Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published bySheila Henderson Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP Secure Coding Practices Quick Reference Guide Justin Clarke justin.clarke@owasp.org AppSec Asia Pacific 13 April 2012

2 OWASP 2 Some Background  Goal: Build a secure coding kick-start tool, to help development teams quickly understand secure coding  Originally developed for use inside The Boeing Company  July 2010, Boeing assigned copyright to OWASP  August 2010, project goes live on owasp.org  November 2010, SCP v2 goes live (current stable version)

3 OWASP Project Structure / Localizations English – Keith Turpin (Project leader) Korean Portuguese Brazilian Portuguese Spanish https://www.owasp.org/index.php/OWASP_Secure_Codi ng_Practices_-_Quick_Reference_Guide 3

4 OWASP 4 Guide Overview  Technology agnostic coding practices  What to do, not how to do it  Compact, but comprehensive checklist format  Focuses on secure coding requirements, rather then on vulnerabilities and exploits  Includes a cross referenced glossary to get developers and security folks talking the same language

5 OWASP 5 Sections of the Guide  The bulk of the document is in the checklists, but it contains all of the following: Table of contents Introduction Software Security Principles Overview Secure Coding Practices Checklist Links to useful resources Glossary of important terminology

6 OWASP 6 Checklist Sections  Input Validation  Output Encoding  Authentication and Password Management  Session Management  Access Control  Cryptographic Practices  Error Handling and Logging  Data Protection  Communication Security  System Configuration  Database Security  File Management  Memory Management  General Coding Practices - Only 9 pages long

7 OWASP 7 Checklist Practices  Short and to the point  Straight forward "do this" or "don't do that"  Does not attempt to rank the practices  Some practices are conditional recommendations that depend on the criticality of the system or information  The security implications of not following any of the practices that apply to the application, should be clearly understood

8 OWASP 8 Extract - Database Security  Use strongly typed parameterized queries  Utilize input validation and output encoding and be sure to address meta characters. If these fail, do not run the database command  Ensure that variables are strongly typed  The application should use the lowest possible level of privilege when accessing the database  Use secure credentials for database access  Do not provide connection strings or credentials directly to the client. If this is unavoidable, encrypted them  Use stored procedures to abstract data access  Close the connection as soon as possible  Remove or change all default database administrative passwords. Utilize strong passwords/phrases or implement multi-factor authentication  Turn off all unnecessary database functionality (e.g., unnecessary stored procedures or services, utility packages, install only the minimum set of features and options required (surface area reduction))

9 OWASP 9 Using the guide  Scenario #1: Developing Guidance Documents Coding Practices General Security Policies Application Security Procedures Application Security Coding Standards Guiding PrinciplesWhat to doHow to do it

10 OWASP 10 Using the guide continued  Scenario #2: Support Secure Development Lifecycle Application Security Requirements Secure Development Processes Standardized Libraries Standard Guidance for non-Library Solutions Review Solutions Test Solution Implementation What to doHow you should do itWhat you didDid it work Coding Practices

11 OWASP 11 RFP Best Software Ever Using the guide continued  Scenario #3: Contracted Development  Identify security requirements to be added to outsourced software development projects.  Include them in the RFP and Contract Contract Best Software Ever I need cool Software We can build anything How do I make it work CustomerSalesmanProgrammer Coding Practices

12 OWASP 12 Summary  Makes it easier for development teams to quickly understand secure coding practices  Assists with defining requirements and adding them to policies and contracts  Provides a context and vocabulary for interactions with security staff  Serves as an easy desk reference

13 OWASP 13 A Secure Development Framework  Implement a secure software development lifecycle  OWASP CLASP Project  OpenSAMM  Establish secure coding standards  OWASP Development Guide Project  Build a re-usable object library  OWASP Enterprise Security API (ESAPI) Project  Verify the effectiveness of security controls  OWASP Application Security Verification Standard (ASVS) Project)  Establish secure outsourced development practices including defining security requirements and verification methodologies in both the RFP and contract  OWASP Legal Project Guidance on implementing a secure software development framework is beyond the scope of the Quick reference Guide, however the following OWASP projects can help:

14 OWASP 14 Questions

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide
Computer Software 3 Section A Software Basics CHAPTER PARSONS/OJA

Computer Software 3 Section A Software Basics CHAPTER PARSONS/OJA
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Software Quality Assurance Plan

Software Quality Assurance Plan
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 2 Overview of Database Administrator (DBA) Tools.

Oracle9i Database Administrator: Implementation and Administration 1 Chapter 2 Overview of Database Administrator (DBA) Tools.
Privileged Account Management Jason Fehrenbach, Product Manager.

Privileged Account Management Jason Fehrenbach, Product Manager.
Understand Database Security Concepts

Understand Database Security Concepts
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Unauthorized Reproduction Prohibited SkyPoint Alarm Integration Add-On Using OnGuard Alarms to create events in SkyPoint Also called ‘SkyPoint V0’ CR4400.

Unauthorized Reproduction Prohibited SkyPoint Alarm Integration Add-On Using OnGuard Alarms to create events in SkyPoint Also called ‘SkyPoint V0’ CR4400.
Information Security Policies and Standards

Information Security Policies and Standards
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Software Requirement Specification(SRS)

Software Requirement Specification(SRS)
Module 2: Planning to Install SQL Server. Overview Hardware Installation Considerations SQL Server 2000 Editions Software Installation Considerations.

Module 2: Planning to Install SQL Server. Overview Hardware Installation Considerations SQL Server 2000 Editions Software Installation Considerations.
Data Structures and Programming.  John Edgar2.

Data Structures and Programming.  John Edgar2.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
The Re-engineering and Reuse of Software

The Re-engineering and Reuse of Software

Similar presentations

Ads by Google