Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Similar presentations


Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org OWASP Secure Coding Practices Quick Reference Guide Project leader Keith Turpin Keith.n.turpin@boeing.com August, 2010

2 OWASP 2 About Me  Secure Coding Practices Quick Reference Guide project leader  Application security assessments team leader at The Boeing Company  United States delegate to the IEC/ISO SC27 subcommittee on cyber security  Member of the Software Assurance Working Group

3 OWASP 3 Some Background  Goal: Build a secure coding kick-start tool, to help development teams quickly understand secure coding practices  Originally developed for use inside The Boeing Company  July 2010, Boeing assigned copyright to OWASP  August 2010, project goes live on owasp.org

4 OWASP 4 Guide Overview  Technology agnostic coding practices  What to do, not how to do it  Compact, but comprehensive checklist format  Focuses on secure coding requirements, rather then on vulnerabilities and exploits  Includes a cross referenced glossary to get developers and security folks talking the same language

5 OWASP 5 Sections of the Guide  The bulk of the document is in the checklists, but it contains all of the following: Table of contents Introduction Software Security Principles Overview Secure Coding Practices Checklist Links to useful resources Glossary of important terminology

6 OWASP 6 Checklist Sections  Data Validation  Authentication and Password Management  Authorization and Access Management  Session Management  Sensitive Information Storage or Transmission  System Configuration Management  General Coding Practices  Database Security  File Management  Memory Management

7 OWASP 7 Checklist Practices  Short and to the point.  Straight forward "do this" or "don't do that"  Some practices will require coded solutions. When they do, use tested, standardized managed code whenever possible  Some practices are conditional recommendations that depend on the criticality of the system or information  The security implications of not following any of the practices that apply to the application, should be clearly understood

8 OWASP 8 Using the guide  Scenario #1: Developing Guidance Documents Coding Practices Security Policies Application Security Procedures Application Security Coding Standards Guiding PrinciplesWhat to doHow to do it

9 OWASP 9 Using the guide continued  Scenario #2: Support Secure Development Lifecycle Application Security Requirements Application Development Practices Standardized Libraries Standard Guidance for non-Library Solutions Review Solutions Test Solution Implementation What to doHow you should do itWhat you didDid it work Coding Practices

10 OWASP 10 RFP Best Software Ever Using the guide continued  Scenario #3: Contracted Development  Identify security requirements to be added to outsourced software development projects.  Include them in the RFP and Contract Contract Best Software Ever I need cool Software We can build anything How do I make it work CustomerSalesmanProgrammer Coding Practices

11 OWASP 11 Summary  Make it easier for development teams to quickly understand secure coding practices  Does not specify what should or must be done, as all of these practices can be contributing factors to the overall security profile of an application and often it is the combination of flaws, rather than any single one, which leads to an exploitable situation

12 OWASP 12 A Secure Development Framework  Implement a secure software development lifecycle  OWASP CLASP Project OWASP CLASP Project  Establish secure coding standards  OWASP Development Guide Project OWASP Development Guide Project  Build a re-usable object library  OWASP Enterprise Security API (ESAPI) Project OWASP Enterprise Security API (ESAPI) Project  Verify the effectiveness of security controls  OWASP Application Security Verification Standard (ASVS) Project) OWASP Application Security Verification Standard (ASVS) Project)  Establish secure outsourced development practices including defining security requirements and verification methodologies in both the RFP and contract  OWASP Legal Project OWASP Legal Project Guidance on implementing a secure software development framework is beyond the scope of the Quick reference Guide, however the following OWASP projects can help:

13 OWASP 13 Questions


Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations


Ads by Google