Remediate OWASP Risks
Plain English Translation
The organization must actively find and fix high and medium severity security vulnerabilities on its primary marketing websites. By focusing on the OWASP Top 10, the organization addresses the most critical web application security risks and brings them down to a formal, acceptable level of risk.
Technical Implementation
Required Actions (startup)
- Run periodic automated dynamic vulnerability scans against marketing sites.
- Fix critical OWASP Top 10 findings such as SQL injection, broken access control, and cross-site scripting.
Required Actions (scaleup)
- Integrate SAST and DAST tools into the CI/CD pipeline for web application updates.
- Establish an SLA for remediating high and medium vulnerabilities based on scan results.
Required Actions (enterprise)
- Implement a comprehensive bug bounty or continuous penetration testing program.
- Use a Web Application Firewall (WAF) to virtually patch vulnerabilities while code fixes are developed.
The OWASP Top 10 is a standard awareness document outlining the most critical web application security risks. CyberSecure Canada requires remediation of these specific risks to ensure that publicly accessible marketing websites, which often serve as an attacker's first entry point, are protected against common exploits.
High and medium risks are typically identified by running automated Dynamic Application Security Testing (DAST) tools and periodic manual penetration tests against the live website. Vulnerability scanners often map findings directly to OWASP Top 10 categories, which simplifies identification. For tracking and remediation at scale, tools like WatchDog Security's Vulnerability Management can consolidate findings from scanners and pentests, assign owners, and measure time-to-remediate.
A combination of approaches is best. Dynamic Application Security Testing (DAST) and manual penetration testing are highly effective for evaluating the running application, while Static Application Security Testing (SAST) and Software Composition Analysis (SCA) identify OWASP Top 10 vulnerabilities directly in the source code and third-party dependencies before deployment.
Vulnerability scanning and testing should occur at least annually, or whenever significant changes are introduced to the website's code or infrastructure. Continuous scanning is highly recommended to catch emerging OWASP Top 10 vulnerabilities promptly.
Remediation typically involves applying a code fix or configuration change to permanently eliminate the vulnerability. If a direct fix is not possible, implementing a compensating control (like a Web Application Firewall rule to mitigate the threat) or formally accepting the risk within the organization's risk tolerance level also satisfies the requirement.
The organization must define its risk tolerance in a formal risk management policy, typically approved by a senior official. This documentation outlines what severity of risk is acceptable based on business context, potential impact, and the cost or feasibility of implementing further controls.
Yes, risk can be accepted if a fix is unfeasible or breaks core functionality, provided the residual risk falls within the organization's acceptable risk tolerance level. This accepted risk must be documented in a risk register and formally authorized by a senior organizational leader.
The organization should retain vulnerability scan results showing identified issues, alongside evidence of remediation such as patch deployment records, before-and-after scan results, or IT tickets demonstrating the fix. For unresolved issues, a documented and approved risk acceptance form is required. Tools like WatchDog Security's Compliance Center can centralize scan reports, remediation tickets, and approval records into a single evidence set mapped to this control for audit readiness.
Remediation should be prioritized based on the severity of the vulnerability (starting with Critical and High findings) and the criticality of the affected web property. Primary marketing websites processing user data or forms should take precedence over static, non-interactive informational pages.
OWASP Top 10 risks from third parties are managed by implementing Software Composition Analysis (SCA) tools to detect known vulnerabilities in open-source dependencies and CMS plugins. The organization should keep all third-party components updated, strictly limit the use of unverified plugins, and monitor external scripts for malicious behavior.
Tracking OWASP remediation requires consistent ownership, due dates, and proof of closure across scanner results and pentest reports. Tools like WatchDog Security's Vulnerability Management can ingest findings from multiple sources, run triage workflows, and report MTTR analytics to show whether high/medium issues are being remediated within defined SLAs.
Risk acceptance should be an explicit decision with a documented rationale, the residual risk, any compensating controls, and a named approver, aligned with the organization's risk tolerance. Tools like WatchDog Security's Risk Register can capture the risk treatment plan and approval trail, while WatchDog Security's Compliance Center can attach supporting evidence (scan results, tickets, WAF rules) to demonstrate the control is managed end-to-end.
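As an added example (not WatchDog Security's or CyberSecure Canada's code), the check below reads a constructed findings export, flags open high/medium findings that have exceeded an assumed per-severity remediation SLA, rejects risk acceptances that lack a named approver or rationale, and computes mean time-to-remediate per severity. The SLA values, finding ids and dates are assumptions.

```python
"""SLA check for OWASP Top 10 findings (added example, not WatchDog Security code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Remediation SLA in days per severity: assumed values, take them from the
# organization's own risk management policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

@dataclass
class Finding:
    id: str
    owasp: str              # OWASP Top 10 (2021) category the scanner mapped it to
    severity: str
    opened: date
    closed: Optional[date] = None
    accepted: bool = False  # risk formally accepted instead of fixed
    approver: str = ""      # senior official who authorized the acceptance
    rationale: str = ""

def evaluate(findings, today):
    """Return (SLA breaches, undocumented acceptances, mean days-to-remediate by severity)."""
    breaches, undocumented, durations = [], [], {}
    for f in findings:
        sev = f.severity.lower()
        if f.accepted:
            # An acceptance without approver and rationale does not satisfy the control.
            if not (f.approver and f.rationale):
                undocumented.append(f.id)
        elif f.closed is not None:
            durations.setdefault(sev, []).append((f.closed - f.opened).days)
        elif sev in SLA_DAYS and (today - f.opened).days > SLA_DAYS[sev]:
            breaches.append(f.id)
    mttr = {s: sum(d) / len(d) for s, d in durations.items()}
    return breaches, undocumented, mttr

# Constructed sample export: ids and dates are made up for illustration.
SAMPLE = [
    Finding("F-1", "A03:2021 Injection", "high", date(2026, 1, 5), closed=date(2026, 1, 20)),
    Finding("F-2", "A01:2021 Broken Access Control", "high", date(2026, 1, 10)),
    Finding("F-3", "A03:2021 Injection", "medium", date(2026, 2, 1)),
    Finding("F-4", "A05:2021 Security Misconfiguration", "medium", date(2025, 12, 1),
            accepted=True, rationale="WAF rule blocks the request pattern"),
    Finding("F-5", "A06:2021 Vulnerable and Outdated Components", "high", date(2026, 1, 1),
            closed=date(2026, 1, 31)),
]

def run_sample(today=date(2026, 2, 24)):
    """Evaluate the sample as of the page's publication date, used here as 'today'."""
    return evaluate(SAMPLE, today)
```

On the sample, F-2 breaches the 30-day high SLA, F-4 is rejected because no approver is named, and the mean time-to-remediate for high findings is 22.5 days.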
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |