Difference between revisions of "Getting Started"

From OWASP
Jump to: navigation, search
(Where Should I Start?)
(24 intermediate revisions by 7 users not shown)
Line 1: Line 1:
'''Getting Started in Application Security'''
+
==Getting started in application security==
  
Application security is simply the process of developing, maintaining, and purchasing applications that your organization can trust. However, application security is inextricably tied into almost every aspect of organizations' information technology, and can be maddeningly difficult to tackle. This "Getting Started" page is intended to provide a roadmap of the various topics in application security and where OWASP materials can help you and your organization master them.
+
Application security is simply everything involved in developing, maintaining, and purchasing applications that your organization can trust. However, application security is inextricably tied into almost every aspect of your organizations' information technology, and can be maddeningly difficult to tackle. This "Getting Started" page is intended to provide a roadmap of the various topics in application security and where OWASP materials can help you and your organization master them. As the saying goes, when it comes to application security, there are really two types of organization - those who don't know their code is insecure, and those that do.
  
==Application Security Overview==
+
==Searching for application security information==
  
Drivers, market, business reasons. Links to articles about metrics, ROI, need for application security, what other companies are doing.
+
We are working hard to organize the world's application security information. But it's fair to say we have a very long way to go. There is a [[Special:Search|simple search engine]] built into the OWASP site, but it's not that great.  
  
==Where Should I Start?==
+
That's why we set up a [http://www.owasp.org/google/results.html custom Google search engine] that indexes not only OWASP, but dozens of websites. We've tagged the sites as being commercial, open-source, products, services, etc... so that you can filter the information about application security.
  
If you're wondering whether your software really has application security weaknesses, then the best thing to do is to find out. You can do this in a number of ways, but the simplest is to do a [[security review]] of a few of your applications. The review should analyze all the major security areas by using a combination of [[application vulnerability scanning]], [[security code review]], [[application penetration testing]], and [[static code analysis]]. Then based on some actual results, which should verify areas that are well designed and built as well as identify weaknesses, you can make an informed decision about how to proceed.
+
As a last resort, you can also just [[Special:Allpages|get a list]] of all the pages if you know a word in the title.
  
If you've already come to the conclusion that your project or organization is not producing secure code, then you should consider what [[:Category:Activities|organizational improvements]] are most likely to improve your ability. One popular place to start is [[developer security training]], as it is relatively inexpensive and has immediate effects. However, you may want to consider doing a [[capability appraisal]] of your organization to find out what changes are likely to e the most effective. Also, you might consider defining a risk model, creating organization roles and teams, establishing standards or coding guidelines, or introducing some security activities into your software development lifecycle before doing the training.
+
==Why is application security so hard?==
  
==About Threats, Vulnerabilities, and Countermeasures==
+
If you haven't read it lately, check out Fred Brooks' great article, "[http://www.cs.nott.ac.uk/~cah/G51ISS/Documents/NoSilverBullet.html No Silver Bullet]". In it, Brooks discusses both "accidental" and "essential" difficulties of producing software. We created the accidental difficulties ourselves, by making our languages, compilers, and environments more difficult than they need to be. But the essential difficulties are fundamental problems that will always be with us. Brooks considers four inherent properties of software that help explain the difficulty of software security - complexity, conformity, changeability, and invisibility.
  
A good way to start learning about application security is by understanding software threats, vulnerabilities, and countermeasures. A good overview of the most critical of these is the OWASP [[OWASP_Top_Ten_Project|Top Ten]] awareness document. This is a short paper that describes the most critical vulnerabilities, how to find them, and what to do to protect against them in your application.
+
==If you're wondering if your code has vulnerabilities...==
  
One of the best ways to learn about application security is to study some real vulnerabilities and learn how they work. OWASP has developed [[OWASP_WebGoat_Project|WebGoat]] to provide hands-on examples of application security to learn from. WebGoat is a full J2EE application and training environment that contains real vulnerabilities to experiment with and learn from. [[OWASP_WebScarab_Project|WebScarab]] is a powerful web application penetration testing tool that can use to test applications. For further reference, you can read all about each of the [[:Category:Vulnerability|vulnerabilities]] on the OWASP website to learn more.
+
If you're wondering whether your software really has application security weaknesses, then the best thing to do is to find out. You can do this in a number of ways, but the simplest is to do an [[CLASP_Best_Practices#Perform_application_assessments|application assessment]] of a few of your applications. The review should analyze all the major security areas by using a combination of [[Vulnerability Scanning|vulnerability scanning]], [[:Category:OWASP Code Review Project|code review]], [[:Category:OWASP Testing Project|penetration testing]], and [[Perform source-level security review|static analysis]]. Then based on some actual results, which should verify areas that are well designed and built as well as identify weaknesses, you can make an informed decision about how to proceed.
  
==The OWASP Folksonomy Approach to Organizing Application Security==
+
==If you already know your code is vulnerable...==
  
Keep in mind as you learn that there are different ways of organizing all the different aspects of application security. [[Attempts]] to force these topics into a strict taxonomy have failed because there are too many dimensions to the problem. At OWASP, we have adopted the [[folksonomy]] tagging approach to solving this problem. We simply tag our articles with a number of different categories. You can use these category to help get different views into the complex, interconnected set of topics that is application security.
+
If you've already come to the conclusion that your project or organization is not producing secure code, then you should consider what [[:Category:Activity|organizational improvements]] are most likely to improve your ability. One popular place to start is [[CLASP_Best_Practices#Institute_awareness_programs|instituting an awareness program]] for developers and managers, as it is relatively inexpensive and has immediate effects. However, you may want to consider doing an [[:Category:OWASP CLASP Project|application security capability appraisal]] of your organization to find out what changes are likely to be the most effective. Also, you might consider defining a risk model, creating organization roles and teams, establishing standards or coding guidelines, or introducing some security activities into your software development lifecycle before doing the training.
  
Each article is tagged with as many of the following tags as reasonably apply:
+
==About threats, vulnerabilities, and countermeasures==
  
{| border="1" cellspacing="0" cellpadding="5" align="center"
+
A good way to start learning about application security is by understanding software [[:Category:Principle|principles]], [[:Category:Threat Agent|threats]], [[:Category:Attack|attack]], [[:Category:Vulnerability|vulnerabilities]], and [[:Category:Countermeasure|countermeasures]]. A good overview of the most critical of these is the [[OWASP_Top_Ten_Project|OWASP Top Ten]] awareness document. This is a short paper that describes the most critical vulnerabilities, how to find them, and what to do to protect against them in your application.
| Type of Article
+
| [[:Category:Threat|Threat]], [[:Category:Vulnerability|Vulnerability]], [[:Category:Countermeasure|Countermeasure]], [[:Category:Code Snippet|Code Snippet]], [[:Category:How To|How To]], [[:Category:Activity|Activity]]
+
|-
+
| Level of Abstraction
+
| [[:Category:Implementation|Implementation]], [[:Category:Design|Design]], [[:Category:Architecture|Architecture]], [[:Category:Business|Business]]
+
|-
+
| Related Countermeasures
+
| [[:Category:Authentication|Authentication]], [[:Category:Session Management|Session Management]], [[:Category:Access Control|Access Control]], [[:Category:Input Validation|Input Validation]], [[:Category:Error Handling|Error Handling]], [[:Category:Logging|Logging]], [[:Category:Encryption|Encryption]], [[:Category:Quotas|Quotas]]
+
|-
+
| Likelihood Factors
+
| [[:Category:Attractive|Attractive]], [[:Category:Tools Required|Tools Required]], [[:Category:Expertise Required|Expertise Required]]
+
|-
+
| Business Impact Factors
+
| [[:Category:Confidentiality|Confidentiality]], [[:Category:Integrity|Integrity]], [[:Category:Availability|Availability]]
+
|-
+
| Application Platforms
+
| [[:Category:Java|Java]], [[:Category:.NET|.NET]], [[:Category:PHP|PHP]], [[:Category:C|C/C++]]
+
|-
+
| Software Lifecycle Activites
+
| [[:Category:Planning|Planning]], [[:Category:Requirements|Requirements]], [[:Category:Architecture|Architecture]], [[:Category:Design|Design]], [[:Category:Implementation|Implementation]], [[:Category:Test|Test]],  [[:Category:Deployment|Deployment]], [[:Category:Operation|Operation]], [[:Category:Maintenance|Maintenance]]
+
|-
+
| Application Security Activites
+
| [[:Category:Threat Modeling|Threat Modeling]], [[:Category:Security Architecture|Security Architecture]], [[:Category:Security Requirements|Security Requirements]], [[:Category:Secure Coding|Secure Coding]], [[:Category:Penetration Testing|Penetration Testing]], [[:Category:Code Review|Code Review]], [[:Category:Secure Deployment|Secure Deployment]]
+
|-
+
| Other Application Security Categories
+
| [[:Category:Role|Role]], [[:Category:Tool|Tool]]
+
|}
+
  
==Do You Have Vulnerabilities in Your Applications?==
+
Another great way to learn about application security is to study some real vulnerabilities and learn how they work. OWASP has developed [[:Category:OWASP_WebGoat_Project|WebGoat]] to provide hands-on examples of application security to learn from. WebGoat is a full J2EE application and training environment that contains real vulnerabilities to experiment with and learn from. [[:Category:OWASP_WebScarab_Project|WebScarab]] is a powerful web application penetration testing tool that you can use to test applications. For further reference, you can read all about each of the [[:Category:Vulnerability|vulnerabilities]] on the OWASP website to learn more.
  
A writeup about application vulnerabilities, how to find them,  and how to figure out their risk. This section would give people the background on the technologies and types of mistakes people make. Links to articles about:
+
==What are the root causes of application vulnerabilities?==
  Design flaws and Implementation Bugs
+
  Approaches to finding vulnerabilities
+
  Common areas (Top 10)
+
  
==What Are the Root Causes of Application Vulnerabilities?==
+
Once you've learned about risk model, you should think about how those problems come into existence. Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right [[:Category:Activity|activities]] in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job. But every vulnerability is a reason to investigate, find out why it happened, and make some organizational changes. You can find more information about improving your capability in the [[:Category:OWASP CLASP Project|OWASP CLASP Project]].
  
A writeup of how vulnerabilities get created and left undiscovered. This section points out weaknesses in most software development lifecycles.  At a project level, this section talks about problems in staffing, roles, responsibilities, budget, and technology.  At the organizational level, this section links to information about management structure, how to raise global organizataion awareness, establishing metrics, and standardizing technologies to help.
+
__NOTOC__
 
+
==Improving Application Security In Your Project==
+
 
+
A writeup of how application security fits into the software development lifecycle. The discussion would link to templates, tools, additional reading. (This is not intended to be a complete list (yet))
+
  Security Requirements
+
  Threat Modeling
+
  Architecture Review
+
  Code Review
+
  Penetration Testing
+
  Vulnerability Scanning
+
  Project Responsibility and Roles
+
  Budget
+
 
+
==Improving Application Security Across Your Organization==
+
 
+
The discussion would link to templates, tools, additional reading. (This is not intended to be a complete list (yet))
+
  Training and Awareness
+
  Application Security Teams (Infosec, Audit, Appsec, CSO)
+
  Metrics
+
  Policies
+
  Templates
+
  Standard Tools
+
  Legal
+
  Community of Interest
+
  Executive Responsibility and Roles
+
  Organizational Budget
+

Revision as of 15:01, 13 September 2012

Getting started in application security

Application security is simply everything involved in developing, maintaining, and purchasing applications that your organization can trust. However, application security is inextricably tied into almost every aspect of your organizations' information technology, and can be maddeningly difficult to tackle. This "Getting Started" page is intended to provide a roadmap of the various topics in application security and where OWASP materials can help you and your organization master them. As the saying goes, when it comes to application security, there are really two types of organization - those who don't know their code is insecure, and those that do.

Searching for application security information

We are working hard to organize the world's application security information. But it's fair to say we have a very long way to go. There is a simple search engine built into the OWASP site, but it's not that great.

That's why we set up a custom Google search engine that indexes not only OWASP, but dozens of websites. We've tagged the sites as being commercial, open-source, products, services, etc... so that you can filter the information about application security.

As a last resort, you can also just get a list of all the pages if you know a word in the title.

Why is application security so hard?

If you haven't read it lately, check out Fred Brooks' great article, "No Silver Bullet". In it, Brooks discusses both "accidental" and "essential" difficulties of producing software. We created the accidental difficulties ourselves, by making our languages, compilers, and environments more difficult than they need to be. But the essential difficulties are fundamental problems that will always be with us. Brooks considers four inherent properties of software that help explain the difficulty of software security - complexity, conformity, changeability, and invisibility.

If you're wondering if your code has vulnerabilities...

If you're wondering whether your software really has application security weaknesses, then the best thing to do is to find out. You can do this in a number of ways, but the simplest is to do an application assessment of a few of your applications. The review should analyze all the major security areas by using a combination of vulnerability scanning, code review, penetration testing, and static analysis. Then based on some actual results, which should verify areas that are well designed and built as well as identify weaknesses, you can make an informed decision about how to proceed.

If you already know your code is vulnerable...

If you've already come to the conclusion that your project or organization is not producing secure code, then you should consider what organizational improvements are most likely to improve your ability. One popular place to start is instituting an awareness program for developers and managers, as it is relatively inexpensive and has immediate effects. However, you may want to consider doing an application security capability appraisal of your organization to find out what changes are likely to be the most effective. Also, you might consider defining a risk model, creating organization roles and teams, establishing standards or coding guidelines, or introducing some security activities into your software development lifecycle before doing the training.

About threats, vulnerabilities, and countermeasures

A good way to start learning about application security is by understanding software principles, threats, attack, vulnerabilities, and countermeasures. A good overview of the most critical of these is the OWASP Top Ten awareness document. This is a short paper that describes the most critical vulnerabilities, how to find them, and what to do to protect against them in your application.

Another great way to learn about application security is to study some real vulnerabilities and learn how they work. OWASP has developed WebGoat to provide hands-on examples of application security to learn from. WebGoat is a full J2EE application and training environment that contains real vulnerabilities to experiment with and learn from. WebScarab is a powerful web application penetration testing tool that you can use to test applications. For further reference, you can read all about each of the vulnerabilities on the OWASP website to learn more.

What are the root causes of application vulnerabilities?

Once you've learned about risk model, you should think about how those problems come into existence. Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right activities in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job. But every vulnerability is a reason to investigate, find out why it happened, and make some organizational changes. You can find more information about improving your capability in the OWASP CLASP Project.