The main difference between the two reporting formats is that an NCSC report is more comprehensive than an OWASP Top 10 report. In addition to the identified vulnerabilities, an NCSC report also describes which components were found to be secure. This report is generally suitable for certification processes and audits, such as obtaining an assurance report (TPM statement), and is used only in more extensive penetration tests.
What is an OWASP Top 10 report?
An OWASP Top 10 report is based on the OWASP Top 10 Application Security Risks (version 2021) from the Open Worldwide Application Security Project (OWASP). For more information, see the OWASP website.
OWASP periodically compiles a list of the ten biggest security risks for web applications and other systems. The first Top 10 was published in 2003 and aims to raise awareness about IT security. As the field continually evolves, this list is regularly updated.
This report is shorter and more technical, allowing developers to address the issues directly.
What is an NCSC report?
An NCSC report is based on the document "ICT Security Guidelines for Web Applications" (version 2019) from the National Dutch Cyber Security Centre (NCSC). These guidelines provide a framework for securely developing, managing, and offering web applications and their infrastructure. For more information, see the NCSC website.
The NCSC guidelines, established by the government, are seen as a solid check for web application security. They are valuable for certification processes or audits, such as DigiD, ISO27001, MedMij, AVG/GDPR, and NIS2 compliance.
An NCSC report also includes an executive summary and a detailed overview of all findings, including both vulnerabilities and components found to be secure.