Declan O’Riordan, head of security testing, T&VS & Arulselvar Thomas, security expert, T&VS India
The reality is that applications written in .Net, PHP, and Java etc. are insecure by design, insecure by default and insecure in deployment. This is because their entire security model is based on the assumption that no malicious code will be executed in its environment.
Non-secure applications are a problem for nearly every business with an online presence and the more complex and interconnected an IT infrastructure becomes, then the harder it can be to secure the applications. More powerful web applications means more complicated code carrying a greater the risk of coding flaws — which can lead to serious security vulnerabilities within the application. Web application vulnerabilities face exploitation by relentless malicious players, bent on profiteering from data theft, or gaining online notoriety. In this article I would like to highlight different application security frameworks from OWASP.
The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. It has been a registered non-profit Organisation in Europe since June 2011.
OWASP is a combination of national and international legislation, standards, guidelines, committees, and industry codes of practice. All online application security materials and frameworks are thoroughly reviewed by OWASP’s 30,000+ volunteers before being added under the brand of OWASP materials. Thus anyone can learn important lessons on application security from OWASP documentation. OWASP currently has over 142 active Information security projects, with new project applications being submitted every week.
Different OWASP security domains
An OWASP project is a collection of related tasks that have a defined roadmap and team members. The OWASP Top 10 vulnerability list is an example of a project that is very popular with both developers and testers. Initially OWASP projects concentrated on application security and addressed 95% of security issues across platforms such as .Net, PHP, and Java; releasing free tools and security resources in these areas. Due to market demand OWASP has now also started addressing the new potential security issues across domains such as smartphone technology, Internet of Things (IoT), SCADA Security, amongst others.
OWASP core values
OWASP’s Top 10 materials and best practice guidelines are aimed at both developers and security auditors to encourage more open source products and projects to handle effective security testing. Thus it helps the organization and other security researchers with cost effective security testing:
- OPEN– Everything at OWASP is radically transparent from OWASP finances to OWASP code.
- INNOVATION– OWASP encourages and supports innovation and experiments for solutions to software security challenges.
- GLOBAL– Anyone around the world is encouraged to participate in the OWASP community.
- INTEGRITY– OWASP is an honest and truthful, vendor neutral, global community.
OWASP provides complete documentation guidelines to demonstrate application security across all domains. Maximum numbers of application security compliance controls are addressed by OWASP. This should help developers and testers to better understand their application security and achieve certification where required. OWASP also offers security standards and regulations which is a general application security framework addressing general application security guidelines and industry best practices such as:
- BSIMM – The Building Security In Maturity Model
- CMMI – Capability Maturity Model Integration
- CobIT -Control Objectives for Information and Related Technology
- COSO -The Committee of Sponsoring Organizations
- ISF – Information Security Forum’s (ISF) Standard of Good Practice
- ITIL – Information Technology Infrastructure Library (ITIL)
- ISO/IEC 27001:2005 27002:2005
- HIPPA – Health Insurance Portability and Accountability Act
- MS SDL – Microsoft Security Development Lifecycle
- NIST Handbooks (e.g. the “800 Series”)
- Open SAMM – Software Assurance Maturity Model
- PCI DSS – Payment card Industry Data security standard
OWASP provides awareness and guidelines for web application security. The experts at OWASP have concluded that security vulnerabilities represent a serious risk to agencies and companies that have exposed their business logic to the Internet. Web application security problems are as serious as network security problems, although they have traditionally received considerably less attention. Attackers have begun to focus on web application security problems and are actively developing tools and techniques for detecting and exploiting them. Developers and testers need to respond and a great first step is to look at the OWASP Secure Coding Practices, Testing guidelines, ASVS checklist and OWASP Top 10 lists.
What you should do
- You need to educate your developers about OWASP’s application security framework.
- You need to educate your functional testers to improve their test cases in respect to the basic OWASP security requirements.
- Application owners should maintain awareness of the OWASP standard to reduce the risk of information security non-compliances.
- Adopt OWASP best practices throughout the application development lifecycle.
- Develop a culture where security is an ongoing process rather a onetime implementation consideration.
Free white papers on how to start building and testing secure web applications
The purpose of these documents is to set out good practice for avoiding security vulnerabilities on any Web Application project and they include:
– An explanation of Web Application Security Development and Testing
– Guidelines for developers and testers to reduce the top ten application security risks
Download your free white papers now
– OWASP – https://www.owasp.org/
– Wikipedia – http://en.wikipedia.org/wiki/OWASP
– DenimGroup – http://www.denimgroup.com/blog/denim_group/2010/01/mapping-between-owasp-top-10-2004-2007-wasc-242-and-sans-cwe25.html
– Critical Watch – http://www.criticalwatch.com/assets/c-Owasp-to-Wasc-to-CWE-Mapping-Tech-Paper-0710131.pdf