As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way.
Requirements can be drawn from industry standards, applicable laws, and a history of past vulnerabilities. A good place to start a search for requirements is the OWASP Application Security Verification Standard (ASVS), a catalog of security requirements and verification criteria. The checklists that follow are general lists that are categorised to follow the controls listed in the
OWASP Top 10 Proactive Controls project. These checklists provide suggestions that certainly should be tailored to
an individual project’s requirements and environment; they are not meant to be followed in their entirety. In the Snyk app, as we deal with data of our users and our own, it is crucial that we treat our application with the out-most care in terms of its security and privacy, protecting it everywhere needed.
Leverage security frameworks and libraries
As software becomes the foundation of our digital—and sometimes even physical—lives, software security is increasingly important. But developers have a lot on their plates and asking them to become familiar with every single vulnerability category under the sun isn’t always feasible. Even for security practitioners, it’s overwhelming to keep up with every new vulnerability, attack vector, technique, and mitigation bypass. Developers are already wielding new languages and libraries at the speed of DevOps, agility, and CI/CD. OWASP Top 10 Proactive Controls describes the most important control and control categories that every architect and developer should absolutely, 100% include in every project. The Top 10 Proactive Controls are by developers for developers to assist those new to secure development.
This document is intended to provide initial awareness around building secure software. This document will also provide a good foundation of topics to help drive introductory software security developer training. These controls should be used consistently and thoroughly throughout all applications. However, this document should be seen as a starting point rather than a comprehensive set of techniques and practices. In order to achieve secure software, developers must be supported and helped by the organization they author code for.
Link to the OWASP Top 10 Project
You do this through passwords, multi-factor authentication, or cryptography. Use these techniques to prevent injection and cross-site scripting vulnerabilities as well as client-side injection vulnerabilities. Just as you’d often leverage the typing system, like TypeScript, to ensure expected and valid variables are passed around your code, you should also be validating the input you received matches your expectations or models of that data. Make sure you track the use of open source libraries and maintain an inventory of versions, their licenses and vulnerabilities such as OWASP’s top 10 vulnerabilities using tools like OWASP’s Dependency Check or Snyk. Discover tips, technical guides, and best practices in our monthly newsletter for developers.
- Just as functional requirements are the basis of any project and something we need to do before writing the first line of code, security requirements are the foundation of any secure software.
- Instead, you build proper controls in the presentation layer, such as the browser, to escape any data provided to it.
It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game. This approach owasp top 10 proactive controls is suitable for adoption by all developers, even those who are new to software security. The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control number 1 being the most important.