This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Proactive Controls"

From OWASP
Jump to: navigation, search
m (Overview)
(Corrected preventions for controls C7,C8,C9,C10)
Line 746: Line 746:
 
; A1-Injection
 
; A1-Injection
 
; A2-Broken Authentication and Session Management
 
; A2-Broken Authentication and Session Management
 +
; A3 XSS
 
; A4-Insecure Direct Object  References
 
; A4-Insecure Direct Object  References
 
; A5-Security Misconfiguration
 
; A5-Security Misconfiguration
Line 771: Line 772:
 
; A1-Injection
 
; A1-Injection
 
; A2-Broken Authentication and Session Management
 
; A2-Broken Authentication and Session Management
 +
; A3 XSS
 
; A4-Insecure Direct Object  References
 
; A4-Insecure Direct Object  References
 
; A5-Security Misconfiguration
 
; A5-Security Misconfiguration
Line 805: Line 807:
 
; A1-Injection
 
; A1-Injection
 
; A2-Broken Authentication and Session Management
 
; A2-Broken Authentication and Session Management
 +
; A3 XSS
 
; A4-Insecure Direct Object  References
 
; A4-Insecure Direct Object  References
 
; A5-Security Misconfiguration
 
; A5-Security Misconfiguration
Line 831: Line 834:
 
; A1-Injection
 
; A1-Injection
 
; A2-Broken Authentication and Session Management
 
; A2-Broken Authentication and Session Management
 +
; A3 XSS
 
; A4-Insecure Direct Object  References
 
; A4-Insecure Direct Object  References
 
; A5-Security Misconfiguration
 
; A5-Security Misconfiguration

Revision as of 23:28, 21 February 2015

Proactive-header.jpg

OWASP Proactive Controls

Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game.

The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development.

  • 1: Parameterize Queries
  • 2: Encode Data
  • 3: Validate All Inputs
  • 4: Implement Appropriate Access Controls
  • 5: Establish Identity and Authentication Controls
  • 6: Protect Data and Privacy
  • 7: Implement Logging, Error Handling and Intrusion Detection
  • 8: Leverage Security Features of Frameworks and Security Libraries
  • 9: Include Security-Specific Requirements
  • 10: Design and Architect Security In

For more information, see the complete document in the tab to the right.

Licensing

The OWASP Proactive Controls document is free to use under the Creative Commons ShareAlike 3 License.

What is This?

The OWASP Top Ten Proactive Controls describes the most important control and control categories that every architect and developer should absolutely, 100% include in every project.

Presentation

Use the extensive project presentation that expands on the information in the document.

Project Leaders

Key Contributors

  • Cyrille Grandval @ (French Translation)
  • Frédéric Baillon @ (French Translation)
  • Danny Harris @
  • Stephen de Vries
  • Andrew Van Der Stock
  • Gaz Heyes
  • Colin Watson
  • Katy Anton

Related Projects

Quick Access

News and Events

  • [27 Jan 2015] Added Top Ten Mapping
  • [31 Oct 2014] Project presentation uploaded
  • [10 Mar 2014] Request for review
  • [04 Feb 2014] New Wiki Template!

Mailing List

Keep up-to-date, participate or ask questions via the Project Email List.

Classifications

Owasp-incubator-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg