As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques.
All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind.
OWASP Top 10 Proactive Controls 2016
The OWASP Top Ten Proactive Controls describes the most important controls and control categories that every architect and developer should include in their projects.
Each control helps preventing one or more of the OWASP Top Ten, the most critical web application security vulnerabilities. The list of security techniques is ordered by order of importance, with the first being the most important.
- Verify for Security Early and Often
Incorporate security testing as an integral part of software engineering practice. Consider OWASP ASVS as a guide to define security requirements and testing.
- Parameterize Queries
SQL Injection is one of the most dangerous web application risks. It is easy to exploit with open source automated attack tools, and can deliver a devastating impact to your application. In order to mitigate SQL injection, untrusted input should be prevented from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as ‘Query Parameterization’. In this case, the SQL statements are sent to and parsed by the database server separately from any parameters.
- Encode Data
Encoding is a powerful mechanism to help protect against many types of attack, especially injection attacks. Essentially, encoding involves translating special characters into some equivalent form that is no longer dangerous in the target interpreter.
- Validate All Inputs
Consider all input from outside of the application as untrusted. For web applications this includes HTTP headers, cookies, and GET and POST parameters: any or all of this data could be manipulated by an attacker.
- Implement Identity and Authentication Controls
Authentication is the process of verifying that an individual or an entity is who it claims to be. Identity management is a broader topic, which not only includes authentication and session management, but also covers advanced topics like identity federation, single sign on, password-management tools, identity repositories and more.
- Implement Appropriate Access Controls
Authorization (access control) is the process where requests to access a particular feature or resource should be granted or denied. This is one of the main areas of application security design that must be heavily thought-through up front.
- Protect Data
When transmitting sensitive data, at any tier of your application or network architecture, robust encryption-in-transit should be implemented.
- Implement Logging and Intrusion Detection
Application logging should not be an afterthought or limited to debugging and troubleshooting. Logging and tracking security events and metrics helps to enable «attack-driven defense»: making sure that your security testing and controls are aligned with real-world attacks against your system.
- Leverage Security Frameworks and Libraries
Starting from scratch when it comes to developing security controls, leads to wasted time and massive security holes. Secure coding libraries help developers guard against security-related design and implementation flaws. It is critical to keep these frameworks and libraries up to date.
- Error and Exception Handling
Implementing correct error and exception handling is not exciting, but like input data validation, it is an important part of defensive coding, critical to making a system reliable as well as secure.