OWASP Top 10 Proactive Controls 2018: How it makes your code more secure
The OWASP list of the top 10 critical security risks to web applications does a good job of identifying prominent cybersecurity risks faced by organizations, but it doesn’t offer developers much practical guidance on how to make their applications more secure. That’s where OWASP’s Top 10 Proactive Controls come in.
One big advantage is that they’re “written for developers instead of security specialists,” explained Jim Bird, one of the leaders of the controls project and co-founder and CTO of the New York-based Alternative Trading System, a system for secure and confidential institutional stock trading.
The items on the top 10 provide actionable guidance on how to deal with important security risks. They include links to open-source libraries, tools that developers can use, and pointers to other projects from the Open Web Application Security Project (OWASP)—such as the Cheat Sheet series—where they can dig deeper into specific areas.
Ken Prole, chief technology officer for Code Dx said, “…the new recommendations speaks the language of developers and makes it easy to understand what they should be worrying about when creating secure applications.”
Here’s what your app sec team needs to know about OWASP Top 10 Proactive Controls 2018.
10 suggestions for more secure apps
The controls, introduced in 2014, have filled a gap for practitioners preaching the gospel of security to developers. Michael Leung, a management consultant with Canadian Cybersecurity Inc., used to manage security training for developers at a large financial institution in Canada. He is also a member of ISACA’s CISO Forums Working Group.
Version 3.0 of the controls, released earlier this year, looks like this:
1. Define security requirements
Security requirements provide a foundation of vetted security functionality for an application, the OWASP team explained in a document on the project. Instead of creating a custom approach to security for every application, standard security requirements allow developers to reuse the definition of security controls and best practices.
2. Leverage security frameworks and libraries
Using secure coding libraries and software frameworks with embedded security helps software developers guard against security-related design and implementation flaws. A developer writing an application from scratch might not have sufficient knowledge, time, or budget to properly implement or maintain security features.
3. Secure database access
Ensure that the security controls available from the DBMS and hosting platform are enabled and properly configured. All access to the database should also be properly authenticated.
4. Encode and escape data
These are defensive techniques meant to stop injection attacks.
5. Validate all inputs
Input validation ensures that only properly formatted data may enter a software system component.
6. Implement digital identity
This control is the unique representation of a subject as it engages in an online transaction. It also includes authentication (verifying that an individual or entity is who they claim to be) and session management (helping a server maintain the state of a user’s authentication so they may continue to use the system without repeating authentication).
7. Enforce access controls
Also called authorization, this determines if a request by a user, program, or process should be granted or denied.
8. Protect data everywhere
Data needs to be protected in transit and at rest. It also needs to be classified so each piece of data receives the level of protection it deserves.
9. Implement security logging and monitoring
By having an application generate data for security, you can provide valuable information for intrusion detection systems and forensic analysis, as well as help your organization meet compliance requirements.
10. Handle all errors and exceptions
Applications that mishandle errors can expose an organization to all kinds of trouble, from data leakage to the compromise of data in transit to denial of service and system shutdowns.