Skip to content

OWASP/www-project-mobile-top-10

Repository files navigation

OWASP logo

OWASP Mobile Top 10 Methodology

Overview

This methodology report outlines the process we follow to update the OWASP Mobile Top 10 list of application security vulnerabilities using a data-based approach and unbiased sources.

To achieve this, we collect data from various sources such as incident reports, vulnerability databases, and security assessments, analyze the data, evaluate the sources for reliability and consistency, prioritize the vulnerabilities based on their impact and likelihood of occurrence, validate the results through consultation with experts and stakeholders, and create the final OWASP Top 10 list.

This report highlights the importance of following a comprehensive and unbiased approach to ensure the list reflects the most common and impactful mobile application security vulnerabilities, which can be used as a reference to improve the security of mobile applications.

Update History

Author Date Update
Alaeddine Mesbahi July 26, 2023 Initial Release
Kunwar Atul July 26, 2023 Initial Release
Mohamed Benchikh July 26, 2023 Initial Release
Mohammed Junaid Tariq July 26, 2023 Initial Release
Steffen Lortz July 26, 2023 Initial Release
Milan Singh Thakur Aug 02, 2023 Final Review

Methodology

Data Collection

To update the OWASP Top 10, we start by collecting data on the most common and impactful mobile application security vulnerabilities. We gather information from various sources such as incident reports, vulnerability databases, and security assessments. It's essential to collect data from diverse sources to ensure that the data is comprehensive and unbiased. Some of the sources that can be used to collect data include:

  • Incident reports from companies, organizations, and government agencies
  • Vulnerability reports from security vendors and researchers
  • Publicly available datasets on mobile application security vulnerabilities
  • Surveys of security professionals or application developers

Analysis

Once we have collected the data, the next step is to analyze it. We categorize the vulnerabilities, identify trends, and determine the severity of their impact. To analyze the data, we use statistical methods, data visualization, and machine learning algorithms. Some of the metrics that can be used to analyze the data include:

  • Frequency of occurrence
  • Severity of impact
  • Complexity of exploitation
  • Prevalence in specific industries or regions

Evaluate Sources

To ensure an unbiased approach, it's important to evaluate the sources of the data used in the analysis. We evaluate the sources for reliability, consistency, and relevance by:

  • Checking the credibility and reputation of the sources
  • Evaluating the quality of the data
  • Verifying the data with multiple sources
  • Checking for potential biases in the data

Prioritization

Once we have analyzed the data, we prioritize the vulnerabilities based on their impact and likelihood of occurrence. This involves assigning a risk score to each vulnerability based on the following factors:

  • Severity of impact
  • Likelihood of occurrence
  • Difficulty of remediation
  • Prevalence in specific industries or regions

Validation

To validate the results, we consult with experts in the field, review existing research and literature, and gather feedback from stakeholders. This can be done through surveys, focus groups, or interviews. Some of the questions we can ask to validate the results include:

  • Are the vulnerabilities identified in the list consistent with real-world incidents?
  • Do the vulnerabilities pose a significant threat to mobile applications?
  • Are there any vulnerabilities that are missing from the list?
  • Is the prioritization of the vulnerabilities appropriate?

Finalization

Based on the analysis, prioritization, and validation, we create the final OWASP Top 10 list. The list includes the most impactful and prevalent mobile application security vulnerabilities, along with information on how to detect and mitigate them. The OWASP Top 10 list can be used as a reference for application developers, security professionals, and auditors to improve the security of their mobile applications.

Progress Report

Category Date Description
Data Collection Apr 12, 2023 Collection of vulnerabilities metrics from Public reports on HackerOne, Ostorlab and CVEs.
Alpha Release Jun 8, 2023 Alpha version of the OWASP Mobile Top 10 pending feedback and comments.
Beta Release Jul 2, 2023 Beta version of the OWASP Mobile Top 10 pending final comments.
Initial Release Aug 2, 2023 Official initial release of the OWASP Mobile Top 10.