Difference between revisions of "Top 10 2007-Where to Go From Here"

From OWASP
Jump to: navigation, search
 
(2 intermediate revisions by one user not shown)
Line 1: Line 1:
[http://s1.shard.jp/galeach/new98.html 1960s american asian civil in right
 
] [http://s1.shard.jp/galeach/new92.html asian escort independent london
 
] [http://s1.shard.jp/galeach/new194.html adventure asia international
 
] [http://s1.shard.jp/losaul/online-clothing.html drug law in australia
 
] [http://s1.shard.jp/losaul/australia-jeri.html australia jeri survivor] [http://s1.shard.jp/frhorton/mgsbz3g84.html african american extreme sports] [http://s1.shard.jp/olharder/automobile-accident.html automobile accident report form] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/galeach/new75.html asian style home design
 
] [http://s1.shard.jp/olharder/autoimmune-hashimotos.html automatic coupler jaw
 
] [http://s1.shard.jp/olharder/chery-automobile.html duplicate automobile title
 
] [http://s1.shard.jp/olharder/autoroll-654.html http] [http://s1.shard.jp/losaul/polo-photography.html kenyan high commission australia
 
] [http://s1.shard.jp/bireba/norotn-antivirus.html norton antivirus internet security order
 
] [http://s1.shard.jp/olharder/auto-buy-com.html canta autores
 
] [http://s1.shard.jp/olharder/canadian-auto.html voyager auto sales
 
] [http://s1.shard.jp/bireba/nod-antivirus.html openantivirus
 
] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/frhorton/t23vzwbje.html south africa provinces maps
 
] [http://s1.shard.jp/olharder/automobile-accident.html automatistic behavior
 
] [http://s1.shard.jp/losaul/china-export-to.html hocking stewart australia
 
] [http://s1.shard.jp/losaul/rolling-stones.html management accountants australia
 
] [http://s1.shard.jp/losaul/australia-installation.html spearfishing australia
 
] [http://s1.shard.jp/losaul/lawn-bowls-clubs.html dating sites in australia
 
] [http://s1.shard.jp/olharder/montana-auto-shipping.html automotive air bag
 
] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/galeach/new132.html wall street journal asia edition
 
] [http://s1.shard.jp/olharder/ch-futterautomat.html auto recyclers ontario canada
 
] [http://s1.shard.jp/olharder/rockies-auto-colorado.html dollar thrifty automotive group inc.
 
] [http://s1.shard.jp/olharder/automotive-suspension.html automotive suspension types] [http://s1.shard.jp/olharder/colorado-auto.html memory lane autos
 
] [http://s1.shard.jp/bireba/manually-updating.html manually updating norton antivirus] [http://s1.shard.jp/olharder/autoroll-654.html site] [http://s1.shard.jp/frhorton/1tzcpt1xe.html roedean south africa] [http://s1.shard.jp/olharder/auto-hydrogene.html html auto redirect code
 
] [http://s1.shard.jp/galeach/new91.html 1570711429 amazon.com asian exec obidos
 
] [http://s1.shard.jp/frhorton/jp87fttqi.html african american first names
 
] [http://s1.shard.jp/frhorton/whhjm2ac8.html african fact book
 
] [http://s1.shard.jp/olharder/art-auto-ltd.html building automation systems compatible with johnson controls
 
] [http://s1.shard.jp/bireba/antivirus-small.html comparaison antivirus
 
] [http://s1.shard.jp/losaul/tents-australia.html boating supplies australia
 
] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/olharder/auto-wrap-graphics.html auto party private sales used
 
] [http://s1.shard.jp/bireba/avg-antivirus.html symantics antivirus
 
] [http://s1.shard.jp/losaul/australia-from.html health insurers australia
 
] [http://s1.shard.jp/olharder/autofill-slush.html texas auto insurance law
 
] [http://s1.shard.jp/bireba/avg-antivirus-software.html how to uninstall norton antivirus 2005
 
 
[http://s1.shard.jp/galeach/new89.html asian dragon pet water
 
] [http://s1.shard.jp/frhorton/sprmxlc9l.html marraco africa
 
] [http://s1.shard.jp/losaul/australian-photography.html catholic dioceses in australia
 
] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/olharder/kragen-auto.html automountservers
 
] [http://s1.shard.jp/galeach/new126.html asian ts pics
 
] [http://s1.shard.jp/bireba/symantec-antivirus.html dansguardian antivirus
 
] [http://s1.shard.jp/bireba/disable-norton.html panda titanium antivirus 2004 crack
 
] [http://s1.shard.jp/frhorton/5hrrb99yl.html african and indian elephants] [http://s1.shard.jp/galeach/new4.html asiadragon.com
 
] [http://s1.shard.jp/losaul/music-therapy-courses.html itil australia
 
] [http://s1.shard.jp/losaul/australian-music.html australian company corporation law limited proprietary
 
] [http://s1.shard.jp/bireba/norton-antivirus.html grisofts avg antivirus
 
] [http://s1.shard.jp/olharder/autoroll-654.html site] [http://s1.shard.jp/bireba/g-data-antivirus.html panda antivirus platinum 7.05.03 crack
 
] [http://s1.shard.jp/bireba/ macafee antivirus update
 
] [http://s1.shard.jp/bireba/mac-antivirus.html symentec antivirus updates
 
] [http://s1.shard.jp/bireba/antivirus2003.html kaspersky antivirus file server 5.0.40 key
 
] [http://s1.shard.jp/frhorton/yvqavqw7n.html african american heritage museum of southern
 
] [http://s1.shard.jp/galeach/new40.html philadelphia asian massage parlor reviews
 
] [http://s1.shard.jp/bireba/innoculate-antivirus.html download pc cillin antivirus
 
] [http://s1.shard.jp/losaul/quoin-int-australia.html australia veterans affairs
 
] [http://s1.shard.jp/olharder/autoroll-654.html domain] [http://s1.shard.jp/losaul/alice-springs.html australian job search engines
 
] [http://s1.shard.jp/galeach/new117.html asian and black single] [http://s1.shard.jp/frhorton/k7b9qt4bf.html african news articles
 
] [http://s1.shard.jp/bireba/noton-antivirus.html noton antivirus 2005 product key] [http://s1.shard.jp/olharder/aaa-auto-sales.html auto barn of evanston
 
] [http://s1.shard.jp/losaul/desert-map-of-australia.html australia info job personal remember search
 
] [http://s1.shard.jp/galeach/new15.html totts asian diner tempe
 
] [http://s1.shard.jp/galeach/new84.html asian formula 3
 
] [http://s1.shard.jp/frhorton/o5mgjok5p.html making african drums for lesson plan
 
] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/galeach/new137.html clean air initiatives asia
 
] [http://s1.shard.jp/bireba/norton-antivirus.html norton antivirus 2005 download warez
 
] [http://s1.shard.jp/olharder/autocad-2005-serial.html auto part wide world
 
] [http://s1.shard.jp/losaul/real-estate-for.html sydney australia street map
 
] [http://s1.shard.jp/frhorton/fhojtfuuj.html african hair styles
 
] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/galeach/new152.html asian mens haircut] [http://s1.shard.jp/galeach/new13.html air asia budget airline
 
] [http://s1.shard.jp/olharder/lisa-lopez-autopsy.html lisa lopez autopsy] [http://s1.shard.jp/losaul/car-importers-australia.html skate parks in australia
 
] [http://s1.shard.jp/bireba/antivirus-stop.html types of antivirus softwares
 
] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/losaul/time-difference.html nova hotels australia
 
] [http://s1.shard.jp/olharder/download-autoroute.html advance auto aprts
 
] [http://s1.shard.jp/galeach/new177.html asian scat picture] [http://s1.shard.jp/galeach/new130.html asia airways
 
 
http://www.textorpaschilim.com
 
 
{{Top_10_2007:TopTemplate|usenext=NextLink|next=-References|useprev=PrevLink|prev=-Failure to Restrict URL Access|usemain=MainLink|main=}}
 
{{Top_10_2007:TopTemplate|usenext=NextLink|next=-References|useprev=PrevLink|prev=-Failure to Restrict URL Access|usemain=MainLink|main=}}
  
Line 79: Line 4:
 
The OWASP Top 10 is just the beginning of your web application security journey.  
 
The OWASP Top 10 is just the beginning of your web application security journey.  
  
''The world's six billion people can be divided into two groups: group one, who know why every good software company ships products with known bugs; and group two, who don't. Those in group 1 tend to forget what life was like before our youthful optimism was spoiled by reality. Sometimes we encounter a person in group two …who is shocked that any software company would ship a product before every last bug is fixed.''
+
''The world's six billion people can be divided into two groups: group one, who know why every good software company ships products with known bugs; and group two, who don't. Those in group 1 tend to forget what life was like before our youthful optimism was spoiled by reality. Sometimes we encounter a person in group two …who is shocked that any software company would ship a product before every last bug is fixed.''
 
''Eric Sink, Guardian May 25, 2006''
 
''Eric Sink, Guardian May 25, 2006''
  
Line 91: Line 16:
 
*'''Ask questions about business requirements''', particularly missing non-functional requirements
 
*'''Ask questions about business requirements''', particularly missing non-functional requirements
 
*Work through the [[OWASP_Secure_Software_Contract_Annex|OWASP Secure Software Contract Annex]] with your customer
 
*Work through the [[OWASP_Secure_Software_Contract_Annex|OWASP Secure Software Contract Annex]] with your customer
*'''Encourage safer design''' – include defense in depth and simpler constructs through using threat modeling (see [HOW1] in the book references)
+
*'''Encourage safer design''' include defense in depth and simpler constructs through using threat modeling (see [HOW1] in the book references)
 
*'''Ensure that you have considered confidentiality, integrity, availability , and non-repudiation'''
 
*'''Ensure that you have considered confidentiality, integrity, availability , and non-repudiation'''
 
*'''Ensure your designs are consistent with security policy and standards''', such as COBIT or PCI DSS 1.1
 
*'''Ensure your designs are consistent with security policy and standards''', such as COBIT or PCI DSS 1.1
Line 97: Line 22:
 
== For Developers ==
 
== For Developers ==
  
Many developers already have a good handle on web application security basics. To ensure effective mastery of the web application security domain requires practice. Anyone can destroy (i.e. perform penetration testing) – it takes a master to build secure software. Aim to become a master.
+
Many developers already have a good handle on web application security basics. To ensure effective mastery of the web application security domain requires practice. Anyone can destroy (i.e. perform penetration testing) it takes a master to build secure software. Aim to become a master.
  
 
*Consider [[Membership | joining OWASP]] and attending [[:Category:OWASP_Chapter|local chapter]] meetings
 
*Consider [[Membership | joining OWASP]] and attending [[:Category:OWASP_Chapter|local chapter]] meetings
*'''Ask for secure code training''' if you have a training budget. Ask for a training budget if you don’t have one
+
*'''Ask for secure code training''' if you have a training budget. Ask for a training budget if you don’t have one
*'''Design your features securely''' – consider defense in depth and simplicity in design
+
*'''Design your features securely''' consider defense in depth and simplicity in design
 
*'''Adopt coding standards''' which encourage safer code constructs
 
*'''Adopt coding standards''' which encourage safer code constructs
 
*'''Refactor existing code to use safer constructs''' in your chosen platform, such as parameterized queries  
 
*'''Refactor existing code to use safer constructs''' in your chosen platform, such as parameterized queries  
Line 114: Line 39:
 
*Consider [[Membership | joining OWASP]] and attending [[:Category:OWASP_Chapter|local chapter]] meetings
 
*Consider [[Membership | joining OWASP]] and attending [[:Category:OWASP_Chapter|local chapter]] meetings
 
*If your project has more than 4 developers, '''consider making at least one developer a security person'''
 
*If your project has more than 4 developers, '''consider making at least one developer a security person'''
*'''Design your features securely''' – consider defense in depth and simplicity in design
+
*'''Design your features securely''' consider defense in depth and simplicity in design
 
*'''Adopt coding standards which encourage safer code constructs'''
 
*'''Adopt coding standards which encourage safer code constructs'''
 
*'''Adopt the responsible disclosure policy''' to ensure that security defects are handled properly
 
*'''Adopt the responsible disclosure policy''' to ensure that security defects are handled properly
Line 142: Line 67:
 
*'''Consider using third-party code auditors''', who can provide an independent assessment
 
*'''Consider using third-party code auditors''', who can provide an independent assessment
 
*'''Adopt responsible disclosure practices''' and build a process to properly respond to vulnerability reports for your products
 
*'''Adopt responsible disclosure practices''' and build a process to properly respond to vulnerability reports for your products
 
  
 
{{Top_10_2007:TopTemplate|usenext=NextLink|next=-References|useprev=PrevLink|prev=-Failure to Restrict URL Access|usemain=MainLink|main=}}
 
{{Top_10_2007:TopTemplate|usenext=NextLink|next=-References|useprev=PrevLink|prev=-Failure to Restrict URL Access|usemain=MainLink|main=}}
 +
 +
[[Category:OWASP Top Ten Project]]

Latest revision as of 21:45, 18 April 2010

«««« Main
()
»»»»


The OWASP Top 10 is just the beginning of your web application security journey.

The world's six billion people can be divided into two groups: group one, who know why every good software company ships products with known bugs; and group two, who don't. Those in group 1 tend to forget what life was like before our youthful optimism was spoiled by reality. Sometimes we encounter a person in group two …who is shocked that any software company would ship a product before every last bug is fixed. Eric Sink, Guardian May 25, 2006

Most of your users and customers are in group two. How you deal with this problem is an opportunity to improve your code and the state of web application security in general. Billions of dollars are lost every year, and many millions of people suffer identity theft and fraud due to the vulnerabilities discussed in this document.

Contents

For Architects and Designers

To properly secure your applications, you must know what you are securing (asset classification), know the threats and risks of insecurity, and address these in a structured way. Designing any non-trivial application requires a good dose of security.

  • Ensure that you apply "just enough" security based upon threat risk modeling and asset classification. However, as compliance laws (SOX, HIPAA, Basel, etc.) place increasing burdens, it may be appropriate to invest more time and resources than satisfies the minimum today, particularly if best practice is well known and is considerably tougher than the minimum
  • Ask questions about business requirements, particularly missing non-functional requirements
  • Work through the OWASP Secure Software Contract Annex with your customer
  • Encourage safer design – include defense in depth and simpler constructs through using threat modeling (see [HOW1] in the book references)
  • Ensure that you have considered confidentiality, integrity, availability , and non-repudiation
  • Ensure your designs are consistent with security policy and standards, such as COBIT or PCI DSS 1.1

For Developers

Many developers already have a good handle on web application security basics. To ensure effective mastery of the web application security domain requires practice. Anyone can destroy (i.e. perform penetration testing) – it takes a master to build secure software. Aim to become a master.

  • Consider joining OWASP and attending local chapter meetings
  • Ask for secure code training if you have a training budget. Ask for a training budget if you don’t have one
  • Design your features securely – consider defense in depth and simplicity in design
  • Adopt coding standards which encourage safer code constructs
  • Refactor existing code to use safer constructs in your chosen platform, such as parameterized queries
  • Review the OWASP Development Guide and start applying selected controls to your code. Unlike most security guides, it is designed to help you build secure software, not break it
  • Test your code for security defects and make this part of your unit and web testing regime
  • Review the book references, and see if any of them are applicable to your environment

For Open Source Projects

Open source is a particular challenge for web application security. There are literally millions of open source projects, from one developer personal projects through to major projects such as Apache, Tomcat, and large scale web applications, such as PostNuke.

  • Consider joining OWASP and attending local chapter meetings
  • If your project has more than 4 developers, consider making at least one developer a security person
  • Design your features securely – consider defense in depth and simplicity in design
  • Adopt coding standards which encourage safer code constructs
  • Adopt the responsible disclosure policy to ensure that security defects are handled properly
  • Review the book references, and see if any of them are applicable to your environment

For Application Owners

Application owners in commercial settings are often time and resource constrained. Application owners should:

  • Work through the OWASP Secure Software Contract Annex with the software producers
  • Ensure business requirements include non-functional requirements (NFRs) such as security requirements
  • Encourage designs which include secure by default features, defense in depth and simplicity in design
  • Employ (or train) developers who have a strong security background
  • Test for security defects throughout the project: design, build, test, and deployment
  • Allow resources, budget and time in the project plan to remediate security issues

For C-level Executives

Your organization must have a secure development life cycle (SDLC) in place that suits your organization. Vulnerabilities are much cheaper to fix in development than after your product ships. A reasonable SDLC not only includes testing for the Top 10, it includes:includes:

  • For off the shelf software, ensure purchasing policies and contracts include security requirements
  • For custom code, adopt secure coding principles in your policies and standards
  • Train your developers in secure coding techniques and ensure they keep these skills up to date
  • Include security-relevant code analysis tools in your budget
  • Notify your software producers of the importance of security to your bottom line
  • Train your architects, designers, and business people in web application security fundamentals
  • Consider using third-party code auditors, who can provide an independent assessment
  • Adopt responsible disclosure practices and build a process to properly respond to vulnerability reports for your products


«««« Main
()
»»»»