Awareness of OWASP Top 10
Plain English Translation
The organization must ensure its teams understand the most critical web application security risks as defined by the Open Web Application Security Project (OWASP) Top 10. By providing targeted training and incorporating these principles into development practices, the organization can build more secure applications and reduce the likelihood of common vulnerabilities being exploited.
Technical Implementation
Required Actions (startup)
- Distribute OWASP Top 10 documentation to all developers.
- Require a basic web application security awareness module for the engineering team.
Required Actions (scaleup)
- Implement formal, tracked secure coding training covering the OWASP Top 10.
- Integrate OWASP Top 10 checks into code review checklists.
Required Actions (enterprise)
- Deploy continuous secure development training programs.
- Embed OWASP Top 10 validation using SAST and DAST tools within the CI/CD pipeline.
The OWASP Top 10 is a standard awareness document that represents a broad consensus about the most critical security risks to web applications. Security teams use it as a foundational benchmark to prioritize remediation efforts and educate developers on safe coding practices.
CyberSecure Canada Section 6.3.2.1 explicitly requires the organization to demonstrate awareness of the OWASP Top 10 risks. This establishes a baseline understanding of web application security for both internal and outsourced development.
You can demonstrate awareness by presenting training records showing developers have completed courses on the OWASP Top 10. Additionally, providing secure development policies that reference the OWASP Top 10 serves as strong evidence. Tools like WatchDog Security's Compliance Center can centralize these artifacts and map them to CSC-06-018 to simplify assessment preparation.
Acceptable evidence includes documented training logs, certificates of completion for secure coding training, a formal secure development policy, and code review checklists that specifically call out OWASP Top 10 vulnerabilities. Tools like WatchDog Security's Policy Management and WatchDog Security's Security Awareness Training can help maintain policy version history and training completion logs in a consistent, reviewable format.
While general awareness meets the basic requirement, it is highly recommended that developers receive specific secure coding training. This ensures they have the practical knowledge to prevent OWASP Top 10 vulnerabilities during the development process.
Training should be conducted at least annually or during the onboarding of new developers. It should also be updated whenever a new version of the OWASP Top 10 list is published to cover emerging threats.
The organization should always align with the latest published edition of the OWASP Top 10. Staying current ensures protection against the most modern threats and demonstrates proactive compliance readiness.
Embed awareness by updating the secure development policy to mandate OWASP Top 10 risk mitigation. Additionally, integrate automated vulnerability scanning tools and peer review requirements tailored to these specific risks.
Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools are highly effective at identifying these vulnerabilities. Many commercial and open-source vulnerability scanners map their findings directly to the OWASP Top 10 categories. Tools like WatchDog Security's Vulnerability Management can aggregate findings from multiple scanners, support triage workflows, and retain remediation evidence aligned to OWASP categories.
Small teams can use the free resources provided directly by the OWASP Foundation, including documentation and community training videos. Incorporating these materials into onboarding and requiring developers to read the official guidelines is a low-cost way to demonstrate awareness.
To show awareness, assessors typically look for repeatable training, clear audience targeting (developers, QA, DevOps), and completion records you can produce on request. Tools like WatchDog Security's Security Awareness Training can assign role-based OWASP micro-courses and maintain completion tracking, while WatchDog Security's Compliance Center can organize the resulting evidence against CSC-06-018 for faster retrieval during assessments.
Awareness is stronger when it is embedded into a secure development policy and reinforced through approvals, version history, and staff acknowledgements of updates. Tools like WatchDog Security's Policy Management can maintain version control and acceptance tracking for OWASP-related policy changes, and WatchDog Security's Compliance Center can link the policy artifact and attestations directly to this control for audit-ready documentation.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |