
Difference between revisions of "OWASP Proactive Controls Mapped To Top Ten Vulnerabilities"

#REDIRECT [[OWASP_Proactive_Controls]]
== Overview  ==
 
Most developers have heard about the OWASP Top Ten, the list of the ten most critical web application security vulnerabilities, which should be avoided in web applications.
 
However, to avoid them, developers must be aware of the proactive controls so that they can incorporate them from the early stages of the software development lifecycle.
 
 
This document starts from the OWASP Top Ten Proactive Controls, briefly describes each of them, and then maps each control to the OWASP Top Ten vulnerabilities it addresses.
 
 
 
{| width="100%" cellpadding="7" cellspacing="0"
 
|- valign="top"
 
| width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP Top 10 Proactive Controls'''
 
| width="50%" bgcolor="#d9d9d9" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Which OWASP Top 10 vulnerabilities does it prevent?'''
 
 
 
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''OWASP-C1: Parameterize Queries'''
 
 
 
<font size="2" style="font-size: 9pt">
 
Parameterized queries let the data access abstraction layer control how parameters are interpreted before an SQL query is executed: the query text is fixed and the input is bound as a value, which protects against SQL injection.
 
</font>
 
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
<font size="3" style="font-size: 12pt">'''Prevents:'''</font>
 
<font size="2" style="font-size: 9pt">
 
; A1 Injection 
 
: ''Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query.''
 
</font>
 
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''OWASP-C2: Encode Data'''
 
 
 
<font size="2" style="font-size: 9pt">Encode data before it is used in a parser (JS, CSS, XML), using the encoding that matches the context the data is placed in.
 
</font>
 
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
 
 
<font size="2" style="font-size: 9pt">
 
; A1 Injection 
 
: ''Injection flaws, such as SQL injection occur when untrusted data is sent to an interpreter as part of a command or query.''
 
; A3 XSS
 
: ''XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.''
 
</font>
 
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''OWASP-C3: Validate All Inputs'''
 
 
 
<font size="2" style="font-size: 9pt">
 
Consider all input from outside of the application as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be manipulated by an attacker.
 
</font>
 
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
 
 
<font size="2" style="font-size: 9pt">
 
; A1 Injection 
 
: ''Injection flaws, such as SQL injection, occur when untrusted data is sent to an interpreter as part of a command or query.''
 
; A2-Broken Authentication and Session Management
 
: ''Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.''
 
; A3 XSS
 
: ''XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.''
 
; A10-Unvalidated Redirects and Forwards
 
</font>
 
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''OWASP-C4: Implement Appropriate Access Controls'''
 
 
 
<font size="2" style="font-size: 9pt">
 
Authorization (access control) is the process of deciding whether a request to access a particular feature or resource should be granted or denied.
 
 
 
 
 
The following "positive" access control design requirements should be considered at the initial stages of application development:
 
* Force all requests to go through access control checks
 
* Deny by default
 
* Avoid hard-coded policy-based access control checks in code
 
* Check on the server when each function is accessed
 
</font>
 
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
 
 
<font size="2" style="font-size: 9pt">
 
; A4-Insecure Direct Object References
 
: ''A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data''.
 
; A7-Missing Function Level Access Control
 
: ''Applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization''
 
</font>
 
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
 
 
'''OWASP-C5: Establish Identity and Authentication Controls'''
 
 
 
<font size="2" style="font-size:9pt">
 
Authentication is the process of verifying that an individual or an entity is who it claims to be. Identity management is a broader topic: it includes authentication and session management, but also covers advanced topics such as identity federation, single sign-on, password-management tools, identity repositories and more.
 
</font>
 
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
 
 
<font size="2" style="font-size: 9pt">
 
; A2-Broken Authentication and Session Management
 
: ''Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.''
 
</font>
 
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''OWASP-C6: Protect Data and Privacy'''
 
 
 
<font size="2" style="font-size: 9pt">Encrypt sensitive data at rest and in transit.
 
</font>
 
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
<font size="2" style="font-size: 9pt">
 
; A6-Sensitive Data Exposure
 
: ''Sensitive data needs extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.''
 
</font>
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP-C7: Implement Logging, Error Handling and Intrusion Detection'''
 
 
 
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
<font size="2" style="font-size: 9pt">
 
; A1-Injection
 
; A2-Broken Authentication and Session Management
 
; A4-Insecure Direct Object  References
 
; A5-Security Misconfiguration
 
; A6-Sensitive Data Exposure
 
; A7-Missing Function Level Access Control
 
; A8-Cross-Site Request Forgery (CSRF)
 
; A9-Using Components with Known Vulnerabilities
 
; A10-Unvalidated Redirects and Forwards
 
</font>
 
|- valign="top"
 
| width="50%" bgcolor="#ffffff" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''OWASP-C8: Leverage Security Features of Frameworks and Security Libraries'''
 
 
 
<font size="2" style="font-size: 9pt">Starting from scratch when it comes to developing security controls leads to wasted time and massive security holes. Secure coding libraries help developers guard against security-related design and implementation flaws.
 
It is critical to keep these frameworks and libraries up to date.
 
 
 
For example:
 
* Choose a good database ORM

* Choose a framework with good built-in access control

* Choose a framework that already has integrated CSRF protection
 
</font>
 
 
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
<font size="2" style="font-size: 9pt">
 
; A1-Injection
 
; A2-Broken Authentication and Session Management
 
; A4-Insecure Direct Object  References
 
; A5-Security Misconfiguration
 
; A6-Sensitive Data Exposure
 
; A7-Missing Function Level Access Control
 
; A8-Cross-Site Request Forgery (CSRF)
 
; A9-Using Components with Known Vulnerabilities
 
; A10-Unvalidated Redirects and Forwards
 
</font>
 
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" |
 
'''OWASP-C9: Include Security-Specific Requirements'''
 
 
 
<font size="2" style="font-size: 9pt">It is important to consider security requirements from the early stages of the software development lifecycle.
 
There are two types of security requirements:
 
* Functional requirements (visible features of the application that QA can test)

* Non-functional requirements (invisible properties that QA staff cannot test directly)
 
</font>
 
 
 
<font size="2" style="font-size: 9pt">Security Requirements include:
 
* Confidentiality requirements
 
* Integrity requirements
 
* Authentication & authorization requirements
 
* Auditing and logging requirements
 
* Session management requirements
 
* Errors and exception management requirements
 
* Configuration parameters requirements 
 
* Archiving requirements 
 
* Legal and Compliance Constraints
 
</font>
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
<font size="2" style="font-size: 9pt">
 
; A1-Injection
 
; A2-Broken Authentication and Session Management
 
; A4-Insecure Direct Object  References
 
; A5-Security Misconfiguration
 
; A6-Sensitive Data Exposure
 
; A7-Missing Function Level Access Control
 
; A8-Cross-Site Request Forgery (CSRF)
 
; A9-Using Components with Known Vulnerabilities
 
; A10-Unvalidated Redirects and Forwards
 
</font>
 
 
 
|- valign="top"
 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''OWASP-C10: Design and Architect Security In'''
 
 
 
<font size="2" style="font-size: 9pt">Design considerations:

* Confidentiality

* Availability

* Authentication

* Auditing/Logging

* Least privilege

* Separation of duties

* Defence in depth

* Fail secure

</font>

 
| width="50%" style="border: 1.00pt solid #000001; padding: 0.18cm" | '''Prevents:'''
 
<font size="2" style="font-size: 9pt">
 
; A1-Injection
 
; A2-Broken Authentication and Session Management
 
; A4-Insecure Direct Object  References
 
; A5-Security Misconfiguration
 
; A6-Sensitive Data Exposure
 
; A7-Missing Function Level Access Control
 
; A8-Cross-Site Request Forgery (CSRF)
 
; A9-Using Components with Known Vulnerabilities
 
; A10-Unvalidated Redirects and Forwards
 
</font>
 
|}
 

Latest revision as of 17:55, 27 January 2015