This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Proactive Controls"
m |
m (→Translations) |
||
(362 intermediate revisions by 12 users not shown) | |||
Line 3: | Line 3: | ||
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | ||
− | | valign="top" | + | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | |
− | == OWASP Proactive Controls == | + | == OWASP Top 10 Proactive Controls 2018 == |
− | Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be inherent | + | Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game. |
− | The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development. | + | The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development. |
− | + | # Define Security Requirements | |
− | + | # Leverage Security Frameworks and Libraries | |
− | + | # Secure Database Access | |
− | + | # Encode and Escape Data | |
− | + | # Validate All Inputs | |
− | + | # Implement Digital Identity | |
− | + | # Enforce Access Controls | |
− | + | # Protect Data Everywhere | |
− | + | # Implement Security Logging and Monitoring | |
− | + | # Handle All Errors and Exceptions | |
− | For more information, see the | + | |
+ | For more information, see the complete document in the tab to the right. | ||
==Licensing== | ==Licensing== | ||
+ | <span id="8:_Implement_Logging_and_Intrusion_Detection"></span> | ||
The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License]. | The OWASP Proactive Controls document is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License]. | ||
− | | valign="top" | + | | valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" | |
== What is This? == | == What is This? == | ||
− | The OWASP Top Ten Proactive Controls describes the | + | The OWASP Top Ten Proactive Controls describes the most important control and control categories that every architect and developer should absolutely, 100% include in every project. |
+ | |||
+ | == Presentation == | ||
+ | |||
+ | Use the extensive [[media:OWASP_Top_Ten_Proactive_Controls_v3.pptx|project presentation]] that expands on the information in the document. | ||
== Project Leaders == | == Project Leaders == | ||
Line 38: | Line 44: | ||
* [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:[email protected] @] | * [https://www.owasp.org/index.php/User:Jmanico Jim Manico] [mailto:[email protected] @] | ||
* [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:[email protected] @] | * [https://www.owasp.org/index.php/User:Jim_Bird Jim Bird] [mailto:[email protected] @] | ||
+ | * [https://www.owasp.org/index.php/User:Katyanton Katy Anton] [mailto:[email protected] @] | ||
== Key Contributors == | == Key Contributors == | ||
− | + | * [[User:Taras Ivashchenko|Taras Ivashchenko]] [mailto:[email protected] @] (Russian Translation) | |
+ | * Jay Zudilin (Russian Translation) | ||
+ | * Danny Harris [mailto:[email protected] @] | ||
+ | * Hiroaki Kuramochi (Japanese Translation) | ||
+ | * Hiroshi Fujimoto (Japanese Translation) | ||
+ | * Hidenori Nagai (Japanese Translation) | ||
+ | * [https://www.owasp.org/index.php/User:Riotaro_OKADA Riotaro OKADA] [mailto:[email protected] @] (Japanese Translation) | ||
+ | * Robert Dracea (Japanese Translation) | ||
+ | * Koichiro Watanabe (Japanese Translation) | ||
+ | * Tony Hsu Hsiang Chih (Chinese Translation) | ||
+ | * Abdessamad Temmar | ||
+ | * [https://www.linkedin.com/in/eyalestrin Eyal Estrin] [mailto:[email protected] @] (Hebrew Translation) | ||
+ | * [https://www.owasp.org/index.php/User:Cyrille_Grandval Cyrille Grandval] [mailto:[email protected] @] (French Translation) | ||
+ | * Frédéric Baillon [mailto:[email protected] @] (French Translation) | ||
* Danny Harris [mailto:[email protected] @] | * Danny Harris [mailto:[email protected] @] | ||
* Stephen de Vries | * Stephen de Vries | ||
Line 46: | Line 66: | ||
* Gaz Heyes | * Gaz Heyes | ||
* Colin Watson | * Colin Watson | ||
+ | * Jason Coleman | ||
+ | * Cassio Goldschmidt | ||
== Related Projects == | == Related Projects == | ||
Line 53: | Line 75: | ||
* [[Cheat Sheets]] | * [[Cheat Sheets]] | ||
− | | valign="top" | + | | valign="top" style="padding-left:25px;width:200px;" | |
== Quick Access == | == Quick Access == | ||
− | * Top | + | * Top 10 Proactive Controls 2018 PDF: [[Media:OWASP_Top_10_Proactive_Controls_V3.pdf|EN]] | [[Media:OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf|PL]] | [[Media:Owasp-top-10-proactive-controls-2018-russian.pdf|Ru]] |
− | == News and Events == | + | * Top 10 Proactive Controls 2018 [[Media:OWASP_Top_Ten_Proactive_Controls_v3.pptx|PPT Download]] |
− | * [ | + | * Top 10 Proactive Controls 2018 [[Media:OWASP_Top_10_Proactive_Controls_V3.docx|DOCX Download]] |
− | * [ | + | * Mapping to other OWASP and IEEE Top 10 Lists [[Media:Owasp-pc-ieee-ott-omtt-ssdf.pdf|PDF Download]] |
+ | |||
+ | == Translations == | ||
+ | |||
+ | * Top 10 Proactive Controls 2018 Chinese [[Media:OWASP_Top_10_Proactive_Controls_V3_Chinese.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2018 Russian [[Media:Owasp-top-10-proactive-controls-2018-russian.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2018 Polish [[Media:OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2016 Traditional Chinese Translation [[Media:OWASPTop10ProactiveControls2016-Chinese.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2016 Simplified Chinese Translation [[Media:OWASPTop10ProactiveControls2016-SimplifiedChinese.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2016 Japanese Translation [[Media:OWASPTop10ProactiveControls2016-Japanese.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2016 Hebrew Translation [[Media:OWASP_Proactive_Controls_2-Hebrew.pdf|PDF Download]] | ||
+ | |||
+ | == Latest News and Events == | ||
+ | * [Aug 2018] 3.0 Polish Translation Released! | ||
+ | * [May 2018] 3.0 Released! | ||
+ | * [June 2016] Featured in [http://www.booz-allen.co.in/content/dam/boozallen/documents/Viewpoints/2016/06/transformative-approach-to-secure-systems-delivery.pdf A Transformative Approach to Secure Systems Delivery] | ||
+ | * [June 2016] Featured in [http://www.oreilly.com/webops-perf/free/devopssec.csp DevOpsSec] | ||
+ | |||
+ | Please see the [{{SERVER}}/index.php/OWASP_Proactive_Controls?refresh=123#tab=News News] tab for more. | ||
+ | |||
+ | == Archive == | ||
+ | * [{{SERVER}}/index.php/OWASP_Proactive_Controls_2014 Proactive Controls 2014] | ||
+ | * [{{SERVER}}/index.php/OWASP_Proactive_Controls_2016 Proactive Controls 2016] | ||
== Mailing List == | == Mailing List == | ||
− | Keep up-to-date via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List]. | + | Keep up-to-date, participate or ask questions via the [https://lists.owasp.org/mailman/listinfo/owasp_proactive_controls Project Email List]. |
==Classifications== | ==Classifications== | ||
Line 71: | Line 115: | ||
{| width="200" cellpadding="2" | {| width="200" cellpadding="2" | ||
|- | |- | ||
− | | align="center" valign="top" width="50% | + | | rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]] |
− | | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]] | + | | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] |
|- | |- | ||
− | | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]] | + | | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]] |
|- | |- | ||
− | | colspan="2" align="center" | + | | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] |
|- | |- | ||
− | | colspan="2" align="center" | + | | colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] |
|} | |} | ||
|} | |} | ||
− | = OWASP | + | = OWASP Proactive Controls 2018 = |
− | + | OWASP Proactive Controls 2018 is currently available in the following formats. | |
+ | * Top 10 Proactive Controls 2018 [{{SERVER}}/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf PDF version] | ||
+ | * Top 10 Proactive Controls 2018 [{{SERVER}}/images/1/13/OWASP_Top_Ten_Proactive_Controls_v3.pptx PPT download]. | ||
+ | * Top 10 Proactive Controls 2018 [{{SERVER}}/images/7/79/OWASP_Top_10_Proactive_Controls_V3.docx DOCX download]. | ||
− | + | Wiki version- is currently work in progress . | |
− | + | = News = | |
− | + | * [ July 2019] Featured in Coursera course from UCDavies [https://www.coursera.org/directory/videos?courseId=V1k0pBtIEemZRAqH7m9oGA Identifying Security Vulnerabilities] | |
− | + | * [23 June 2019] Featured on HackerCombat: [https://hackercombat.com/implement-owasp-proactive-controls-to-work/ Implement OWASP Proactive Controls to Work] | |
+ | * [7 June 2019] Feature on OWASP DevSlop Show [https://www.youtube.com/watch?v=Jdb3qweDc_Q Proactive Controls] | ||
+ | * [15 May 2019] Featured in TechBeacon: [https://techbeacon.com/security/put-owasp-top-10-proactive-controls-work Put OWASP Top 10 Proactive Controls to work] | ||
+ | * [2 Mar 2019] Webinar: [https://www.youtube.com/watch?v=ldXe8f5yVq8 The OWASP Top Ten Proactive Controls with Jim Manico] | ||
+ | * [Dec 2018] Featured as the resource for Security “Shifting to the Left”! in the ISC2 course: "DevSecOps: Integrating Security into DevOps” | ||
+ | * [20 Sep 2018 Featured in TechBeacon: [https://techbeacon.com/owasp-top-10-proactive-controls-2018-how-it-makes-your-code-more-secure OWASP Top 10 Proactive Controls 2018: How it makes your code more secure] | ||
+ | * [17 Sep 2018] Binary Blogger Podcast Episodes: [https://binaryblogger.com/2018/09/17/owasp-top-10-proactive-controls-podcast-episodes/ OWASP Top 10 Proactive Controls Podcast Episodes] | ||
+ | * [9 May 2018] Featured in [https://techbeacon.com/developer-secure-code-starter-kit-resources Developer's security guide: 50 online resources to shift left] | ||
+ | * [7 May 2018] 3.0 released! | ||
+ | * [11 Aug 2017] Presented at [https://northeastphp2017.sched.com/event/B6uo/owasp-top-10-proactive-controls-2016 Northeast PHP Conference] | ||
+ | * [25 July 2017] Podcast about at [https://www.appsecpodcast.org/2017/07/25/the-owasp-top-10-proactive-controls/ OWASP Top 10 Proactive Controls] | ||
+ | * [12 May 2017] Presented at [https://appseceurope2017.sched.com/event/A652/the-path-of-secure-software AppSec EU'17 - Belfast] | ||
+ | * [14 Feb 2017] Featured in [http://wwpi.com/2017/02/14/managing-cloud-infrastructure-to-prevent-security-gaps/ Managing Cloud Infrastructure to Prevent Security Gaps] | ||
+ | * [Feb 2017 ] Featured in "[http://assets.unisys.com/Documents/Global/POVPapers/POV_170062_ApplicationSecurityProgramProtectAgainstDataBreaches.pdf Application Security Program: Protect Against Data Breaches]" | ||
+ | * [ 1 Oct 2016] Presented at [http://conference.phpnw.org.uk/phpnw16/speakers/katy-anton/ PHPNW16] | ||
+ | * [5 July 2016] Featured in [https://www.thoughtworks.com/insights/blog/incorporating-security-best-practices-agile-teams Incorporating Security Best Practices into Agile Teams] | ||
+ | * [June 2016 ] Featured in [http://www.booz-allen.co.in/content/dam/boozallen/documents/Viewpoints/2016/06/transformative-approach-to-secure-systems-delivery.pdf A Transformative Approach to Secure Systems Delivery] | ||
+ | * [2 June 2016] Featured in [http://www.oreilly.com/webops-perf/free/devopssec.csp DevOpsSec - Securing Software through Continuous Delivery] | ||
+ | * [30 Apr 2016] Added Hebrew Translation for 2016 version | ||
+ | * [28 Apr 2016] Added Chinese Translations for 2016 version | ||
+ | * [12 Apr 2016] Added Hebrew translation for 2016 version | ||
+ | * [29 Feb 2016] Added [https://www.owasp.org/images/a/a8/OWASPTop10ProactiveControls2016-Japanese.pdf Japanese Translation] | ||
+ | * [14 Jan 2016] 2.0 released! | ||
+ | * [5 Dec 2015] Began final edit process for 2.0 | ||
+ | * [29 Mar 2015] Added Hebrew Translation | ||
+ | * [27 Jan 2015] Added Top Ten Mapping | ||
+ | * [31 Oct 2014] Project presentation uploaded | ||
+ | * [10 Mar 2014] [http://lists.owasp.org/pipermail/owasp-leaders/2014-March/011047.html Request for review] | ||
+ | * [04 Feb 2014] New Wiki Template! | ||
− | + | = Users = | |
+ | * Michael Leung - Management consultant with Canadian Cybersecurity Inc. | ||
+ | : ''"Giving developers guidance that was practical was challenging. The OWASP Top 10 Proactive Controls helped a lot."'' | ||
− | |||
− | + | '''Disclaimer''' | |
− | + | Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP. | |
− | + | '''How to get listed''' | |
− | + | Please let us know how your organization is using OWASP Top 10 Proactive Controls. Include your name, organization's name, and brief description of how you use the project. The project lead can be reached [mailto:[email protected] here]. | |
− | + | = Formal Numbering = | |
− | |||
− | |||
− | |||
− | |||
− | + | == 2018 Numbering == | |
+ | * OWASP-2018-C1: Define Security Requirements | ||
+ | * OWASP-2018-C2: Leverage Security Frameworks and Libraries | ||
+ | * OWASP-2018-C3: Secure Database Access | ||
+ | * OWASP-2018-C4: Encode and Escape Data | ||
+ | * OWASP-2018-C5: Validate All Inputs | ||
+ | * OWASP-2018-C6: Implement Digital Identity | ||
+ | * OWASP-2018-C7: Enforce Access Controls | ||
+ | * OWASP-2018-C8: Protect Data Everywhere | ||
+ | * OWASP-2018-C9: Implement Security Logging and Monitoring | ||
+ | * OWASP-2018-C10: Handle All Errors and Exceptions | ||
− | + | == 2016 Numbering == | |
− | + | * OWASP-2016-C1: Verify for Security Early and Often | |
− | + | * OWASP-2016-C2: Parameterize Queries | |
− | + | * OWASP-2016-C3: Encode Data | |
− | + | * OWASP-2016-C4: Validate All Inputs | |
+ | * OWASP-2016-C5: Implement Identity and Authentication Controls | ||
+ | * OWASP-2016-C6: Implement Appropriate Access Controls | ||
+ | * OWASP-2016-C7: Protect Data | ||
+ | * OWASP-2016-C8: Implement Logging and Intrusion Detection | ||
+ | * OWASP-2016-C9: Leverage Security Frameworks and Libraries | ||
+ | * OWASP-2016-C10: Error and Exception Handling | ||
− | + | == 2014 Numbering == | |
− | * | + | * OWASP-2014-C1: Parameterize Queries |
− | * | + | * OWASP-2014-C2: Encode Data |
+ | * OWASP-2014-C3: Validate All Inputs | ||
+ | * OWASP-2014-C4: Implement Appropriate Access Controls | ||
+ | * OWASP-2014-C5: Establish Identity and Authentication Controls | ||
+ | * OWASP-2014-C6: Protect Data and Privacy | ||
+ | * OWASP-2014-C7: Implement Logging, Error Handling and Intrusion Detection | ||
+ | * OWASP-2014-C8: Leverage Security Features of Frameworks and Security Libraries | ||
+ | * OWASP-2014-C9: Include Security-Specific Requirements | ||
+ | * OWASP-2014-C10: Design and Architect Security In | ||
+ | = Translations = | ||
− | |||
− | + | == 2018 Version == | |
+ | * Top 10 Proactive Controls 2018 Russian Translation: [[Media:Owasp-top-10-proactive-controls-2018-russian.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2018 Polish Translation: [[Media:OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf|PDF Download]] | ||
− | + | == 2016 Version == | |
+ | * Top 10 Proactive Controls 2016 Traditional Chinese Translation [[Media:OWASPTop10ProactiveControls2016-Chinese.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2016 Simplified Chinese Translation [[Media:OWASPTop10ProactiveControls2016-SimplifiedChinese.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2016 Japanese Translation [[Media:OWASPTop10ProactiveControls2016-Japanese.pdf|PDF Download]] | ||
+ | * Top 10 Proactive Controls 2016 Hebrew Translation [[Media:OWASP_Proactive_Controls_2-Hebrew.pdf|PDF Download]] | ||
− | + | == 2014 Version == | |
+ | * Hebrew and French translations of the Top 10 Proactive Controls 2014 can be found on the 2014 archive tab. | ||
− | + | = Roadmap = | |
− | + | Welcome to the OWASP Top 10 Proactive Controls Project! | |
− | + | == 2018 Roadmap == | |
− | + | * Create new PowerPoint and other artifacts for 2018 version (done) | |
− | + | * Create wiki for 2018 version (work in progress) | |
− | |||
− | |||
− | + | == 2016 Roadmap == | |
− | + | * Create new PowerPoint and other artifacts for 2016 version (done) | |
+ | * Proactive Control Mapping to Cheatsheet (done) | ||
− | + | == Status == | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | * February 21, 2014 Moved 2014 info to archive tab | |
+ | * January 15, 2016: 2016 Proactive Controls Released! | ||
+ | * August 6, 2015: Kickoff for 2.0 effort, in progress | ||
+ | * March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.<br /> | ||
+ | * February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | __NOTOC__ <headertabs /> | + | __NOTOC__ <headertabs></headertabs> |
− | [[Category: | + | [[Category:OWASP Project|OWASP Proactive Controls]] |
+ | [[Category:OWASP_Builders]] | ||
+ | [[Category:OWASP_Defenders]] | ||
+ | [[Category:OWASP_Document]] |
Latest revision as of 07:32, 30 November 2019
OWASP Top 10 Proactive Controls 2018Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game. The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development.
LicensingThe OWASP Proactive Controls document is free to use under the Creative Commons ShareAlike 3 License. |
What is This?The OWASP Top Ten Proactive Controls describes the most important control and control categories that every architect and developer should absolutely, 100% include in every project. PresentationUse the extensive project presentation that expands on the information in the document. Project LeadersKey Contributors
Related Projects |
Quick Access
Translations
Latest News and Events
Please see the News tab for more. ArchiveMailing ListKeep up-to-date, participate or ask questions via the Project Email List. Classifications |
OWASP Proactive Controls 2018 is currently available in the following formats.
- Top 10 Proactive Controls 2018 PDF version
- Top 10 Proactive Controls 2018 PPT download.
- Top 10 Proactive Controls 2018 DOCX download.
Wiki version- is currently work in progress .
- [ July 2019] Featured in Coursera course from UCDavies Identifying Security Vulnerabilities
- [23 June 2019] Featured on HackerCombat: Implement OWASP Proactive Controls to Work
- [7 June 2019] Feature on OWASP DevSlop Show Proactive Controls
- [15 May 2019] Featured in TechBeacon: Put OWASP Top 10 Proactive Controls to work
- [2 Mar 2019] Webinar: The OWASP Top Ten Proactive Controls with Jim Manico
- [Dec 2018] Featured as the resource for Security “Shifting to the Left”! in the ISC2 course: "DevSecOps: Integrating Security into DevOps”
- [20 Sep 2018 Featured in TechBeacon: OWASP Top 10 Proactive Controls 2018: How it makes your code more secure
- [17 Sep 2018] Binary Blogger Podcast Episodes: OWASP Top 10 Proactive Controls Podcast Episodes
- [9 May 2018] Featured in Developer's security guide: 50 online resources to shift left
- [7 May 2018] 3.0 released!
- [11 Aug 2017] Presented at Northeast PHP Conference
- [25 July 2017] Podcast about at OWASP Top 10 Proactive Controls
- [12 May 2017] Presented at AppSec EU'17 - Belfast
- [14 Feb 2017] Featured in Managing Cloud Infrastructure to Prevent Security Gaps
- [Feb 2017 ] Featured in "Application Security Program: Protect Against Data Breaches"
- [ 1 Oct 2016] Presented at PHPNW16
- [5 July 2016] Featured in Incorporating Security Best Practices into Agile Teams
- [June 2016 ] Featured in A Transformative Approach to Secure Systems Delivery
- [2 June 2016] Featured in DevOpsSec - Securing Software through Continuous Delivery
- [30 Apr 2016] Added Hebrew Translation for 2016 version
- [28 Apr 2016] Added Chinese Translations for 2016 version
- [12 Apr 2016] Added Hebrew translation for 2016 version
- [29 Feb 2016] Added Japanese Translation
- [14 Jan 2016] 2.0 released!
- [5 Dec 2015] Began final edit process for 2.0
- [29 Mar 2015] Added Hebrew Translation
- [27 Jan 2015] Added Top Ten Mapping
- [31 Oct 2014] Project presentation uploaded
- [10 Mar 2014] Request for review
- [04 Feb 2014] New Wiki Template!
- Michael Leung - Management consultant with Canadian Cybersecurity Inc.
- "Giving developers guidance that was practical was challenging. The OWASP Top 10 Proactive Controls helped a lot."
Disclaimer
Organizations listed are not accredited by OWASP. Neither their products or services have been endorsed by OWASP.
How to get listed
Please let us know how your organization is using OWASP Top 10 Proactive Controls. Include your name, organization's name, and brief description of how you use the project. The project lead can be reached here.
2018 Numbering
- OWASP-2018-C1: Define Security Requirements
- OWASP-2018-C2: Leverage Security Frameworks and Libraries
- OWASP-2018-C3: Secure Database Access
- OWASP-2018-C4: Encode and Escape Data
- OWASP-2018-C5: Validate All Inputs
- OWASP-2018-C6: Implement Digital Identity
- OWASP-2018-C7: Enforce Access Controls
- OWASP-2018-C8: Protect Data Everywhere
- OWASP-2018-C9: Implement Security Logging and Monitoring
- OWASP-2018-C10: Handle All Errors and Exceptions
2016 Numbering
- OWASP-2016-C1: Verify for Security Early and Often
- OWASP-2016-C2: Parameterize Queries
- OWASP-2016-C3: Encode Data
- OWASP-2016-C4: Validate All Inputs
- OWASP-2016-C5: Implement Identity and Authentication Controls
- OWASP-2016-C6: Implement Appropriate Access Controls
- OWASP-2016-C7: Protect Data
- OWASP-2016-C8: Implement Logging and Intrusion Detection
- OWASP-2016-C9: Leverage Security Frameworks and Libraries
- OWASP-2016-C10: Error and Exception Handling
2014 Numbering
- OWASP-2014-C1: Parameterize Queries
- OWASP-2014-C2: Encode Data
- OWASP-2014-C3: Validate All Inputs
- OWASP-2014-C4: Implement Appropriate Access Controls
- OWASP-2014-C5: Establish Identity and Authentication Controls
- OWASP-2014-C6: Protect Data and Privacy
- OWASP-2014-C7: Implement Logging, Error Handling and Intrusion Detection
- OWASP-2014-C8: Leverage Security Features of Frameworks and Security Libraries
- OWASP-2014-C9: Include Security-Specific Requirements
- OWASP-2014-C10: Design and Architect Security In
2018 Version
- Top 10 Proactive Controls 2018 Russian Translation: PDF Download
- Top 10 Proactive Controls 2018 Polish Translation: PDF Download
2016 Version
- Top 10 Proactive Controls 2016 Traditional Chinese Translation PDF Download
- Top 10 Proactive Controls 2016 Simplified Chinese Translation PDF Download
- Top 10 Proactive Controls 2016 Japanese Translation PDF Download
- Top 10 Proactive Controls 2016 Hebrew Translation PDF Download
2014 Version
- Hebrew and French translations of the Top 10 Proactive Controls 2014 can be found on the 2014 archive tab.
Welcome to the OWASP Top 10 Proactive Controls Project!
2018 Roadmap
- Create new PowerPoint and other artifacts for 2018 version (done)
- Create wiki for 2018 version (work in progress)
2016 Roadmap
- Create new PowerPoint and other artifacts for 2016 version (done)
- Proactive Control Mapping to Cheatsheet (done)
Status
- February 21, 2014 Moved 2014 info to archive tab
- January 15, 2016: 2016 Proactive Controls Released!
- August 6, 2015: Kickoff for 2.0 effort, in progress
- March 10, 2014: We released an early beta of this document to the OWASP leaders list for review and commentary.
- February 3, 2014: We are currently working towards a beta release of this document and have begun working with a designer for the final release PDF.