Education Track: What Developers Should Know on Web Application Security

Revision as of 13:24, 26 July 2007 by Sdeleersnyder (Talk | contribs)

Jump to: navigation, search

Track Overview

Application security is an essential component of any successful project; this includes web applications, open source PHP applications, web services and proprietary business web sites.

Web application security education and awareness is needed throughout the entire development and deployment organization. Each area and level of development or deployment organizations have specific needs and requirements regarding web application security education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

The OWASP Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

This Education Track provides in a 4 hour session covering what developers should know on web application security. It starts with an explanation of web application security and why it is important. Then the OWASP Top 10 is used to explain the nastiest vulnerabilities and how these can be prevented or remediated. A secure coding initiative must deal with all stages of a program’s lifecycle. Secure web applications are only possible when a secure SDLC is used. The SDLC is explained from the standpoint of people, processes and tools. Finally the track finishes with an exhaustive list of web application security resources for web application developers.

Track Audience

The track audience is web application developers unaware there are security issues with contemporary web applications. No prior knowledge of web application security is assumed nor necessary. This track is independent of the coding language or web frameworks used; like PHP, JSF, Java EE or .NET.

We must realize that web application developers are only one link - albeit an important one - of the chain that represents the security of a web application. This track aims to make that link as secure as possible, given the constraint of 4 hours.

Another important aspect is that web application security should be tailored to the risk profile of an organization and the specific development environment of that organization.

Table of Contents Proposal

The challenge is to cover web application security in 4 hours to a web application developer. This is presented in such a way that the developers will be able to recognize and correct web application vulnerabilities in their projects.

  • Why WebAppSec matters
  • What goes wrong
  • WebAppSec Defined
  • Current trends
  • OWASP Top 10 Introduction & Remedies
  • Cross Site Scripting (XSS)
  • Injection Flaws
  • Malicious File Execution
  • Insecure Direct Object Reference
  • Cross Site Request Forgery (CSRF)
  • Information Leakage and Improper Error Handling
  • Broken Authentication and Session Management
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Failure to Restrict URL Access
  • Embed within SDLC (People, Processes & Tools)
  • People Awareness and Education
  • Development WebAppSec Controls
  • Deployment WebAppSec Controls
  • WebAppSec Tools
  • Good WebAppSec Resources (not limited to OWASP)
  • Hard Copy
  • Web Sites
  • Mailing lists
  • Blogs
  • RoundUp