Getting Started in Application Security
Application security is simply the process of developing, maintaining, and purchasing applications that your organization can trust. However, application security is inextricably tied into almost every aspect of organizations' information technology, and can be maddeningly difficult to tackle. This "Getting Started" page is intended to provide a roadmap of the various topics in application security and where OWASP materials can help you and your organization master them.
Application Security Overview
Drivers, market, and business reasons. Links to articles about metrics, ROI, the need for application security, and what other companies are doing.
A good way to start learning about application security is by understanding software vulnerabilities. A good overview of the most critical application vulnerabilities is the OWASP Top Ten awareness document. This is a short paper that describes the most critical vulnerabilities, how to find them, and what to do to protect against them in your application.
One of the best ways to learn about vulnerabilities is to study some real vulnerabilities and learn how they work. OWASP has developed WebGoat to provide hands-on examples of application vulnerabilities to learn from. WebGoat is a full J2EE application and training environment that contains real vulnerabilities to experiment with and learn from. You can read all about each of the vulnerabilities on the OWASP website to learn more.
Keep in mind as you learn that there are different ways of organizing vulnerabilities. Attempts to force vulnerabilities into a strict taxonomy mostly fail, because there are so many dimensions to each vulnerability. At OWASP, we have adopted the "folksonomy" tagging approach, and simply tag vulnerabilities with labels that make sense. You can use these tags to help get different views into all the different types of vulnerabilities.
Some of the key attributes of a vulnerability are:
- The level of abstraction of the description (e.g. Category:Implementation Bug, Category:Design Flaw, Category:Business Problem)
- The associated security mechanism (e.g. Category:Authentication, Category:Access Control, Category:Input Validation, Category:Error Handling, Category:Logging, Category:Encryption, etc.)
- The business impact of a successful exploit (e.g. Category:Corruption, Category:Disclosure, Category:Denial of Service)
- The factors indicating likelihood of an exploit (e.g. Category:Attractiveness, Category:Expertise Required, etc.)
A writeup about application vulnerabilities and how to figure out their risk. This section would give people the background on the technologies and types of mistakes people make. Links to articles about:
- Design Flaws and Implementation Bugs
- Common Areas (Top 10)
Root Causes of Vulnerabilities
A writeup of how vulnerabilities get created and left undiscovered. This section points out weaknesses in most software development lifecycles. At the project level, this section talks about problems in staffing, roles, responsibilities, budget, and technology. At the organizational level, this section links to information about management structure, how to raise global organization awareness, establishing metrics, and standardizing technologies to help.
A writeup of how application security fits into the software development lifecycle. The discussion would link to templates, tools, additional reading. (This is not intended to be a complete list (yet))
- Security Requirements
- Threat Modeling
- Architecture Review
- Code Review
- Penetration Testing
- Vulnerability Scanning
- Project Responsibility and Roles
- Budget
The discussion would link to templates, tools, additional reading. (This is not intended to be a complete list (yet))
- Training and Awareness
- Application Security Teams (Infosec, Audit, Appsec, CSO)
- Metrics
- Policies
- Templates
- Standard Tools
- Legal
- Community of Interest
- Executive Responsibility and Roles
- Organizational Budget