OpenText brings decades of expertise to help you unlock data, connect people and processes, and fuel AI with trust
Unify data seamlessly across your enterprise to eliminate silos, improve collaboration, and reduce risks
Get AI-ready and transform your data into structured, accessible, optimized information
Meet regulatory and compliance requirements and protect your information throughout its lifecycle
OpenText helps people manage content, automate work, use AI, and collaborate to boost productivity
See how thousands of companies around the world are succeeding with innovative solutions from OpenText™
Our people are our greatest asset; they are the life of the OpenText brand and values
Learn how we aspire to advance societal goals and accelerate positive change
Find a highly skilled OpenText partner with the right solution to enable digital transformation
Explore scalable and flexible deployment options for global organizations of any size
Local control. Global scale. Trusted AI
Your cloud, your control
Free up resources, optimize performance and rapidly address issues
Run anywhere and scale globally in the public cloud of your choice
See information in new ways
AI that understands your business, your data, and your goals
Say hello to faster decisions. Your secure personal AI assistant is ready to get to work
Gain better insights with generative AI for supply chains
Power work with AI content management and an intelligent AI content assistant
Improve your security posture with AI cybersecurity and agile threat detection
Enable faster app delivery, development, and automated software testing
Elevate customer communications and experiences for customer success
Empower users, service agents, and IT staff to find the answers they need
See information in new ways
AI that understands your business, your data, and your goals
Say hello to faster decisions. Your secure personal AI assistant is ready to get to work
Gain better insights with generative AI for supply chains
Power work with AI content management and an intelligent AI content assistant
Improve your security posture with AI cybersecurity and agile threat detection
Enable faster app delivery, development, and automated software testing
Elevate customer communications and experiences for customer success
Empower users, service agents, and IT staff to find the answers they need
Predict, act, and win with real-time analytics on a smarter data platform
Give users access to the answers they need, faster and easier, with multi-repository AI-based search that lets you contextualize everything from clicks to conversations
Connect once, reach anything with a secure B2B integration platform
Reimagine knowledge with AI-ready content management solutions
Supercharge intelligent workspaces with AI to modernize work
Integrated cybersecurity solutions for enterprise protection
Purpose built data protection and security solutions
Reinvent threat hunting to improve security posture with the power of agile AI
Ship better software—faster—with AI-driven DevOps automation, testing, and quality
Reimagine conversations with unforgettable customer experiences
Get the clarity needed to cut the cost and complexity of IT operations
Redefine Tier 1 business support functions with self-service capabilities from private generative AI
Build custom applications using proven OpenText Information Management technology
Build it your way with OpenText Cloud APIs that create the real-time information flows that enable custom applications and workflows
Protect what matters, recover when it counts
Get greater visibility and sharper insights from AI-driven information management. Ready to see how?
Break free from silos, streamline processes, and improve customer experiences with secure information management for AI
Improve efficiency, security, and customer satisfaction with OpenText
Run processes faster and with less risk
Achieve digital transformation with guidance from certified experts
Modernize your information management with certified experts
Unlock the full potential of your information management solution
Turn support into your strategic advantage
Extend IT teams with certified OpenText application experts
Discover training options to help users of all skill levels effectively adopt and use OpenText products
Modernize your information management with certified experts
Unlock the full potential of your information management solution
Turn support into your strategic advantage
Extend IT teams with certified OpenText application experts
Discover training options to help users of all skill levels effectively adopt and use OpenText products
Information is the heartbeat of every organization. We build information management software so you can build the future
OpenText partners with leading cloud infrastructure providers to offer the flexibility to run OpenText solutions anywhere
OpenText partners with top enterprise app providers to unlock unstructured content for better business insights
Discover flexible and innovative offerings designed to add value to OpenText solutions
Discover the resources available to support and grow Partner capabilities
Get expert product and service support to accelerate issue resolution and keep business flows running efficiently
Explore detailed services and consulting presentations, briefs, documentation and other resources
The Open Web Application Security Project (OWASP) is an open source application security community with the goal to improve the security of software. The OWASP Top 10 is an industry standard guideline that lists the most critical application security risks to help developers better secure the applications they design and deploy.
Since security risks are constantly evolving, the OWASP Top 10 list is revised periodically to reflect these changes. In the latest version of OWASP Top 10 released in 2021, some types of vulnerabilities which no longer represent a serious threat were replaced with ones most likely to pose a significant risk.
While the OWASP Top 10 is a great place to start securing applications, it certainly should not be considered as an end goal, since some of the most-cited vulnerabilities didn’t make it into the OWASP Top 10 2021. To guard against software weakness, defenders need to look more broadly across their information-technology stack. This means IT security professionals need to focus across the entire software ecosystem and look beyond the ‘traditional’ sources of vulnerabilities.
Injection flaws can be introduced whenever an untrusted data source is sent to an interpreter. Examples are often found in SQL, LDAP, XPath or NoSQL dynamic database queries with user supplied input. Attackers inject code into the user input, tricking the query interpreter into executing malicious commands.
What makes an application vulnerable to injection flaws?
What’s the impact of injection flaws?
How can Fortify help with injection flaws?
Broken authentication can be introduced when managing identity or session data in stateful applications. Examples are often found when registration, credential recovery, and API pathways are vulnerable to unexpired session tokens, brute forcing, or account enumeration. Attackers assume the identity of legitimate users, taking control of accounts and compromising data, processes, or systems.
What makes an application vulnerable to broken authentication?
What’s the impact of broken authentication?
How can Fortify help?
Sensitive data exposure issues can be introduced when applications access unencrypted data, particularly personally identifiable information (PII) and other regulated data types. Examples are often found when weak cryptographic cyphers are used in legacy applications, secure transport protocols are implemented incorrectly, or data-centric security is not in use. Attackers gain access to sensitive user data that gives them control in real life.
What makes an application vulnerable sensitive data exposure?
What’s the impact of sensitive data exposure?
How can Fortify help with sensitive data exposure?
XML External Entity issues can be introduced when an XML input containing a reference to an external entity is processed by a weakly configured parser. Examples are often found in applications that parse XML input from untrusted sources, when Document Type Definitions (DTDs) are enabled, or that use unpatched frameworks like SOAP 1.0. XML is everywhere—from SVG and image files to networking protocols and document formats such as PDF and RSS. Attackers reference external entities in XML input that results in processors exploited to extract data, execute code remotely, or impact network services.
What makes an application vulnerable to XML external entities?
What’s the impact of XML external entities?
How can Fortify help with XML external entities?
Access control issues can be introduced when code and environmental restrictions overlap incompletely or are defined in multiple places for similar functionality. Examples are often found when security-by-obscurity is broken through forceful browsing to restricted pages, or when the application defines complex methods for access control in multiple ways and locations. Attackers can compromise access boundaries to steal sensitive data or disrupt operations.
What makes an application vulnerable to broken access control?
What’s the impact from broken access control?
How can Fortify help with broken access control?
Security misconfiguration flaws can be introduced during the configuration of the application or its underlying environment. Misconfiguration can happen at any level of an application stack—from network services and application servers to containers and storage. Examples are often found in default accounts and configurations, "leaky" error messaging, or unpatched frameworks and services. Attackers can gain deployment information and access to privileged data to disrupt operations.
What makes an application vulnerable to security misconfiguration?
What’s the impact of security misconfiguration?
Impact can vary from information disclosure to complete system compromise.
How can Fortify help with security misconfiguration?
Cross-Site Scripting (XSS) flaws can be introduced when untrusted, un-sanitized user input is executed as part of the HTML, or when users can be influenced to interact with malicious links. Examples are often found when familiar code constructs from languages such as JavaScript or Flash are accepted from untrusted sources or stored for later display by another user agent. Attackers can perform remote code execution on the user's machine, steal credentials, or deliver malware from redirect sites.
What makes an application vulnerable to cross-site scripting (XSS)?
There are three forms of XSS, usually targeting user agents such as browsers:
What’s the impact of cross-site scripting (XSS)?
How can Fortify help with cross-site scripting (XSS)?
Unsafe deserialization flaws can be introduced when languages and frameworks allow untrusted serialized data to be expanded into an object, often when web applications are communicating user or saving application state. Examples are often found when developers place no restrictions on methods that can self-execute during the deserialization process. Attackers leverage these "gadget chains" called outside of the application logic leverage to remotely execute code, deny service, or gain unauthorized access.
What makes an application vulnerable to insecure deserialization?
What’s the impact of insecure deserialization?
How can Fortify help with insecure deserialization?
These flaws can be introduced when open source or third-party frameworks and libraries are introduced into an application and run with the same privileges. Examples are often found where component-based development results in a lack of understanding of the risks associated with dependencies and components or systems are difficult or impossible to patch. Attackers have leveraged vulnerable components for some of the largest breaches in history, though vulnerabilities can range from application compromise to remote code execution.
What makes an application vulnerable to open source or third-party frameworks and libraries?
What’s the impact of using components with known vulnerabilities?
While some known vulnerabilities lead to only minor impacts, some of the largest known breaches, such as Heartbleed and Shellshock, have relied on exploiting known vulnerabilities in shared components. Using components with known code vulnerabilities can result in remote code execution on the affected server, giving the attacker total control of the machine.
How can Fortify help with open source security?
Insufficient logging and monitoring flaws can be introduced when attack vectors or application misbehavior is not well understood or best practices of monitoring for indicators of compromise are not followed. Examples are often found in legacy systems without logging capabilities, when logs of application penetration testing go unexamined, or when logs do not provide sufficient detail for understanding what attackers did. Attackers rely on an average of around 200 days for detection that is typically discovered externally to establish persistence and pivot to additional vulnerable systems.
What makes an application vulnerable to insufficient logging and monitoring?
What’s the impact of insufficient logging and monitoring?
Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploits. Attackers may establish persistence, backdooring applications and operating systems, stealing data, or otherwise gaining unnoticed, unauthorized control of systems. If security critical information is not recorded or stored appropriately, there will be no trail for forensic analysis to discover the source of attack. Understanding that there is a problem at all may become more difficult, or impossible, if the attacker maintains control of logging capabilities.
How can Fortify help with insufficient logging and monitoring?
While it has only been four years since the last top 10 was released in 2017, there have been many changes in the cyber security industry which has made us think twice about top priority concerns or which new ones to add.
Three new categories were introduced:
A04:2021
Insecure Design: This category focuses on design flaws. This is needed because the movement for shifting left in development requires a shift left for threat modeling as well.
A08:2021
Software and Data Integrity Failures: Focuses on assumptions around software updates, critical data, and the CI/CD pipeline without verifying the integrity they can impact. This also incorporates the A08:2017 – Insecure Deserialization.
A10:2021
Server-Side Request Forgery (SSRF): This category is mostly in the top 10 from the community survey. They really stressed this vulnerability because of the above average exploitability and impact.
Other changes
The other categories either had name changes, moved ranks, or were consolidated into other categories:
Want to see how Fortify can help your organization? Start Your Free 15-Day Trial of Fortify on Demand by OpenText™ Now
Fortify lets you build secure software fast with an application security platform that automates testing throughout the CI/CD pipeline to enable developers to quickly resolve issues.
Unlock security testing, vulnerability management, and tailored expertise and support
Find and fix security issues early with the most accurate results in the industry
Identify vulnerabilities in deployed web applications and services
Defend with precision, secure with confidence