Getting started in application security
Application security is the process of developing, maintaining, and purchasing applications that your organization can trust. However, application security is inextricably tied to almost every aspect of your organization's information technology, and it can be maddeningly difficult to tackle. This "Getting Started" page is intended to provide a roadmap of the various topics in application security and to show where OWASP materials can help you and your organization master them.
As the saying goes, when it comes to application security there are really two types of organization: those that don't know their code is insecure, and those that do.
If you're wondering if your code has vulnerabilities...
If you're wondering whether your software really has application security weaknesses, the best thing to do is to find out. You can do this in a number of ways, but the simplest is to perform a security review of a few of your applications. The review should cover all the major security areas by combining application vulnerability scanning, security code review, application penetration testing, and static code analysis; no single technique finds every class of problem, so the combination matters. The results should identify weaknesses, but they should also confirm which areas are well designed and built. With actual findings in hand, you can make an informed decision about how to proceed.
If you already know you're vulnerable...
If you've already concluded that your project or organization is not producing secure code, then you should consider which organizational improvements are most likely to improve your ability to do so. One popular place to start is developer security training, as it is relatively inexpensive and has immediate effects. However, you may want to consider doing a capability appraisal of your organization first, to find out which changes are likely to be the most effective. You might also consider defining a risk model, creating organizational roles and teams, establishing standards or coding guidelines, or introducing some security activities into your software development lifecycle before doing the training.
About threats, vulnerabilities, and countermeasures
A good way to start learning about application security is by understanding software threats, vulnerabilities, and countermeasures. A good overview of the most critical of these is the OWASP Top Ten awareness document, a short paper that describes the most critical vulnerabilities, how to find them, and how to protect against them in your application.
Another great way to learn about application security is to study some real vulnerabilities and learn how they work. OWASP has developed WebGoat to provide hands-on examples of application security to learn from. WebGoat is a full J2EE application and training environment that contains real vulnerabilities to experiment with. WebScarab is a powerful web application penetration testing tool that you can use to test applications. For further reference, you can read about each of the vulnerabilities on the OWASP website.
What are the root causes of application vulnerabilities?
Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right activities in its development process, that the developers didn't have the right training, or that the team didn't have the right tools for the job. Either way, every vulnerability is a reason to investigate, find out why it happened, and make organizational changes so that it does not recur.
Improving application security in your project
A writeup of how application security fits into the software development lifecycle. The discussion would link to templates, tools, and additional reading. (This is not yet intended to be a complete list.)
Security Requirements
Threat Modeling
Architecture Review
Code Review
Penetration Testing
Vulnerability Scanning
Project Responsibility and Roles
Budget
Improving application security across your organization
The discussion would link to templates, tools, and additional reading. (This is not yet intended to be a complete list.)
Training and Awareness
Application Security Teams (Infosec, Audit, Appsec, CSO)
Metrics
Policies
Templates
Standard Tools
Legal
Community of Interest
Executive Responsibility and Roles
Organizational Budget