The Open Web Application Security Project (OWASP) is an organization that solely specializes in the knowledge of software security. OWASP uses their knowledge to create lists for top risks and proactive controls, application security standards, and prevention cheat sheets for remediating specific risks. The OWASP Top 10 Most Critical Web Application Security Risks is continuously updated to showcase the most critical application security risks. The risks are always used as a baseline to test against when conducting any vulnerability or penetration tests. On the other hand, the OWASP Top 10 Proactive Controls was created to assist in developing an application that is not vulnerable to any of the top risks identified.
What are the OWASP Top 10 Proactive Controls?
1. Define Security Requirements
Defining these requirements ensures that a foundation of security functionality is required during your development. OWASP once again has created a useful document to assist with this and it’s called the OWASP Application Security Verification Standard (ASVS).
2. Leverage Security Frameworks and Libraries
Third-party frameworks are essential in application development. jQuery, Bootstrap, and Angular amongst the ones most commonly used. As vulnerabilities are discovered in them, you need to ensure continuous updates are applied to them to reduce exposure.
3. Secure Database Access
Most applications use a database to store and obtain application data. The queries used to conduct the database calls must be properly sanitized to prevent SQL Injection attacks.
4. Encode and Escape Data
Encoding output prevents specific characters (e.g., greater than or less than brackets) from being reflected on the user side. These reflections can turn into client-side attacks such as Cross-Site Scripting (XSS). For example, the “<” character would encode into “<”.
Escaping is as simple as adding the special character “\” before the input is interpreted by the server. For example, the double quote “ can be escaped using \” to ensure it is interpreted as text and not as closing a string.
5. Validate All Inputs
Input validation is all about ensuring inputs are presented to the server in its expected form (e.g., an email can only be in email format). Client-side and server-side validation ensure that client-side data is never trusted, while blacklisting and whitelisting of input work to prevent attacks such as Cross-Site Scripting (XSS). Those are only some of the challenges to validating inputs. The full list and their challenges can be found within the OWASP standard.
6. Implement Digital Identity
Authentication is used to verify that a user is who they claim to be. Securing the entire flow of that process includes strong password requirements, a secure password recovery mechanism, and lastly, secure storage. Once the user is authenticated, the authorization of the data they’re allowed to access goes into effect. This includes the generation of the session token and browser cookies.
7. Enforce Access Controls
As the authorization controls are implemented, the assurance that a user can only do tasks within their role and only to themselves is required. This is done by restricting access to objects and resources. A role that has read should only be able to read, any deviation is a security risk.
8. Protect Data Everywhere
This includes classifying data based on sensitivity, encrypting the data in transit and at rest. Information such as tokens, credit cards, and other personally identifiable information
9. Implement Security Logging and Monitoring
In order to detect unauthorized or unusual behaviour, the application must log requests. Information logged can be to the discretion of the security team but can include requests that violate any server-side access controls. A full list can be found here.
10. Handle All Errors and Exceptions
Handling errors and exceptions properly ensures no backend information is disclosed to any attackers. For example, an SQL exception will disclose where in the SQL query the maliciously crafted input is and which type of database is being used.
To discover if your developers have properly implemented all of the above, an application security assessment is recommended that will test against all of the OWASP Top 10 Most Critical Web Application Security Risks. A static or dynamic assessment can be conducted to complete the test. Once you decide which test is required, you can contact us for more information on the testing.