
Difference between revisions of "OWASP Proactive Controls"

* [https://github.com/diy1/aspirator Aspirator] - A simple checker for exception handler bugs
  
= Top 10 Mapping 2016 =
 
  
== Overview ==
 
 
OWASP Top 10 Proactive Controls is a developer-centric list of security techniques that should be included in every software development project. Each control helps prevent one or more of the OWASP Top Ten, the most critical web application security vulnerabilities.
 
 
This document summarizes the mapping between each OWASP Top 10 Proactive Control and the OWASP Top 10 risks it helps to mitigate.
 
 
{| width="100%" cellpadding="7" cellspacing="0"
 
 
|- valign="top"
 
| width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP Top 10 Proactive Controls'''
 
| width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP Top 10 Prevented'''
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''C1: Verify for Security Early and Often'''
 
 
<font size="2" style="font-size: 9pt">
 
Incorporate security testing as integral part of software engineering practice. Consider [[OWASP_Application_Security_Verification_Standard_Project |OWASP ASVS]] as a guide to define security requirements and testing.
 
</font>
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A1-Injection | A1-Injection]]
 
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
 
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]]
 
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
 
* [[Top_10_2013-A5-Security_Misconfiguration | A5-Security Misconfiguration]]
 
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
 
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
 
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8-Cross-Site Request Forgery (CSRF)]]
 
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]
 
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
 
</font>
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''C2: Parameterize Queries'''
 
 
<font size="2" style="font-size: 9pt">
 
Parameterized queries let the data access abstraction layer control how parameters are interpreted before an SQL query is executed: the statement is compiled first and the untrusted values are bound afterwards as data. This protects against SQL injection.
 
</font>
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A1-Injection | A1-Injection]]
 
</font>
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''C3: Encode Data'''
 
 
<font size="2" style="font-size: 9pt">
 
Encode data for the context of the parser it is about to be used in (JS, CSS, XML) before passing it on.
 
</font>
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A1-Injection | A1-Injection]]
 
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]] (in part)
 
</font>
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''C4: Validate All Inputs'''
 
 
<font size="2" style="font-size: 9pt">
 
Consider all input from outside of the application as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be manipulated by an attacker.
 
</font>
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A1-Injection | A1-Injection]] (in part)
 
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]] (in part)
 
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
 
</font>
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''C5: Identity and Authentication Controls '''
 
 
<font size="2" style="font-size: 9pt">
 
Authentication is the process of verifying that an individual or an entity is who it claims to be. Identity management is a broader topic that not only includes authentication and session management but also covers advanced topics like identity federation, single sign-on, password-management tools, identity repositories and more.
 
</font>
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
 
</font>
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''C6: Implement Access Controls'''
 
 
<font size="2" style="font-size: 9pt">
 
Authorization (Access Control) is the process of deciding whether a request to access a particular feature or resource is granted or denied.
 
The following "positive" access control design requirements should be considered at the initial stages of application development:
 
* Force all requests to go through access control checks
 
* Deny by default
 
* Avoid hard-coded policy-based access control checks in code
 
* Check on the server when each function is accessed
 
</font>
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
 
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
 
</font>
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''C7: Protect Data'''
 
 
<font size="2" style="font-size: 9pt">
 
Encrypt sensitive data both at rest and in transit.
 
</font>
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
 
</font>
 
 
|- valign="top"
 
| width="“50%”" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''C8: Implement Logging and Intrusion Detection'''
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A1-Injection | A1-Injection]]
 
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
 
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]]
 
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
 
* [[Top_10_2013-A5-Security_Misconfiguration | A5-Security Misconfiguration]]
 
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
 
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
 
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8-Cross-Site Request Forgery (CSRF)]]
 
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]
 
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
 
</font>
 
 
|- valign="top"
 
| width="50%" bgcolor="#ffffff" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''C9: Leverage Security Features and Libraries'''
 
 
<font size="2" style="font-size: 9pt">Starting from scratch when it comes to developing security controls leads to wasted time and massive security holes. Secure coding libraries help developers guard against security-related design and implementation flaws.
 
It is critical to keep these frameworks and libraries up to date.
 
 
For example:
 
* Choose a good database ORM
 
* Choose a framework with good access control already built in
 
* Choose a framework that already has integrated CSRF protection
 
</font>
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A1-Injection | A1-Injection]]
 
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
 
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]]
 
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
 
* [[Top_10_2013-A5-Security_Misconfiguration | A5-Security Misconfiguration]]
 
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
 
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
 
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8-Cross-Site Request Forgery (CSRF)]]
 
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]
 
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
 
</font>
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''C10: Error and Exception Handling'''
 
 
<font size="2" style="font-size: 9pt"></font>
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
<font size="2" style="font-size: 9pt">
 
* [[Top_10_2013-A1-Injection | A1-Injection]]
 
* [[Top_10_2013-A2-Broken_Authentication_and_Session_Management | A2-Broken Authentication and Session Management]]
 
* [[Top_10_2013-A3-Cross-Site_Scripting_(XSS) | A3-Cross Site Scripting (XSS)]]
 
* [[Top_10_2013-A4-Insecure_Direct_Object_References | A4-Insecure Direct Object References]]
 
* [[Top_10_2013-A5-Security_Misconfiguration | A5-Security Misconfiguration]]
 
* [[Top_10_2013-A6-Sensitive_Data_Exposure | A6-Sensitive Data Exposure]]
 
* [[Top_10_2013-A7-Missing_Function_Level_Access_Control | A7-Missing Function Level Access Control]]
 
* [[Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF) | A8-Cross-Site Request Forgery (CSRF)]]
 
* [[Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities | A9-Using Components with Known Vulnerabilities]]
 
* [[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards | A10-Unvalidated Redirects and Forwards]]
 
</font>
 
 
|}
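As an added illustration of C2 above (not code from the OWASP document), the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table; it also shows the caveat that identifiers such as a sort column cannot be bound and need an allow-list instead. The table, rows and the SORTABLE_COLUMNS allow-list are assumptions made for this example.

```python
"""C2 Parameterize Queries: vulnerable concatenation beside the parameterized form."""
import sqlite3

# Constructed sample data for this example only.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Identifiers (column names) cannot be bound as parameters, so a dynamic
# ORDER BY must be restricted to an allow-list (assumed set for this example).
SORTABLE_COLUMNS = {"username", "email"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    # The untrusted value is spliced into the SQL text, so the database
    # parser treats it as part of the statement rather than as data.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username, order_by="username"):
    # The statement is compiled first; the value is bound afterwards and can
    # only ever be compared as a string, whatever characters it contains.
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    sql = f"SELECT username, email FROM users WHERE username = ? ORDER BY {order_by}"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed test input, not a real username
    print(find_user_vulnerable(db, probe))       # every row leaks
    print(find_user_parameterized(db, probe))    # []
    print(find_user_parameterized(db, "alice"))  # [('alice', 'alice@example.com')]
```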
 
 
[[Image:OWASP-Top-10-Mapping-2016-600.png]]
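As an added illustration of the C6 design requirements above (not code from the OWASP document): every request passes through one server-side authorize() gate, the policy is kept as data rather than hard-coded in handlers, anything not granted is denied, and object-level access is tied to ownership so a guessed record id (A4) is refused. The POLICY table, Principal type and REPORTS records are constructed for this example.

```python
"""C6 Implement Access Controls: central, deny-by-default, server-side check."""
from dataclasses import dataclass

# Policy as data: which roles may perform which action. Anything absent is denied.
POLICY = {
    "report:view": {"analyst", "admin"},
    "report:delete": {"admin"},
}

# Constructed sample records, each owned by one user (example data only).
REPORTS = {101: {"owner": "alice"}, 102: {"owner": "bob"}}


@dataclass(frozen=True)
class Principal:
    username: str
    role: str


class AccessDenied(Exception):
    pass


def authorize(principal, action, report_id=None):
    """Central gate: deny unless the policy grants the action; for object-level
    access also require ownership (or the admin role) so direct object
    references cannot be guessed across users."""
    if principal.role not in POLICY.get(action, set()):
        raise AccessDenied(f"{principal.role} may not {action}")
    if report_id is not None:
        report = REPORTS.get(report_id)
        if report is None or (report["owner"] != principal.username and principal.role != "admin"):
            raise AccessDenied(f"{principal.username} may not access report {report_id}")
    return True


def handle(principal, action, report_id=None):
    """Every request goes through authorize() before any work is done. A missing
    record and a forbidden one both yield 403, so the response does not reveal which ids exist."""
    try:
        authorize(principal, action, report_id)
    except AccessDenied:
        return 403
    return 200


if __name__ == "__main__":
    alice, root = Principal("alice", "analyst"), Principal("root", "admin")
    print(handle(alice, "report:view", 101))    # 200: own report
    print(handle(alice, "report:view", 102))    # 403: another user's report
    print(handle(alice, "report:delete", 101))  # 403: role lacks the action
    print(handle(alice, "report:export"))       # 403: unknown action, denied by default
    print(handle(root, "report:view", 102))     # 200
```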
 
  
 
= News =

Revision as of 12:43, 7 May 2018

OWASP Top 10 Proactive Controls 2016

Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game.

The OWASP Top Ten Proactive Controls 2016 is a list of security techniques that should be included in every software development project. They are listed in order of importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development.

  1. Verify for Security Early and Often
  2. Parameterize Queries
  3. Encode Data
  4. Validate All Inputs
  5. Implement Identity and Authentication Controls
  6. Implement Appropriate Access Controls
  7. Protect Data
  8. Implement Logging and Intrusion Detection
  9. Leverage Security Frameworks and Libraries
  10. Error and Exception Handling

For more information, see the complete document in the tab to the right.

Licensing

The OWASP Proactive Controls document is free to use under the Creative Commons ShareAlike 3 License.

What is This?

The OWASP Top Ten Proactive Controls describes the most important controls and control categories that every architect and developer should absolutely, 100% include in every project.

Presentation

Use the extensive project presentation that expands on the information in the document.

Key Contributors

  • Danny Harris
  • Hiroaki Kuramochi (Japanese Translation)
  • Hiroshi Fujimoto (Japanese Translation)
  • Hidenori Nagai (Japanese Translation)
  • Riotaro OKADA (Japanese Translation)
  • Robert Dracea (Japanese Translation)
  • Koichiro Watanabe (Japanese Translation)
  • Tony Hsu Hsiang Chih (Chinese Translation)
  • Abdessamad Temmar
  • Eyal Estrin (Hebrew Translation)
  • Cyrille Grandval (French Translation)
  • Frédéric Baillon (French Translation)
  • Stephen de Vries
  • Andrew Van Der Stock
  • Gaz Heyes
  • Colin Watson
  • Jason Coleman
  • Cassio Goldschmidt

Translations

  • Top 10 Proactive Controls 2016 Traditional Chinese Translation PDF Download
  • Top 10 Proactive Controls 2016 Simplified Chinese Translation PDF Download
  • Top 10 Proactive Controls 2016 Japanese Translation PDF Download
  • Top 10 Proactive Controls 2016 Hebrew Translation PDF Download

Latest News and Events

Please see the News tab for more.

Archive

Proactive Controls 2014

Mailing List

Keep up-to-date, participate or ask questions via the Project Email List.

Classifications

Incubator project; Builders; Defenders; Creative Commons BY-SA; Project type: documentation.