This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Education Track: What Developers Should Know on Web Application Security"

From OWASP
Jump to: navigation, search
(Table of Contents)
 
(5 intermediate revisions by one other user not shown)
Line 18: Line 18:
 
The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects.  
 
The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects.  
  
* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min)
+
* [[Education Module Why WebAppSec Matters|Why WebAppSec matters]] (20 min) ([http://www.owasp.org/images/5/58/Education_Module_Why_WebAppSec_Matters.ppt direct link])
 
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.
 
:This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.
 
:*What goes wrong
 
:*What goes wrong
 
:*WebAppSec Defined
 
:*WebAppSec Defined
 
:*Current trends
 
:*Current trends
*OWASP Top 10 Introduction & Remedies (90 min)
+
* [[Education_Module_OWASP_Top_10_Introduction_and_Remedies|OWASP Top 10 Introduction & Remedies]] (90 min) ([http://www.owasp.org/images/b/b8/Education_Module_OWASP_Top_10_Introduction_and_Remedies.ppt direct link])
 
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.
 
:The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.
 
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]
 
:*[[Education Module Cross Site Scripting (XSS)|Cross Site Scripting (XSS)]]
Line 35: Line 35:
 
:*Insecure Communications
 
:*Insecure Communications
 
:*Failure to Restrict URL Access
 
:*Failure to Restrict URL Access
*Embed within SDLC (People, Processes & Tools) (20 min)
+
*[[Education Module Embed within SDLC|Embed within SDLC]] (People, Processes & Tools) (20 min) ([http://www.owasp.org/images/f/f2/Education_Module_Embed_within_SDLC.ppt direct link])
 
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.
 
:There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.
 
:*People Awareness and Education
 
:*People Awareness and Education
Line 41: Line 41:
 
:*Deployment WebAppSec Controls
 
:*Deployment WebAppSec Controls
 
:*WebAppSec Tools
 
:*WebAppSec Tools
*Good Secure Development Practices (70 min)
+
*[[Education Module Good Secure Development Practices|Good Secure Development Practices]] (70 min) ([http://www.owasp.org/images/5/57/Education_Module_Good_Secure_Development_Practices.ppt direct link])
:Some best practices, covering e.g.
+
:Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.
:*Validating User Input
+
:*Validating User Input  
:*Appropriate use of HTTP vs. HTTPS
+
:*Authentication
:*Hiding Sensitive information from Error Messages (500 Errors)
+
:*Authorization
:*Appropriate use of GET vs. POST
+
:*Session Management
:*Limitation of resources and privilege (anti-DoS)
+
:*Using Interpreters
:*Providing Session/Data Persistence (Leak another user's data into your session)
+
:*Crypto
:*Limited # of login attempts before temporary (15-30min) account lock
+
:*Catching Errors
:*Secure Connection to Database (prevent compromise web host and attack database)
+
:*File System
:*Throttling on a per-session basis to prevent DoS from single host.
+
:*Configuration
:*How to prevent CSRF
+
:*Web 2.0
*Testing for Vulnerabilities (20 min)
+
*[[Education Module Testing for Vulnerabilities|Testing for Vulnerabilities]] (20 min) ([http://www.owasp.org/images/4/49/Education_Module_Testing_for_Vulnerabilities.ppt direct link])
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with one WebGoat test case.
+
:One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.
 
:*Testing for application vulnerabilities
 
:*Testing for application vulnerabilities
 
:*The OWASP Testing Guide
 
:*The OWASP Testing Guide
 
:*WebGoat demonstrated
 
:*WebGoat demonstrated
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min)
+
*[[Education Module Good WebAppSec Resources|Good WebAppSec Resources]] (not limited to OWASP) (10 min) ([http://www.owasp.org/images/f/fe/Education_Module_Good_WebAppSec_Resources.ppt direct link])
 
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.
 
:This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.
 
:*Hard Copy
 
:*Hard Copy
Line 67: Line 67:
  
 
[[Category:OWASP Education Project]]
 
[[Category:OWASP Education Project]]
 +
[[Category:OWASP_Education_Project_New]]

Latest revision as of 21:32, 18 March 2009

Track Overview

Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.

Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or re mediated. A secure coding initiative must deal with all stages of a program’s life cycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Particularly for developers good secure development practices are covered in a separate topic. Finally the track finishes with an exhaustive list of web application security resources for web application developers.

Track Audience

The track audience is web application developers who are unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET.

We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours.

Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.

Table of Contents

The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects.

This part is the introduction of the track. It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.
  • What goes wrong
  • WebAppSec Defined
  • Current trends
The primary aim of the OWASP Top 10 is to educate developers, designers, architects and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities.
  • Cross Site Scripting (XSS)
  • Injection Flaws
  • Malicious File Execution
  • Insecure Direct Object Reference
  • Cross Site Request Forgery (CSRF)
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Failure to Restrict URL Access
There is no silver bullet when it comes to securing web applications. This problem has to be addressed from different angles, covering the involved actors, processes: development as well as deployment and Technologies.
  • People Awareness and Education
  • Development WebAppSec Controls
  • Deployment WebAppSec Controls
  • WebAppSec Tools
Next to the Top 10 remedies this module provides some good secure development practices from the OWASP Guide, covering e.g.
  • Validating User Input
  • Authentication
  • Authorization
  • Session Management
  • Using Interpreters
  • Crypto
  • Catching Errors
  • File System
  • Configuration
  • Web 2.0
One important aspect is to test for application vulnerabilities. During this short module an introduction is provided together with some WebGoat test cases.
  • Testing for application vulnerabilities
  • The OWASP Testing Guide
  • WebGoat demonstrated
This 4 hour education track in only the beginning of your journey. Web application security is a moving target. New vulnerabilities and threats are discovered regularly. Web application security controls are becoming mature. The following resources should provide you with enough pointers to serve both as reference and for further research.
  • Hard Copy
  • Web Sites
  • Mailing lists
  • Blogs
  • Roundup (10 min)
Retrieved from "https://wiki.owasp.org/index.php?title=Education_Track:_What_Developers_Should_Know_on_Web_Application_Security&oldid=56946"