Developers writing an app from scratch often don’t have the time, knowledge, or budget to implement security properly. Using secure coding libraries and software frameworks owasp top 10 proactive controls can help address the security goals of a project. For example, an application may allow a user to select a four-digit “account ID” to perform some kind of operation.
If user input at any point of time will be part of the response to user, then it should be encoded. If proper output encoding has been implemented, then even if malicious input was sent, it will not be executed and will be shown as plain text on the client side. OWASP ProActive Controls is a document prepared for developers who are developing or are new to developing software/application with secure software development. This OWASP project lists 10 controls that can help a developer implement secure coding and better security inside the application while it is being developed. Following these secure application development controls ensures that the key areas of the development cycle have secure coding along with traditional coding practices. Security requirements provide a foundation of vetted security functionality for an application.
Access Control Design Principles¶
Secure access to databases can help thwart injection attacks, which are on the OWASP Top 10 list, and weak server-side control flaws, which are on the OWASP Mobile Top 10 list of vulnerabilities. Access to all data stores, including relational and NoSQL, should be secure. Take care to prevent untrusted input from being recognized as part of an SQL command. Turn on security settings of database management systems if those aren’t on by default. Next, you review how the application stacks up against the security requirements and document the results of that review.
To solve this problem, access control or authorization checks should always be centralized. All user requests to access some page or database or any information should pass through the central access control check only. One of the most important ways to build a secure web application is to restrict what type of input a user is allowed to submit. Input validation means validating what type of input is acceptable and what is not. Input validation is important because it restricts the user to submit data in a particular format only, no other format is acceptable. This is beneficial to an application, because a valid input cannot contain malicious data and can be further processed easily.
The OWASP ASVS¶
Exception handling can be important in intrusion detection, too, because sometimes attempts to compromise an app can trigger errors that raise a red flag that an app is under attack. When you’ve protected data properly, you’re helping to prevent sensitive data exposure vulnerabilities and insecure data storage problems. Strong authentication can prevent vulnerabilities such as broken authentication and session management, and poor authentication and authorization. Although there’s a movement to eliminate passwords, they remain, and probably will remain, an important component of authentication. You need to create policies for password length, composition, and shelf life, you must store them securely, and you must make provisions for resetting them when users forget them or if they’re compromised.
For example, if a user logs out from his/her account, but he/she is redirected to some page, but session is not invalidated properly, a post-login page is opened without asking for re-authentication. Another example can be a session cookie for pre- and post-login being same. Depending upon the programming language a developer uses to build an application, regular expression can easily be implemented in it. Another advantage of regular expressions is that there are many industry tested regular expressions for all popular input types. So you don’t have to write one from scratch and then get it security tested.