr 12, 2023 Collection of vulnerabilities metrics from Public reports on HackerOne, Ostorlab and CVEs.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • HTML 100.0%