Line 694: |
| * [https://github.com/diy1/aspirator Aspirator] - A simple checker for exception handler bugs | | * [https://github.com/diy1/aspirator Aspirator] - A simple checker for exception handler bugs |
| | | |
− | = Top 10 Mapping 2016 =
| |
| | | |
− | == Overview ==
| |
− |
| |
− | OWASP Top 10 Proactive Controls is a developer centric list of security techniques that should be included in every software development project. Each control helps preventing one or more of the OWASP Top Ten, the most critical web application security vulnerabilities.
| |
− |
| |
− | This documents presents a summary of the mapping between the OWASP Top 10 Proactive Controls and each of the OWASP Top 10 helps to mitigate.
| |
− |
| |
− | {| width="100%" cellpadding="7" cellspacing="0" <col width="325"><col width="316">
| |
− | ! ead |
| |
− | |- valign="top"
| |
− | | width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP Top 10 Proactive Controls'''
| |
− | | width="“50%”" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP Top 10 Prevented'''
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | '''C1: Verify for Security Early and Often'''
| |
− |
| |
− | <font size="2" style="font-size: 9pt”">
| |
− | Incorporate security testing as integral part of software engineering practice. Consider [[OWASP_Application_Security_Verification_Standard_Project |OWASP ASVS]] as a guide to define security requirements and testing.
| |
− | </font>
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | <font size="2" style="font-size: 9pt">
| |
− | * [[Top_10_2013-A1-Injection | A1-Injection]]
| |
− | * [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
| |
− | * [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]]
| |
− | * [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
| |
− | * [[Top_10_2013-A5-Security_Misconfiguration | A5-Security Misconfiguration]]
| |
− | * [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
| |
− | * [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
| |
− | * [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8-Cross-Site Request Forgery (CSRF)]]
| |
− | * [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]
| |
− | * [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
| |
− | </font>
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | '''C2: Parameterize Queries'''
| |
− |
| |
− | <font size="2" style="font-size: 9pt">
| |
− | The Parameterized queries are a way to leverage to Data Access Abstraction Layer how parameters are interpreted before executing an SQL query. It provides SQL injection protection.
| |
− | </font>
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | <font size="2" style="font-size: 9pt">
| |
− | * [[Top_10_2013-A1-Injection | A1-Injection]]
| |
− | </font>
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | '''C3: Encode Data'''
| |
− |
| |
− | <font size="2" style="font-size: 9pt">
| |
− | Encode data before use in a parser ( JS, CSS , XML )
| |
− | </font>
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | <font size="2" style="font-size: 9pt">
| |
− | * [[Top_10_2013-A1-Injection | A1-Injection]]
| |
− | * [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS) (in part)]]
| |
− | </font>
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | '''C4: Validate All Inputs'''
| |
− |
| |
− | <font size="2" style="font-size: 9pt">
| |
− | Consider all input from outside of the application as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be manipulated by an attacker.
| |
− | </font>
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | <font size="2" style="font-size: 9pt”">
| |
− | * [[Top_10_2013-A1-Injection | A1-Injection]] (in part)
| |
− | * [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]] (in part)
| |
− | * [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
| |
− | </font>
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | '''C5: Identity and Authentication Controls '''
| |
− |
| |
− | <font size="2" style="font-size: 9pt”">
| |
− | Authentication is the process of verifying that an individual or an entity is who it claims to be while identity management is a broader topic which not only includes authentication, session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more
| |
− | </font>
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− |
| |
− | <font size="2" style="font-size: 9pt">
| |
− | * [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
| |
− | </font>
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | '''C6: Implement Access Controls'''
| |
− |
| |
− | <font size="2" style="“font-size:9pt"">
| |
− | Authorization (Access Control) is the process where requests to access a particular feature or resource should be granted or denied.
| |
− | The following "positive" access control design requirements should be considered at the initial stages of application development:
| |
− | * Force all requests to go through access control checks
| |
− | * Deny by default
| |
− | * Avoid hard-coded policy-based access control checks in code
| |
− | * Check on the server when each function is accessed
| |
− | </font>
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | <font size="2" style="font-size: 9pt”">
| |
− | * [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
| |
− | * [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
| |
− | </font>
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | '''C7: Protect Data'''
| |
− |
| |
− | <font size="2" style="font-size: 9pt">
| |
− | Data encryption at rest or transit
| |
− | </font>
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | <font size="2" style="font-size: 9pt”">
| |
− | * [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
| |
− | </font>
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''C8: Implement Logging and Intrusion Detection'''
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | <font size="2" style="font-size: 9pt">
| |
− | * [[Top_10_2013-A1-Injection | A1-Injection]]
| |
− | * [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
| |
− | * [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]]
| |
− | * [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
| |
− | * [[Top_10_2013-A5-Security_Misconfiguration | A5-Security Misconfiguration]]
| |
− | * [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
| |
− | * [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
| |
− | * [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8-Cross-Site Request Forgery (CSRF)]]
| |
− | * [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]
| |
− | * [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
| |
− | </font>
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”bgcolor="#ffffff"" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | '''C9: Leverage Security Features and Libraries'''
| |
− |
| |
− | <font size="2" style="font-size: 9pt">Starting from scratch when it comes to developing security controls leads to wasted time and massive security holes. Secure coding libraries help developers guard against security-related design and implementation flaws.
| |
− | It is critical to keep these frameworks and libraries up to date.
| |
− |
| |
− | For example:
| |
− | * Choose a good database ORM
| |
− | * Choose a framework with already build-in good access control
| |
− | * Choose a framework that already has integrated CSRF
| |
− | </font>
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
| |
− | <font size="2" style="font-size: 9pt">
| |
− | * [[Top_10_2013-A1-Injection | A1-Injection]]
| |
− | * [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
| |
− | * [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]]
| |
− | * [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
| |
− | * [[Top_10_2013-A5-Security_Misconfiguration | A5-Security Misconfiguration]]
| |
− | * [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
| |
− | * [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
| |
− | * [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8-Cross-Site Request Forgery (CSRF)]]
| |
− | * [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]
| |
− | * [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
| |
− | </font>
| |
− |
| |
− | |- valign="top"
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" |
| |
− | '''C10: Error and Exception Handling'''
| |
− |
| |
− | <font size="2" style="font-size: 9pt"></font>
| |
− |
| |
− | | width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
| |
− | <font size="2" style="font-size: 9pt">
| |
− | * [[Top_10_2013-A1-Injection | A1-Injection]]
| |
− | * [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
| |
− | * [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]]
| |
− | * [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
| |
− | * [[Top_10_2013-A5-Security_Misconfiguration | A5-Security Misconfiguration]]
| |
− | * [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
| |
− | * [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
| |
− | * [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8-Cross-Site Request Forgery (CSRF)]]
| |
− | * [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]
| |
− | * [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
| |
− | </font>
| |
− |
| |
− | |}
| |
− |
| |
− | [[Image:OWASP-Top-10-Mapping-2016-600.png]]
| |
| | | |
| = News = | | = News = |
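Review bot: the removal drops the whole "Top 10 Mapping 2016" section at once (the "Overview" intro, the two-column mapping table from C1 through C10, and the `[[Image:OWASP-Top-10-Mapping-2016-600.png]]` reference) with nothing in this hunk taking its place, so the mapping between each Proactive Control and the 2013 Top 10 items it mitigates is no longer reachable from this page; if the content is being relocated rather than retired, the destination should be linked from the "Overview" position or the edit summary. Worth carrying over if the table is restored anywhere: the deleted wikitext was malformed in several places that a straight copy would reproduce, namely the stray `! ead |` header cell, curly quotes inside attribute values (`width="“50%”"`, `style="“font-size:9pt""`, and the run-together `width="“50%”bgcolor="#ffffff""`), the C8 row carrying no description cell at all and the C10 row carrying only an empty `<font size="2" style="font-size: 9pt"></font>`, plus the intro typos "This documents presents" and "helps preventing". The C9 and C10 rows also list all ten Top 10 items as "prevented", which reads as a placeholder rather than a considered mapping and should be narrowed before reuse.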