
Top 10 2007-Where to Go From Here

From OWASP
Revision as of 08:22, 27 May 2009 by Deleted user (talk | contribs)





The OWASP Top 10 is just the beginning of your web application security journey.

"The world's six billion people can be divided into two groups: group one, who know why every good software company ships products with known bugs; and group two, who don't. Those in group 1 tend to forget what life was like before our youthful optimism was spoiled by reality. Sometimes we encounter a person in group two … who is shocked that any software company would ship a product before every last bug is fixed." (Eric Sink, Guardian, May 25, 2006)

Most of your users and customers are in group two. How you deal with this problem is an opportunity to improve your code and the state of web application security in general. Billions of dollars are lost every year, and many millions of people suffer identity theft and fraud due to the vulnerabilities discussed in this document.

For Architects and Designers

To properly secure your applications, you must know what you are securing (asset classification), know the threats and risks of insecurity, and address these in a structured way. Designing any non-trivial application requires a good dose of security.

  • Ensure that you apply "just enough" security based upon threat risk modeling and asset classification. However, as compliance laws (SOX, HIPAA, Basel, etc.) place increasing burdens, it may be appropriate to invest more time and resources than the minimum requires today, particularly if best practice is well known and is considerably tougher than that minimum
  • Ask questions about business requirements, particularly missing non-functional requirements
  • Work through the OWASP Secure Software Contract Annex with your customer
  • Encourage safer design – include defense in depth and simpler constructs through using threat modeling (see [HOW1] in the book references)
  • Ensure that you have considered confidentiality, integrity, availability, and non-repudiation
  • Ensure your designs are consistent with security policy and standards, such as COBIT or PCI DSS 1.1

For Developers

Many developers already have a good handle on web application security basics. Effective mastery of the web application security domain, however, requires practice. Anyone can destroy (i.e. perform penetration testing) – it takes a master to build secure software. Aim to become a master.

  • Consider joining OWASP and attending local chapter meetings
  • Ask for secure code training if you have a training budget. Ask for a training budget if you don’t have one
  • Design your features securely – consider defense in depth and simplicity in design
  • Adopt coding standards which encourage safer code constructs
  • Refactor existing code to use safer constructs in your chosen platform, such as parameterized queries
  • Review the OWASP Development Guide and start applying selected controls to your code. Unlike most security guides, it is designed to help you build secure software, not break it
  • Test your code for security defects and make this part of your unit and web testing regime
  • Review the book references, and see if any of them are applicable to your environment
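One way to put two of the items above into practice, refactoring to parameterized queries and testing the result as part of the unit test regime, shown as an added example that is not code from the OWASP page. The users table, the sample rows and the function names are constructed for this illustration; the "before" function keeps the string-concatenation defect on purpose so its behaviour can be compared with the safer construct.

```python
import sqlite3

# Constructed sample data for this example; the name with an apostrophe
# is a legitimate value that the concatenated query cannot handle.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_concatenated(conn, name):
    """The 'before' construct: the value is spliced into the SQL text,
    so any quote in it changes the statement rather than the data."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_email_parameterized(conn, name):
    """The safer construct: the statement text is fixed and the value is
    bound as a parameter, so the database always treats it as data."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def concatenated_breaks(name):
    """Returns True when the concatenated lookup cannot even execute for
    this name; a unit test can use this to flag the unsafe construct."""
    conn = make_db()
    try:
        find_email_concatenated(conn, name)
        return False
    except sqlite3.Error:
        return True


def lookup_is_safe(name):
    """Unit-test style check: the parameterized lookup must return exactly
    the row for the literal name, and nothing for names that do not exist."""
    conn = make_db()
    expected = dict(SAMPLE_USERS).get(name)
    return find_email_parameterized(conn, name) == expected
```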

For Open Source Projects

Open source is a particular challenge for web application security. There are literally millions of open source projects, from one-developer personal projects through to major projects such as Apache and Tomcat, and large-scale web applications such as PostNuke.

  • Consider joining OWASP and attending local chapter meetings
  • If your project has more than 4 developers, consider making at least one developer a security person
  • Design your features securely – consider defense in depth and simplicity in design
  • Adopt coding standards which encourage safer code constructs
  • Adopt a responsible disclosure policy to ensure that security defects are handled properly
  • Review the book references, and see if any of them are applicable to your environment

For Application Owners

Application owners in commercial settings are often time and resource constrained. Application owners should:

  • Work through the OWASP Secure Software Contract Annex with the software producers
  • Ensure business requirements include non-functional requirements (NFRs) such as security requirements
  • Encourage designs which include secure by default features, defense in depth and simplicity in design
  • Employ (or train) developers who have a strong security background
  • Test for security defects throughout the project: design, build, test, and deployment
  • Allow resources, budget and time in the project plan to remediate security issues

For C-level Executives

Your organization must have a secure development life cycle (SDLC) in place that suits your organization. Vulnerabilities are much cheaper to fix in development than after your product ships. A reasonable SDLC not only includes testing for the Top 10; it also includes:

  • For off the shelf software, ensure purchasing policies and contracts include security requirements
  • For custom code, adopt secure coding principles in your policies and standards
  • Train your developers in secure coding techniques and ensure they keep these skills up to date
  • Include security-relevant code analysis tools in your budget
  • Notify your software producers of the importance of security to your bottom line
  • Train your architects, designers, and business people in web application security fundamentals
  • Consider using third-party code auditors, who can provide an independent assessment
  • Adopt responsible disclosure practices and build a process to properly respond to vulnerability reports for your products

