This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Proactive Controls Mapped To Top Ten Vulnerabilities

From OWASP

Revision as of 22:30, 13 January 2015

OWASP Top Ten Risks -> OWASP Top Ten Proactive Controls mapping

Overview

Most developers have heard about the OWASP Top Ten, the list of the 10 most critical web application security vulnerabilities that should be avoided in web applications. However, in order to avoid them, developers must be aware of the proactive controls so that they can be incorporated from the early stages of the software development lifecycle.

This document starts from the OWASP Top Ten Proactive Controls, briefly describes each of them, and then provides a mapping to the OWASP Top Ten vulnerabilities that each control will address.

OWASP Top 10 Proactive Control -> Which OWASP Top 10 vulnerabilities it will prevent


OWASP-C1: Parameterize Queries

Parameterized queries let the data access abstraction layer determine how parameters are interpreted before an SQL query is executed, instead of building the query text out of the parameters themselves. They provide protection against SQL injection.

Prevents:

A1 Injection
Injection flaws, such as SQL injection, occur when untrusted data is sent to an interpreter as part of a command or query.
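The following is an added example (not code from the OWASP page) showing the difference C1 makes. It builds a constructed in-memory SQLite table and runs the same lookup twice: once with the value concatenated into the SQL text, once with a bound placeholder. The untrusted input is the textbook tautology used in injection tutorials; it is constructed here only to show that the parameterized query treats it as a plain string.

```python
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_concatenated(conn, username):
    # Vulnerable: the value is spliced into the SQL text, so the database
    # engine parses attacker-controlled characters as part of the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    # Hardened: the '?' placeholder is bound by the driver after the statement
    # is parsed, so the value can never change the structure of the query.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed untrusted input that turns the concatenated WHERE clause into a tautology.
UNTRUSTED_INPUT = "x' OR 'a'='a"


def compare(username=UNTRUSTED_INPUT):
    # Returns (rows from the concatenated query, rows from the parameterized query).
    conn = make_db()
    return (
        find_user_concatenated(conn, username),
        find_user_parameterized(conn, username),
    )


if __name__ == "__main__":
    print(compare())          # (['alice', 'bob', 'carol'], [])
    print(compare("alice"))   # (['alice'], ['alice'])
```

The concatenated version returns every row for the malformed input because the quote characters became SQL syntax; the parameterized version returns nothing because no username literally equals that string. For a legitimate value both behave identically, which is why there is no functional cost to using placeholders everywhere.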

OWASP-C2: Encode Data

Encode data before it is used in a parser (JS, CSS, XML).

Prevents:

A1 Injection
Injection flaws, such as SQL injection, occur when untrusted data is sent to an interpreter as part of a command or query.
A3 XSS
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
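As an added illustration of C2 (not part of the OWASP page), the block below takes one untrusted display name and places it into three different output contexts, each with the encoder that context needs: HTML body text, a JavaScript string literal, and a URL query parameter. It uses only the Python standard library; the page snippet and the sample value are constructed for the example.

```python
import html
import json
from urllib.parse import quote


def encode_for_html(value):
    # HTML element and attribute context: & < > " ' become entities.
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    # JavaScript string-literal context. json.dumps escapes quotes, backslashes,
    # control characters and (with ensure_ascii) U+2028/U+2029; the extra
    # replacements keep "</script>" or "&" inside the literal from being
    # interpreted by the HTML parser that runs before the JS parser.
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def encode_for_url_param(value):
    # URL query-parameter context: percent-encode everything that is not unreserved.
    return quote(value, safe="")


def render_profile(display_name):
    # Constructed page fragment: the same value in three contexts, three encoders.
    return (
        "<p>Hello, " + encode_for_html(display_name) + "</p>\n"
        "<script>var name = " + encode_for_js_string(display_name) + ";</script>\n"
        '<a href="/search?q=' + encode_for_url_param(display_name) + '">search</a>'
    )


if __name__ == "__main__":
    print(render_profile('"Bob" <Smith>'))
```

The point the page makes is that encoding is parser-specific: `html.escape` is correct for the `<p>` text but would be wrong inside the `<script>` block, where a quote or line terminator, not an angle bracket, is what ends the string. Picking the encoder by destination context is what prevents A3; using one "escape" function for every context does not.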

OWASP-C3: Validate All Inputs

Consider all input from outside of the application as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be manipulated by an attacker.

Prevents:

A1 Injection
Injection flaws, such as SQL injection, occur when untrusted data is sent to an interpreter as part of a command or query.
A2-Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
A3 XSS
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A10-Unvalidated Redirects and Forwards
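The following added example (not from the OWASP page) implements C3 as allowlist validation of request parameters, including the redirect-target check that addresses A10. The parameter names, the `app.example.com` host and the regular expressions are assumptions chosen for the example; a real application would derive them from its own requirements.

```python
import re
from urllib.parse import urlsplit

# Assumption: this application's own host, used to allowlist absolute redirect targets.
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}

# Local redirect targets: one leading slash (not "//", which browsers read as
# protocol-relative) followed only by characters a path and query legitimately need.
LOCAL_PATH = re.compile(r"/(?!/)[A-Za-z0-9_\-./?=&%]*")


class ValidationError(ValueError):
    """Raised when an external value does not match its allowlist."""


def validate_username(raw):
    # Allowlist the exact character set and length the application needs.
    if not isinstance(raw, str) or not re.fullmatch(r"[A-Za-z0-9_]{3,32}", raw):
        raise ValidationError("user")
    return raw


def validate_page_number(raw):
    # Convert to the expected type only after the textual form has been allowlisted.
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]{0,5}", raw):
        raise ValidationError("page")
    return int(raw)


def validate_redirect_target(raw):
    # A10: accept a local path or an https URL on an allowlisted host, nothing else.
    if not isinstance(raw, str) or len(raw) > 2048:
        raise ValidationError("next")
    if LOCAL_PATH.fullmatch(raw):
        return raw
    try:
        parts = urlsplit(raw)
    except ValueError:          # e.g. malformed IPv6 literal
        raise ValidationError("next")
    # .hostname strips userinfo and port, so "https://app.example.com@evil.example/"
    # resolves to evil.example and is rejected.
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return raw
    raise ValidationError("next")


VALIDATORS = {
    "user": validate_username,
    "page": validate_page_number,
    "next": validate_redirect_target,
}


def validate_request(params):
    # Every external parameter (query string, form field, header value) goes through
    # its validator; parameters the handler does not expect are rejected outright.
    unexpected = set(params) - set(VALIDATORS)
    if unexpected:
        raise ValidationError("unexpected parameter(s): " + ", ".join(sorted(unexpected)))
    return {name: VALIDATORS[name](value) for name, value in params.items()}


def is_rejected(validator, raw):
    # Helper so negative cases can be checked as booleans.
    try:
        validator(raw)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    print(validate_request({"user": "alice_01", "page": "3", "next": "/account?tab=2"}))
```

Validation here is a positive check (what is allowed) rather than a denylist of known-bad strings, and it is applied to every parameter the handler receives rather than only the ones that look dangerous. It does not replace C1 or C2: a validated username still has to be parameterized in SQL and encoded on output.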

OWASP-C4: Implement Appropriate Access Controls

Authorization (Access Control) is the process by which requests to access a particular feature or resource are granted or denied.


The following "positive" access control design requirements should be considered at the initial stages of application development:

  • Force all requests to go through access control checks
  • Deny by default
  • Avoid hard-coded policy-based access control checks in code
  • Check on the server when each function is accessed

Prevents:

A4-Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
A7-Missing Function Level Access Control
Applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
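The block below is an added example, not code from the OWASP page, of the four C4 design requirements in one place: a decorator forces every server-side function through a single check, `is_allowed` denies by default, the policy is a data table rather than `if role == "admin"` branches in handlers, and the object-level ownership check covers A4 while the per-function permission covers A7. The roles, permission names and invoice records are constructed for the example.

```python
from functools import wraps


class AccessDenied(PermissionError):
    """Raised whenever a check does not positively grant access."""


# Constructed policy: permissions are data, not if/else branches in handlers.
ROLE_PERMISSIONS = {
    "admin": {"invoice:read", "invoice:read:any", "invoice:delete"},
    "user": {"invoice:read"},
}


class User:
    def __init__(self, user_id, role):
        self.id = user_id
        self.role = role


def is_allowed(user, permission):
    # Deny by default: no user, an unknown role or an unknown permission all fail closed.
    if user is None:
        return False
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def requires(permission):
    # Forces every decorated server-side function through the same check.
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if not is_allowed(user, permission):
                raise AccessDenied(f"{permission} required")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


# Constructed data: invoice id -> record with its owner.
INVOICES = {101: {"owner": 1, "total": 40}, 102: {"owner": 2, "total": 75}}


@requires("invoice:read")
def get_invoice(user, invoice_id):
    # A4: the id came from the client, so the object's owner is checked as well;
    # reading someone else's invoice needs its own explicit permission.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner"] != user.id
                           and not is_allowed(user, "invoice:read:any")):
        raise AccessDenied("invoice not accessible")
    return invoice


@requires("invoice:delete")
def delete_invoice(user, invoice_id):
    # A7: the function-level check lives on the server, not in whether the UI shows a button.
    return INVOICES.pop(invoice_id, None) is not None


def is_denied(fn, *args):
    # Helper so negative cases can be checked as booleans.
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    alice = User(1, "user")
    print(get_invoice(alice, 101))            # {'owner': 1, 'total': 40}
    print(is_denied(get_invoice, alice, 102))  # True
```

Note that "not found" and "not yours" both surface as `AccessDenied`, so a caller cannot use the difference to enumerate which ids exist, and that a role missing from `ROLE_PERMISSIONS` gets an empty set rather than an error path that might be mishandled into a grant.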

OWASP-C5: Establish Identity and Authentication Controls

Authentication is the process of verifying that an individual or an entity is who it claims to be, while identity management is a broader topic which not only includes authentication and session management, but also covers advanced topics like identity federation, single sign-on, password-management tools, identity repositories and more.

Prevents:

A2-Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
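As an added example for C5 (not from the OWASP page), the following minimal authentication and session layer shows the pieces A2 is about: salted, slow password hashing with PBKDF2, constant-time verification that costs the same for unknown users, unpredictable session tokens, expiry, and server-side logout. The in-memory dictionaries stand in for database tables and the iteration count is an assumption that should be tuned to the hardware.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000     # deliberately slow; assumption, tune to your hardware
SESSION_TTL_SECONDS = 15 * 60

# Constructed in-memory stores standing in for database tables.
USERS = {}      # username -> (salt, derived_key)
SESSIONS = {}   # token -> {"user": ..., "expires": ...}


def derive_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username, password):
    # Per-user random salt; the plaintext password is never stored.
    salt = os.urandom(16)
    USERS[username] = (salt, derive_key(password, salt))


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        derive_key(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(derive_key(password, salt), stored)


def login(username, password, now=None):
    # Returns a fresh, unpredictable session token, or None on failure.
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return token


def current_user(token, now=None):
    # Resolves a token to a username; expired tokens are removed and rejected.
    session = SESSIONS.get(token)
    if session is None:
        return None
    now = time.time() if now is None else now
    if now > session["expires"]:
        SESSIONS.pop(token, None)
        return None
    return session["user"]


def logout(token):
    # Server-side invalidation, so a token that leaked after logout is useless.
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    tok = login("alice", "correct horse battery staple")
    print(current_user(tok))   # alice
    logout(tok)
    print(current_user(tok))   # None
```

A new token is issued on every successful login rather than reused, and the token is the only thing the client holds; the username and expiry live on the server, which is what makes `logout` and expiry enforceable.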

OWASP-C6: Protect Data and Privacy

Data encryption at rest or in transit.

Prevents:

A6-Sensitive Data Exposure
Sensitive data needs extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

OWASP-C7: Implement Logging, Error Handling and Intrusion Detection

Prevents:

A1-Injection
A2-Broken Authentication and Session Management
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards
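The page gives no description for C7, so the following added example (not from the OWASP page) shows the three parts of the control together: structured security event logging, a simple intrusion-detection rule that counts failed logins per source address inside a sliding window, and an error handler that logs the detail but returns a generic message. The event format, field names, threshold and sample events are constructed for the example.

```python
import json
import logging
from collections import defaultdict, deque

logger = logging.getLogger("security")


def log_security_event(event, **fields):
    # One JSON object per event so a SIEM can parse it; never log the secret
    # itself (password, token), only the fact and the context.
    record = {"event": event, **fields}
    logger.warning(json.dumps(record, sort_keys=True))
    return record


class FailedLoginDetector:
    """Flags a source IP that reaches `threshold` failed logins within `window` seconds."""

    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # src_ip -> timestamps of recent failures

    def observe(self, event):
        # Returns an alert record when the rule fires, otherwise None.
        if event["event"] != "auth.failure":
            return None
        recent = self.failures[event["src_ip"]]
        recent.append(event["ts"])
        while recent and event["ts"] - recent[0] > self.window:
            recent.popleft()               # drop failures outside the window
        if len(recent) >= self.threshold:
            return log_security_event("intrusion.bruteforce_suspected",
                                      src_ip=event["src_ip"],
                                      count=len(recent), window=self.window)
        return None


def safe_error_response(exc):
    # Detail goes to the log; the client gets a generic message (no stack
    # traces, connection strings or internal paths in the response).
    log_security_event("app.error", type=type(exc).__name__, detail=str(exc))
    return {"status": 500, "message": "An internal error occurred."}


# Constructed sample events: one stale failure (outside the window), six rapid
# failures from one address, and a single failure from another.
SAMPLE_EVENTS = (
    [{"ts": 900, "event": "auth.failure", "src_ip": "198.51.100.7", "user": "alice"}]
    + [{"ts": 1000 + i, "event": "auth.failure", "src_ip": "198.51.100.7", "user": "alice"}
       for i in range(6)]
    + [{"ts": 1010, "event": "auth.failure", "src_ip": "203.0.113.9", "user": "bob"}]
)


def run_detector(events, threshold=5, window=60):
    # Feeds events through a detector and returns the alerts it raised, in order.
    detector = FailedLoginDetector(threshold, window)
    return [alert for alert in (detector.observe(e) for e in events) if alert]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for alert in run_detector(SAMPLE_EVENTS):
        print(alert)
    print(safe_error_response(RuntimeError("db connection failed")))
```

The detector fires on the fifth and sixth failures from `198.51.100.7` and ignores the failure at `ts` 900 because it falls outside the 60-second window; `203.0.113.9` never reaches the threshold. The same structured events that feed the rule are what an incident responder will later read, which is why the control bundles logging and detection together.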

OWASP-C8: Leverage Security Features of Frameworks and Security Libraries

Starting from scratch when it comes to developing security controls leads to wasted time and massive security holes. Secure coding libraries help developers guard against security-related design and implementation flaws. It is critical to keep these frameworks and libraries up to date.

For example:

  • Choose a good database ORM
  • Choose a framework with good access control already built in
  • Choose a framework that already has integrated CSRF protection

Prevents:

A1-Injection
A2-Broken Authentication and Session Management
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards

OWASP-C9: Include Security-Specific Requirements

It is important to consider security requirements from the early stages of the software development lifecycle. There are two types of security requirements:

  • Functional requirements (visible and QA-testable features in the application)
  • Non-functional requirements (invisible / not testable by QA staff)

Security Requirements include:

  • Confidentiality requirements
  • Integrity requirements
  • Authentication & authorization requirements
  • Auditing and logging requirements
  • Session management requirements
  • Errors and exception management requirements
  • Configuration parameters requirements
  • Archiving requirements
  • Legal and Compliance Constraints

Prevents:

A1-Injection
A2-Broken Authentication and Session Management
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards

OWASP-C10: Design and Architect Security In

Design considerations:

  • Confidentiality
  • Availability
  • Authentication
  • Auditing/Logging
  • Least privilege
  • Separation of duties
  • Defence in depth
  • Fail secure

Prevents:

A1-Injection
A2-Broken Authentication and Session Management
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control
A8-Cross-Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Unvalidated Redirects and Forwards