This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Proactive Controls"

From OWASP
Jump to: navigation, search
m (QP edit)
m (Translations)
 
(549 intermediate revisions by 14 users not shown)
Line 1: Line 1:
= Project About =
+
= Main =  
{{:Projects/OWASP_Proactive_Controls}}
+
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Proactive-header.jpg|link=]]</div>
  
= OWASP Top Ten Proactive Controls =
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 +
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
  
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
+
== OWASP Top 10 Proactive Controls 2018 ==
  
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It’s also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it’s comes to web security, developers are often set up to lose the security game.  
+
Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game.
  
This document was written by developers, for developers to assist those new to secure development.  It aims to guide developers and other software development professionals down the path of secure web application software development.
+
The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development.
  
This document is neither scientific nor complete. In fact it’s a bit misguided.  There are more than 10 issues that developers need to be aware of.  Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
+
# Define Security Requirements
+
# Leverage Security Frameworks and Libraries
The number of people who influenced or contributed to this document in some way is to numerous to mentioned. I would like to especially thank Andrew van der Stock for starting this project. I would also like to thank the entire cheat-sheet series team whose content has been pulled from liberally for this document.  
+
# Secure Database Access
 +
# Encode and Escape Data
 +
# Validate All Inputs
 +
# Implement Digital Identity
 +
# Enforce Access Controls
 +
# Protect Data Everywhere
 +
# Implement Security Logging and Monitoring
 +
# Handle All Errors and Exceptions
  
Introducing the OWASP Top Ten and one half Proactive Controls 2013.
 
  
== 1) Secure Requirements ==
+
For more information, see the complete document in the tab to the right.
- Core requirements for any project (technical)
 
- Business logic requirements (project specific)
 
  
== 2) Secure Architecture and Design ==
+
==Licensing==
- When to use request, session or database for data flow
 
  
== 3) Leverage secure coding frameworks and libraries ==
+
<span id="8:_Implement_Logging_and_Intrusion_Detection"></span>
- Shiro
+
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].
- ESAPI
 
  
== 4) Identity and Authentication ==
+
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
- Password Storage
 
- Forgot Password Workflow
 
- Multi-Factor AuthN
 
  
== 5) Access Control ==
+
== What is This? ==
- Permission based access control
 
- Limits of RBAC
 
  
== 6) Query Parametrization ==
+
The OWASP Top Ten Proactive Controls describes the most important control and control categories that every architect and developer should absolutely, 100% include in every project.
  
There have been many high visibility attacks against web applications that can be traced back to a SQL injection attack. SQL Injection is perhaps one of the most dangerous web application risk due to the fact that SQL Injection is both easy to exploit and can deliver an impact to your application that is quite devastating. Businesses, governments and social network sites have all fallen victim to this attack making it a fairly universal problem. Various statistical studies has shown that between 7 to 10% of all websites still contain SQL Injection. While many cite the problem of SQL injection as a vendor issue, process issues or issue that is impossible to fix, ultimately it’s a developer programming issue that can be quite simple to fix in comparison to other security issues that we will discuss below.
+
== Presentation ==
  
The simple insertion of malicious SQL code into your web application – and the entire database could potentially be stolen, wiped, modified. The web application can even be used to run dangerous operating system commands against the operating system hosting your database.  
+
Use the extensive [[media:OWASP_Top_Ten_Proactive_Controls_v3.pptx|project presentation]] that expands on the information in the document.
  
To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. The best way to do this to stop SQL Injection is with the programming technique known as Query Parameterization.
+
== Project Leaders ==
  
Here is an example of query parameterization in Java:
+
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:[email protected] @]
 +
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:[email protected] @]
 +
* [https://www.owasp.org/index.php/User:Katyanton Katy Anton] [mailto:[email protected] @]
  
String newName = request.getParameter("newName");
+
== Key Contributors ==
String id = request.getParameter("id");
+
* [[User:Taras Ivashchenko|Taras Ivashchenko]] [mailto:[email protected] @] (Russian Translation)
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?")
+
* Jay Zudilin (Russian Translation)
pstmt.setString(1, newName);
+
* Danny Harris [mailto:danny.[email protected] @]
pstmt.setString(2, id);
+
* Hiroaki Kuramochi (Japanese Translation)
 +
* Hiroshi Fujimoto (Japanese Translation)
 +
* Hidenori Nagai (Japanese Translation)
 +
* [https://www.owasp.org/index.php/User:Riotaro_OKADA Riotaro OKADA] [mailto:riotaro@owasp.org @] (Japanese Translation)
 +
* Robert Dracea (Japanese Translation)
 +
* Koichiro Watanabe (Japanese Translation)
 +
* Tony Hsu Hsiang Chih (Chinese Translation)
 +
* Abdessamad Temmar
 +
* [https://www.linkedin.com/in/eyalestrin Eyal Estrin] [mailto:eyal.estrin@gmail.com @] (Hebrew Translation)
 +
* [https://www.owasp.org/index.php/User:Cyrille_Grandval Cyrille Grandval] [mailto:cyrille.[email protected] @] (French Translation)
 +
* Frédéric Baillon [mailto:fbaillon@darkmira.com @] (French Translation)
 +
* Danny Harris [mailto:[email protected] @]
 +
* Stephen de Vries
 +
* Andrew Van Der Stock
 +
* Gaz Heyes
 +
* Colin Watson
 +
* Jason Coleman
 +
* Cassio Goldschmidt
  
Here is an example of query parameterization in PHP:
+
== Related Projects ==
  
$email  = $_REQUEST[‘email’];
+
* [[OWASP Top Ten Project]]
$ id’= $_REQUEST[‘id’];
+
* [[OWASP Mobile Security Project]]
$stmt = $dbh->prepare(”update users set email=:new_email where id=:user_id”);
+
* [[Cheat Sheets]]
$stmt->bindParam(':new_email', $email);
 
$stmt->bindParam(':user_id', $id);
 
  
== 7) Validation ==
+
| valign="top" style="padding-left:25px;width:200px;" |
- Whitelist Validation (struggles with internationalization)
 
- URL validation (as part of redirect features)
 
- HTML Validation (as part of untrusted content from features like TinyMCE)
 
  
== 8) Encoding ==
+
== Quick Access ==
- Output encoding for XSS
 
- Query Parameterization
 
- Other encodings for LDAP, XML construction and OS Command injection resistance
 
  
== 9) Data Protection ==
+
* Top 10 Proactive Controls 2018 PDF:  [[Media:OWASP_Top_10_Proactive_Controls_V3.pdf|EN]] | [[Media:OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf|PL]]  | [[Media:Owasp-top-10-proactive-controls-2018-russian.pdf|Ru]]
- At rest and in transit
 
- Secure number generation
 
- Certificate pinning
 
- Proper use of AES (CBC/IV Management)
 
  
== 10) Logging, Error Handling and Intrusion Detection ==
+
* Top 10 Proactive Controls 2018 [[Media:OWASP_Top_Ten_Proactive_Controls_v3.pptx|PPT Download]]
- Information leakage avoidance
+
* Top 10 Proactive Controls 2018 [[Media:OWASP_Top_10_Proactive_Controls_V3.docx|DOCX Download]]
- Attack detection
+
* Mapping to other OWASP and IEEE Top 10 Lists [[Media:Owasp-pc-ieee-ott-omtt-ssdf.pdf|PDF Download]]
- Proper error handling workflow
 
  
= Project Roadmap =
+
== Translations ==
  
Welcome to the OWASP Top 10 Proactive Controls Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source.  
+
* Top 10 Proactive Controls 2018 Chinese [[Media:OWASP_Top_10_Proactive_Controls_V3_Chinese.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2018 Russian [[Media:Owasp-top-10-proactive-controls-2018-russian.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2018 Polish [[Media:OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2016 Traditional Chinese Translation [[Media:OWASPTop10ProactiveControls2016-Chinese.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2016 Simplified Chinese Translation [[Media:OWASPTop10ProactiveControls2016-SimplifiedChinese.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2016 Japanese Translation [[Media:OWASPTop10ProactiveControls2016-Japanese.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2016 Hebrew Translation [[Media:OWASP_Proactive_Controls_2-Hebrew.pdf|PDF Download]]
  
== Status ==
+
== Latest News and Events ==
 +
* [Aug 2018] 3.0 Polish Translation Released!
 +
* [May 2018] 3.0 Released!
 +
* [June 2016] Featured in [http://www.booz-allen.co.in/content/dam/boozallen/documents/Viewpoints/2016/06/transformative-approach-to-secure-systems-delivery.pdf A Transformative Approach to Secure Systems Delivery]
 +
* [June 2016] Featured in [http://www.oreilly.com/webops-perf/free/devopssec.csp DevOpsSec]
 +
 
 +
Please see the  [{{SERVER}}/index.php/OWASP_Proactive_Controls?refresh=123#tab=News News] tab for more.
 +
 
 +
== Archive ==
 +
* [{{SERVER}}/index.php/OWASP_Proactive_Controls_2014 Proactive Controls 2014]
 +
* [{{SERVER}}/index.php/OWASP_Proactive_Controls_2016 Proactive Controls 2016]
 +
 
 +
== Mailing List ==
 +
 
 +
Keep up-to-date, participate or ask questions via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List].
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] 
 +
  |-
 +
  | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
 +
  |-
 +
  | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
 +
  |}
 +
 
 +
|}
 +
 
 +
= OWASP Proactive Controls 2018 =
 +
 
 +
OWASP Proactive Controls 2018 is currently available in the following formats. 
 +
* Top 10 Proactive Controls 2018 [{{SERVER}}/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf PDF version]
 +
* Top 10 Proactive Controls 2018 [{{SERVER}}/images/1/13/OWASP_Top_Ten_Proactive_Controls_v3.pptx PPT download].
 +
* Top 10 Proactive Controls 2018 [{{SERVER}}/images/7/79/OWASP_Top_10_Proactive_Controls_V3.docx DOCX download].
 +
 
 +
Wiki version- is currently work in progress .
 +
 
 +
= News =
 +
* [ July 2019] Featured in Coursera course from UCDavies [https://www.coursera.org/directory/videos?courseId=V1k0pBtIEemZRAqH7m9oGA Identifying Security Vulnerabilities]
 +
* [23 June 2019] Featured on HackerCombat: [https://hackercombat.com/implement-owasp-proactive-controls-to-work/ Implement OWASP Proactive Controls to Work]
 +
* [7 June 2019] Feature on OWASP DevSlop Show [https://www.youtube.com/watch?v=Jdb3qweDc_Q  Proactive Controls]
 +
* [15 May 2019] Featured in TechBeacon: [https://techbeacon.com/security/put-owasp-top-10-proactive-controls-work Put OWASP Top 10 Proactive Controls to work]
 +
* [2 Mar 2019] Webinar: [https://www.youtube.com/watch?v=ldXe8f5yVq8 The OWASP Top Ten Proactive Controls with Jim Manico]
 +
* [Dec 2018] Featured as the resource for Security “Shifting to the Left”!  in the  ISC2 course:  "DevSecOps: Integrating Security into DevOps”
 +
* [20 Sep 2018 Featured in TechBeacon: [https://techbeacon.com/owasp-top-10-proactive-controls-2018-how-it-makes-your-code-more-secure OWASP Top 10 Proactive Controls 2018: How it makes your code more secure]
 +
* [17 Sep 2018] Binary Blogger Podcast Episodes: [https://binaryblogger.com/2018/09/17/owasp-top-10-proactive-controls-podcast-episodes/ OWASP Top 10 Proactive Controls Podcast Episodes]
 +
* [9 May 2018]  Featured in [https://techbeacon.com/developer-secure-code-starter-kit-resources Developer's security guide: 50 online resources to shift left]
 +
* [7 May 2018] 3.0 released!
 +
* [11 Aug 2017] Presented at  [https://northeastphp2017.sched.com/event/B6uo/owasp-top-10-proactive-controls-2016 Northeast PHP Conference]
 +
* [25 July 2017] Podcast about at [https://www.appsecpodcast.org/2017/07/25/the-owasp-top-10-proactive-controls/ OWASP Top 10 Proactive Controls]
 +
* [12 May 2017] Presented at [https://appseceurope2017.sched.com/event/A652/the-path-of-secure-software AppSec EU'17 - Belfast]
 +
* [14 Feb 2017] Featured in [http://wwpi.com/2017/02/14/managing-cloud-infrastructure-to-prevent-security-gaps/ Managing Cloud Infrastructure to Prevent Security Gaps]
 +
* [Feb 2017 ] Featured in "[http://assets.unisys.com/Documents/Global/POVPapers/POV_170062_ApplicationSecurityProgramProtectAgainstDataBreaches.pdf Application Security Program: Protect Against Data Breaches]"
 +
* [ 1 Oct 2016] Presented at [http://conference.phpnw.org.uk/phpnw16/speakers/katy-anton/ PHPNW16]
 +
* [5 July 2016] Featured in [https://www.thoughtworks.com/insights/blog/incorporating-security-best-practices-agile-teams Incorporating Security Best Practices into Agile Teams]
 +
* [June 2016 ] Featured in [http://www.booz-allen.co.in/content/dam/boozallen/documents/Viewpoints/2016/06/transformative-approach-to-secure-systems-delivery.pdf A Transformative Approach to Secure Systems Delivery]
 +
* [2 June 2016] Featured in [http://www.oreilly.com/webops-perf/free/devopssec.csp DevOpsSec - Securing Software through Continuous Delivery]
 +
* [30 Apr 2016] Added Hebrew Translation for 2016 version
 +
* [28 Apr 2016] Added Chinese Translations for 2016 version
 +
* [12 Apr 2016] Added Hebrew translation for 2016 version
 +
* [29 Feb 2016] Added [https://www.owasp.org/images/a/a8/OWASPTop10ProactiveControls2016-Japanese.pdf Japanese Translation]
 +
* [14 Jan 2016] 2.0 released!
 +
* [5 Dec 2015] Began final edit process for 2.0
 +
* [29 Mar 2015] Added Hebrew Translation
 +
* [27 Jan 2015] Added Top Ten Mapping
 +
* [31 Oct 2014] Project presentation uploaded
 +
* [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review]
 +
* [04 Feb 2014] New Wiki Template!
 +
 
 +
= Users =
 +
 
 +
* Michael Leung - Management consultant with Canadian Cybersecurity Inc.
 +
: ''"Giving developers guidance that was practical was challenging. The OWASP Top 10 Proactive Controls helped a lot."''
 +
 
 +
 
 +
'''Disclaimer'''
 +
 
 +
Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP.
 +
 
 +
'''How to get listed'''
 +
 
 +
Please let us know how your organization is using OWASP Top 10 Proactive Controls. Include your name, organization's name, and brief description of how you use the project. The project lead can be reached  [mailto:[email protected] here].
 +
 
 +
= Formal Numbering =
 +
 
 +
== 2018 Numbering ==
 +
* OWASP-2018-C1: Define Security Requirements
 +
* OWASP-2018-C2: Leverage Security Frameworks and Libraries
 +
* OWASP-2018-C3: Secure Database Access
 +
* OWASP-2018-C4: Encode and Escape Data
 +
* OWASP-2018-C5: Validate All Inputs
 +
* OWASP-2018-C6: Implement Digital Identity
 +
* OWASP-2018-C7: Enforce Access Controls
 +
* OWASP-2018-C8: Protect Data Everywhere
 +
* OWASP-2018-C9: Implement Security Logging and Monitoring
 +
* OWASP-2018-C10: Handle All Errors and Exceptions
 +
 
 +
== 2016 Numbering ==
 +
* OWASP-2016-C1: Verify for Security Early and Often
 +
* OWASP-2016-C2: Parameterize Queries
 +
* OWASP-2016-C3: Encode Data
 +
* OWASP-2016-C4: Validate All Inputs
 +
* OWASP-2016-C5: Implement Identity and Authentication Controls
 +
* OWASP-2016-C6: Implement Appropriate Access Controls
 +
* OWASP-2016-C7: Protect Data
 +
* OWASP-2016-C8: Implement Logging and Intrusion Detection
 +
* OWASP-2016-C9: Leverage Security Frameworks and Libraries
 +
* OWASP-2016-C10: Error and Exception Handling
 +
 
 +
== 2014 Numbering ==
 +
* OWASP-2014-C1: Parameterize Queries
 +
* OWASP-2014-C2: Encode Data
 +
* OWASP-2014-C3: Validate All Inputs
 +
* OWASP-2014-C4: Implement Appropriate Access Controls
 +
* OWASP-2014-C5: Establish Identity and Authentication Controls
 +
* OWASP-2014-C6: Protect Data and Privacy
 +
* OWASP-2014-C7: Implement Logging, Error Handling and Intrusion Detection
 +
* OWASP-2014-C8: Leverage Security Features of Frameworks and Security Libraries
 +
* OWASP-2014-C9: Include Security-Specific Requirements
 +
* OWASP-2014-C10: Design and Architect Security In
 +
 
 +
= Translations =
 +
 
 +
 
 +
== 2018 Version ==
 +
* Top 10 Proactive Controls 2018 Russian Translation: [[Media:Owasp-top-10-proactive-controls-2018-russian.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2018 Polish Translation:  [[Media:OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf|PDF Download]] 
 +
 
 +
== 2016 Version ==
 +
* Top 10 Proactive Controls 2016 Traditional Chinese Translation [[Media:OWASPTop10ProactiveControls2016-Chinese.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2016 Simplified Chinese Translation [[Media:OWASPTop10ProactiveControls2016-SimplifiedChinese.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2016 Japanese Translation [[Media:OWASPTop10ProactiveControls2016-Japanese.pdf|PDF Download]]
 +
* Top 10 Proactive Controls 2016 Hebrew Translation [[Media:OWASP_Proactive_Controls_2-Hebrew.pdf|PDF Download]]
 +
 
 +
== 2014 Version ==
 +
* Hebrew and French translations of the Top 10 Proactive Controls 2014 can be found on the 2014 archive tab.
 +
 
 +
= Roadmap =
 +
 
 +
Welcome to the OWASP Top 10 Proactive Controls Project!
 +
 
 +
== 2018 Roadmap ==
 +
 
 +
* Create new PowerPoint and other artifacts for 2018 version (done)
 +
* Create wiki for  2018 version (work in progress)
  
: We are currently seeking volunteers who will help developing stub/empty articles listed bellow and bring it up to a production level of quality. Join us now to take part in this historic effort, just drop a line to  [mailto:[email protected] Jim Manico] and [mailto:[email protected] Andrew van der Stock]!
+
== 2016 Roadmap ==
  
== What's In It? ==
+
* Create new PowerPoint and other artifacts for 2016 version (done)
 +
* Proactive Control Mapping to Cheatsheet (done)
  
=== Original list from Andrew ===
+
== Status ==
  
# Security Architecture (including incorporating agile ideas)
+
* February 21, 2014 Moved 2014 info to archive tab
# Use a (more) secure development frameworks and leverage enterprise frameworks (UAG, etc)
+
* January 15, 2016: 2016 Proactive Controls Released!
# Input validation
+
* August 6, 2015: Kickoff for 2.0 effort, in progress
# Output Encoding
+
* March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br />
# Identity: Authentication and Session Management
+
* February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.
# Access Control (service / controller, data, URL, function / CSRF, presentation, etc)
 
# Data Protection (Data at rest, including in cloud)
 
# Audit, Logging and Error Handling
 
# Secure Configuration
 
# Secure Communications (Data in transit)
 
  
=== Suggested changes by Jim ===
 
  
# Identity: Authentication and Session Management (same as you)
 
# Access Control: (service / controller, data, URL, function / CSRF, presentation, etc) (same as you)
 
# Query Parametrization: (this is not encoding or validation, but is essentially a per-compiled query plan into tabular data)
 
# Input validation (same)
 
# Output Encoding (same)
 
# Data Protection: (Data at rest, including in cloud, data in transport)
 
# Leverage secure development frameworks and libraries (Shiro, ESAPI, etc)
 
# Secure Requirements
 
# Secure Design and Architecture
 
# Audit, Logging, Error handling and Intrusion Detection
 
  
__NOTOC__  
+
__NOTOC__ <headertabs></headertabs>
<headertabs />
 
  
[[Category:OWASP Project]]
+
[[Category:OWASP Project|OWASP Proactive Controls]]
 +
[[Category:OWASP_Builders]]
 +
[[Category:OWASP_Defenders]]
 +
[[Category:OWASP_Document]]

Latest revision as of 07:32, 30 November 2019

Proactive-header.jpg

OWASP Top 10 Proactive Controls 2018

Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game.

The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development.

  1. Define Security Requirements
  2. Leverage Security Frameworks and Libraries
  3. Secure Database Access
  4. Encode and Escape Data
  5. Validate All Inputs
  6. Implement Digital Identity
  7. Enforce Access Controls
  8. Protect Data Everywhere
  9. Implement Security Logging and Monitoring
  10. Handle All Errors and Exceptions


For more information, see the complete document in the tab to the right.

Licensing

The OWASP Proactive Controls document is free to use under the Creative Commons ShareAlike 3 License.

What is This?

The OWASP Top Ten Proactive Controls describes the most important control and control categories that every architect and developer should absolutely, 100% include in every project.

Presentation

Use the extensive project presentation that expands on the information in the document.

Project Leaders

Key Contributors

  • Taras Ivashchenko @ (Russian Translation)
  • Jay Zudilin (Russian Translation)
  • Danny Harris @
  • Hiroaki Kuramochi (Japanese Translation)
  • Hiroshi Fujimoto (Japanese Translation)
  • Hidenori Nagai (Japanese Translation)
  • Riotaro OKADA @ (Japanese Translation)
  • Robert Dracea (Japanese Translation)
  • Koichiro Watanabe (Japanese Translation)
  • Tony Hsu Hsiang Chih (Chinese Translation)
  • Abdessamad Temmar
  • Eyal Estrin @ (Hebrew Translation)
  • Cyrille Grandval @ (French Translation)
  • Frédéric Baillon @ (French Translation)
  • Danny Harris @
  • Stephen de Vries
  • Andrew Van Der Stock
  • Gaz Heyes
  • Colin Watson
  • Jason Coleman
  • Cassio Goldschmidt

Related Projects

Quick Access

  • Top 10 Proactive Controls 2018 PDF: EN | PL | Ru

Translations

  • Top 10 Proactive Controls 2018 Chinese PDF Download
  • Top 10 Proactive Controls 2018 Russian PDF Download
  • Top 10 Proactive Controls 2018 Polish PDF Download
  • Top 10 Proactive Controls 2016 Traditional Chinese Translation PDF Download
  • Top 10 Proactive Controls 2016 Simplified Chinese Translation PDF Download
  • Top 10 Proactive Controls 2016 Japanese Translation PDF Download
  • Top 10 Proactive Controls 2016 Hebrew Translation PDF Download

Latest News and Events

Please see the News tab for more.

Archive

Mailing List

Keep up-to-date, participate or ask questions via the Project Email List.

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

OWASP Proactive Controls 2018 is currently available in the following formats.

Wiki version- is currently work in progress .

  • Michael Leung - Management consultant with Canadian Cybersecurity Inc.
"Giving developers guidance that was practical was challenging. The OWASP Top 10 Proactive Controls helped a lot."


Disclaimer

Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP.

How to get listed

Please let us know how your organization is using OWASP Top 10 Proactive Controls. Include your name, organization's name, and brief description of how you use the project. The project lead can be reached here.

2018 Numbering

  • OWASP-2018-C1: Define Security Requirements
  • OWASP-2018-C2: Leverage Security Frameworks and Libraries
  • OWASP-2018-C3: Secure Database Access
  • OWASP-2018-C4: Encode and Escape Data
  • OWASP-2018-C5: Validate All Inputs
  • OWASP-2018-C6: Implement Digital Identity
  • OWASP-2018-C7: Enforce Access Controls
  • OWASP-2018-C8: Protect Data Everywhere
  • OWASP-2018-C9: Implement Security Logging and Monitoring
  • OWASP-2018-C10: Handle All Errors and Exceptions

2016 Numbering

  • OWASP-2016-C1: Verify for Security Early and Often
  • OWASP-2016-C2: Parameterize Queries
  • OWASP-2016-C3: Encode Data
  • OWASP-2016-C4: Validate All Inputs
  • OWASP-2016-C5: Implement Identity and Authentication Controls
  • OWASP-2016-C6: Implement Appropriate Access Controls
  • OWASP-2016-C7: Protect Data
  • OWASP-2016-C8: Implement Logging and Intrusion Detection
  • OWASP-2016-C9: Leverage Security Frameworks and Libraries
  • OWASP-2016-C10: Error and Exception Handling

2014 Numbering

  • OWASP-2014-C1: Parameterize Queries
  • OWASP-2014-C2: Encode Data
  • OWASP-2014-C3: Validate All Inputs
  • OWASP-2014-C4: Implement Appropriate Access Controls
  • OWASP-2014-C5: Establish Identity and Authentication Controls
  • OWASP-2014-C6: Protect Data and Privacy
  • OWASP-2014-C7: Implement Logging, Error Handling and Intrusion Detection
  • OWASP-2014-C8: Leverage Security Features of Frameworks and Security Libraries
  • OWASP-2014-C9: Include Security-Specific Requirements
  • OWASP-2014-C10: Design and Architect Security In

2018 Version

  • Top 10 Proactive Controls 2018 Russian Translation: PDF Download
  • Top 10 Proactive Controls 2018 Polish Translation: PDF Download

2016 Version

  • Top 10 Proactive Controls 2016 Traditional Chinese Translation PDF Download
  • Top 10 Proactive Controls 2016 Simplified Chinese Translation PDF Download
  • Top 10 Proactive Controls 2016 Japanese Translation PDF Download
  • Top 10 Proactive Controls 2016 Hebrew Translation PDF Download

2014 Version

  • Hebrew and French translations of the Top 10 Proactive Controls 2014 can be found on the 2014 archive tab.

Welcome to the OWASP Top 10 Proactive Controls Project!

2018 Roadmap

  • Create new PowerPoint and other artifacts for 2018 version (done)
  • Create wiki for 2018 version (work in progress)

2016 Roadmap

  • Create new PowerPoint and other artifacts for 2016 version (done)
  • Proactive Control Mapping to Cheatsheet (done)

Status

  • February 21, 2014 Moved 2014 info to archive tab
  • January 15, 2016: 2016 Proactive Controls Released!
  • August 6, 2015: Kickoff for 2.0 effort, in progress
  • March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.
  • February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.


Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Proactive_Controls&oldid=256202"