Developing secure software: how to implement the OWASP top 10 Proactive Controls

One example is pulling data from the database in a multi-tenant SaaS application, where you need to ensure that one tenant's data isn't accidentally exposed to users of another. Another example is the question of who is authorized to call the APIs that your web application provides. The list goes on, from protection against injection attacks to authentication, secure cryptographic APIs, storing sensitive data, and so on. Once authentication is taken care of, authorization should be applied to make sure that authenticated users have the permissions to perform the actions they need, but nothing beyond those actions is allowed. In this post, you'll learn more about the different types of access control and the main pitfalls to avoid.

This lesser-known OWASP project aims to help developers prevent vulnerabilities from being introduced in the first place. When an application encounters an error, exception handling will determine how the app reacts to it. Proper handling of exceptions and errors is critical to making code reliable and secure.

What Can We Do Differently About App Security?

Exception handling can be important in intrusion detection, too, because attempts to compromise an app sometimes trigger errors that raise a red flag that the app is under attack. That's why you need to protect data everywhere it's handled and stored. Digital identity, authentication, and session management can be very challenging, so it's wise to have your best engineering talent working on your identity systems. Likewise, input validation can reduce the attack surface of an application and make attacks on it more difficult. Probably the best advice on checklists is given by the Application Security Verification Standard (ASVS). The ASVS can be used to provide a framework for an initial checklist, according to the security verification level, and this initial ASVS checklist can then be expanded using the following checklist sections.

  • First, you need to find and choose the requirements for your software.
  • Use the extensive project presentation that expands on the information in the document.
  • This document is intended to provide initial awareness around building secure software.
  • Two great examples of secure defaults in most web frameworks are web views that encode output by default (providing XSS attack defenses) as well as built-in protection against Cross-Site Request Forgeries.
  • These include things such as injection, broken authentication and access control, security misconfigurations, and components with known vulnerabilities.
  • Strong authentication can prevent vulnerabilities such as broken authentication and session management, and poor authentication and authorization.

Although there's a movement to eliminate passwords, they remain, and probably will remain, an important component of authentication. You need to create policies for password length, composition, and shelf life; store passwords securely; and make provisions for resetting them when users forget them or they're compromised. According to OWASP, a security requirement is a statement of needed functionality that satisfies many different security properties of software.

Proactive Controls

Having found and chosen the requirements for your software, review how the application stacks up against them and document the results of that review. Finally, create test cases to confirm that the requirements have been implemented. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code.

If there's one habit that can make software more secure, it's probably input validation. Here's how to apply OWASP Proactive Control C5 (Validate All Inputs) to your code. Database injections are probably one of the best-known security vulnerabilities, and many injection vulnerabilities are reported every year. In this OWASP Top 10 Proactive Controls blog post, I'll cover the basics of query parameterization and how to avoid using string concatenation when creating your database queries. Secure frameworks and libraries can provide protection against a wide range of web application vulnerabilities, but they must be kept current so that known vulnerabilities are patched.
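The following is an added example, not code from the original post, showing the multi-tenant lookup from the opening paragraph written first with string concatenation and then with query parameterization; the table, rows and the `find_by_tenant_*` helpers are constructed for illustration on an in-memory SQLite database.

```python
import sqlite3

# Constructed in-memory sample table; not data from any real system.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, tenant TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts (tenant, email) VALUES (?, ?)",
        [("acme", "alice@example.com"), ("acme", "bob@example.com"),
         ("globex", "carol@example.com")],
    )
    return conn

def find_by_tenant_concat(conn: sqlite3.Connection, tenant: str) -> list:
    # Vulnerable form: the tenant value is pasted straight into the SQL text,
    # so any quotes and operators it contains become part of the query.
    sql = "SELECT email FROM accounts WHERE tenant = '" + tenant + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def find_by_tenant_param(conn: sqlite3.Connection, tenant: str) -> list:
    # Parameterized form: the driver binds the value separately from the
    # statement text, so the whole string is compared as data, never parsed as SQL.
    sql = "SELECT email FROM accounts WHERE tenant = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (tenant,))]

def demo() -> dict:
    # Runs both forms with a normal tenant name and with a constructed
    # input that closes the quoted literal, to show how the results differ.
    conn = make_db()
    crafted = "acme' OR '1'='1"  # constructed input, not from any real request
    return {
        "concat_normal": find_by_tenant_concat(conn, "acme"),
        "concat_crafted": find_by_tenant_concat(conn, crafted),   # leaks every tenant
        "param_normal": find_by_tenant_param(conn, "acme"),
        "param_crafted": find_by_tenant_param(conn, crafted),     # matches nothing
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns rows belonging to every tenant when given the crafted string, while the parameterized query returns none, because the value is treated as a literal tenant name rather than as SQL.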