OWASP Secure Coding Practices Quick Reference Guide


OWASP Secure Coding Practices Quick Reference Guide
Project leader: Keith Turpin (Keith.n.turpin@boeing.com), August 2010

Project Overview
The guide provides a technology-agnostic set of coding practices, presented in a compact but comprehensive checklist format. At only 12 pages long, it is easy to read and digest. It focuses on secure coding requirements rather than on vulnerabilities and exploits.

Sections of the Guide
The bulk of the document is in the checklists, but other sections include:
- Introduction
- Table of contents
- Software Security Principles Overview
- Secure Coding Practices Checklist
- Glossary of important terminology
- Links to useful resources

Checklist Sections
The checklists are broken up into the following major sections:
- Data Validation
- Authentication and Password Management
- Authorization and Access Management
- Session Management
- Sensitive Information Storage or Transmission
- System Configuration Management
- General Coding Practices
- Database Security
- File Management
- Memory Management

Checklist Practices
The practices in each section are short and to the point. Some examples include:
- Conduct all data validation on a trusted system
- Use two-factor authentication for highly sensitive or high-value transactional accounts
- If a session was established before login, close that session and establish a new session after a successful login
- Turn off verbose system messages, especially any associated with error conditions
- Restrict the web server, process and service accounts to the least privileges possible
- Use strongly typed parameterized queries
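Two of the practices quoted above are easy to get wrong in code, so here is an added worked example (not part of the OWASP guide or of this presentation) showing them in Python against an in-memory SQLite database and a toy session store. The users table, its two rows, the injection string and the SessionStore class are all constructed for the demo; a real application would use its web framework's session handling rather than a hand-written store.

```python
"""Added example: two OWASP Secure Coding Practices in working code.

  1. "Use strongly typed parameterized queries"
  2. "If a session was established before login, close that session and
     establish a new session after a successful login"

Everything below (table, rows, session store) is constructed for the demo.
"""
import secrets
import sqlite3
from typing import Dict, List, Optional

# Constructed sample rows. Only user names are stored here so the demo stays
# focused on query construction; password storage is a separate checklist topic.
SAMPLE_USERS = [("alice",), ("bob",)]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO users VALUES (?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Anti-pattern: string concatenation lets input become SQL syntax.

    With name = "' OR '1'='1" the statement becomes
      SELECT name FROM users WHERE name = '' OR '1'='1'
    and every user is returned (username enumeration / injection).
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Checklist practice: strongly typed, parameterized query.

    The type check enforces the 'strongly typed' half; the '?' placeholder
    makes the driver bind the value as data, so it is never parsed as SQL.
    """
    if not isinstance(name, str):
        raise TypeError("name must be a str")
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


class SessionStore:
    """Toy server-side session store (constructed for the demo)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, Optional[str]]] = {}

    def create(self) -> str:
        """Start an anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = secrets.token_urlsafe(32)  # CSPRNG-backed identifier
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str) -> Optional[Dict[str, Optional[str]]]:
        return self._sessions.get(sid)

    def login(self, pre_login_sid: str, user: str) -> str:
        """Checklist practice: close the pre-login session and issue a new one.

        Reusing the old identifier after authentication would let an attacker
        who planted or learned it (session fixation) inherit the logged-in
        session. Dropping it and minting a fresh one closes that window.
        """
        self._sessions.pop(pre_login_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid


def demo() -> Dict[str, object]:
    """Run both practices and return the observable results."""
    conn = make_db()
    injection = "' OR '1'='1"
    store = SessionStore()
    pre = store.create()
    post = store.login(pre, "alice")
    return {
        "unsafe_injected": sorted(find_user_unsafe(conn, injection)),
        "safe_injected": find_user_safe(conn, injection),
        "old_session_alive": store.get(pre) is not None,
        "new_session_user": store.get(post)["user"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints that the concatenated query returns both constructed users for the injection string while the parameterized query returns none, and that the pre-login session identifier no longer resolves once a fresh one has been issued at login.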

Summary
The guide's goal is to make it easier for development teams to quickly understand and review secure coding practices. It does not rank the practices or single any of them out as mandatory: each one can contribute to the overall security profile of an application, and it is often the combination of flaws, rather than any single one, that leads to an exploitable situation.