What is the difference between an NCSC report and an OWASP Top 10 report?

The main difference between the two reporting forms is that an NCSC report is more extensive than an OWASP Top 10 report. In addition to the identified vulnerabilities, it also describes which components were found to be in order. An NCSC report is suitable for certification purposes and for audits aimed at obtaining RPM statements, and is the standard choice for extensive pentests.

What is an NCSC report?

An NCSC report is based on the "ICT Security Guidelines for Web Applications" (version 2015) of the National Cyber Security Center (NCSC). The NCSC guidelines provide guidance on the safer development, management and provision of web applications and their associated infrastructure. See https://www.ncsc.nl/actueel/whitepapers/ict-beveiligingsrichtlijnen-voor-webapplicaties.html for more information.

The NCSC guidelines are drafted by the government, which generally makes them a sound benchmark. For certification or audits as well (such as DigiD, ISO certification, Mandatory Data Protection, AVG and Personal Data Protection), an NCSC report serves as a good indicator of the quality of security.

This report also contains a management summary and a comprehensive overview of all test results (covering both vulnerabilities and findings that were in order).

Note: this report form is only available in Dutch.

What is an OWASP Top 10 report?

An OWASP Top 10 report is compiled from the OWASP Top 10 Application Security Risks (version 2017) of the Open Web Application Security Project (OWASP). For more information, see: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project. The Open Web Application Security Project continuously maintains a list of the ten most significant security risks for web applications. The first Top 10 appeared in 2003 and is intended to raise awareness of the importance of web application security. As the field evolves, the list is updated regularly (almost annually).

The OWASP Top 10 report delivered with a pentest is a shorter variant of the NCSC report and is mostly technical in content.