The great OWASP resource on application security testing

The reality is that applications written in .Net, PHP, Java and similar languages are insecure by design, insecure by default and insecure in deployment. This is because their entire security model is based on the assumption that no malicious code will be executed in their environment.

Insecure applications are a problem for nearly every business with an online presence, and the more complex and interconnected an IT infrastructure becomes, the harder it can be to secure its applications. More powerful web applications mean more complicated code, which carries a greater risk of coding flaws, and those flaws can lead to serious security vulnerabilities within the application. Web application vulnerabilities face exploitation by relentless malicious actors bent on profiteering from data theft or gaining online notoriety. In this article I would like to highlight the different application security frameworks from OWASP.

OWASP

The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organisations and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools and technologies. The OWASP Foundation is a 501(c)(3) charitable organisation that supports and manages OWASP projects and infrastructure. It has been a registered non-profit organisation in Europe since June 2011.

Why OWASP?

OWASP brings together national and international legislation, standards, guidelines, committees and industry codes of practice. All online application security materials and frameworks are thoroughly reviewed by OWASP’s 30,000+ volunteers before being published under the OWASP brand, so anyone can learn important lessons on application security from OWASP documentation. OWASP currently has over 142 active information security projects, with new project applications being submitted every week.

Different OWASP security domains

An OWASP project is a collection of related tasks that have a defined roadmap and team members. The OWASP Top 10 vulnerability list is an example of a project that is very popular with both developers and testers. Initially OWASP projects concentrated on application security and addressed 95% of security issues across platforms such as .Net, PHP and Java, releasing free tools and security resources in these areas. Due to market demand, OWASP has now also started addressing new potential security issues in domains such as smartphone technology, the Internet of Things (IoT) and SCADA security, amongst others.

OWASP core values

OWASP’s Top 10 materials and best-practice guidelines are aimed at both developers and security auditors, encouraging open source products and projects to carry out effective security testing. This helps organisations and other security researchers achieve cost-effective security testing. OWASP’s core values are:

  • OPEN – Everything at OWASP is radically transparent, from OWASP finances to OWASP code.
  • INNOVATION – OWASP encourages and supports innovation and experiments for solutions to software security challenges.
  • GLOBAL – Anyone around the world is encouraged to participate in the OWASP community.
  • INTEGRITY – OWASP is an honest and truthful, vendor-neutral, global community.

OWASP guidelines

OWASP provides complete documentation and guidelines to demonstrate application security across all domains. Most application security compliance controls are addressed by OWASP, which should help developers and testers better understand their application security and achieve certification where required. OWASP also offers a general application security framework that maps to security standards and regulations, addressing general application security guidelines and industry best practices such as:

  • BSIMM – The Building Security In Maturity Model
  • CMMI – Capability Maturity Model Integration
  • CLASP
  • CobIT – Control Objectives for Information and Related Technology
  • COSO – The Committee of Sponsoring Organizations
  • ISF – Information Security Forum’s (ISF) Standard of Good Practice
  • ITIL – Information Technology Infrastructure Library (ITIL)
  • ISO/IEC 27001:2005 and 27002:2005
  • HIPAA – Health Insurance Portability and Accountability Act
  • MS SDL – Microsoft Security Development Lifecycle
  • NIST Handbooks (e.g. the “800 Series”)
  • OCTAVE
  • OpenSAMM – Software Assurance Maturity Model
  • PCI DSS – Payment Card Industry Data Security Standard

Conclusion

OWASP provides awareness and guidelines for web application security. The experts at OWASP have concluded that security vulnerabilities represent a serious risk to agencies and companies that have exposed their business logic to the Internet. Web application security problems are as serious as network security problems, although they have traditionally received considerably less attention. Attackers have begun to focus on web application security problems and are actively developing tools and techniques for detecting and exploiting them. Developers and testers need to respond, and a great first step is to look at the OWASP Secure Coding Practices, the Testing Guide, the ASVS checklist and the OWASP Top 10 lists.

What you should do

  • Educate your developers about OWASP’s application security framework.
  • Educate your functional testers to improve their test cases with respect to the basic OWASP security requirements.
  • Application owners should maintain awareness of the OWASP standards to reduce the risk of information security non-compliance.
  • Adopt OWASP best practices throughout the application development lifecycle.
  • Develop a culture where security is an ongoing process rather than a one-time implementation consideration.

Free white papers on how to start building and testing secure web applications

The purpose of these documents is to set out good practice for avoiding security vulnerabilities on any web application project. They include:

  • An explanation of Web Application Security Development and Testing
  • Guidelines for developers and testers to reduce the top ten application security risks
  • Download your free white papers now


2018-02-23T12:09:24+00:00 | 6th February, 2015 | Security, Thought Leadership