As software becomes the foundation of our digital—and sometimes even physical—lives, software security is increasingly important. But developers have a lot on their plates and asking them to become familiar with every single vulnerability category under the sun isn’t always feasible. Even for security practitioners, it’s overwhelming to keep up with every new vulnerability, attack vector, technique, and mitigation bypass. Developers are already wielding new languages and libraries at the speed of DevOps, agility, and CI/CD. The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software development project. This document’s main purpose is to provide a solid foundation of topics to help drive introductory software security developer training.
C9. Implement Security Logging and Monitoring
When software is architected using the open design concept, a review of the design itself will not result in the compromise of the safeguards in the software. The "keep it simple" principle holds that if there are multiple implementations, the simplest and most easily understood implementation should be chosen. Make sure you track the use of open source libraries and maintain an inventory of their versions, their licenses, and their known vulnerabilities (such as those in OWASP's Top 10) using tools like OWASP Dependency Check or Snyk.
Implement Digital Identity
Access control vulnerabilities—such as directory traversal, cross-site request forgery (CSRF), and insecure direct object references (IDOR)—are among the most common and dangerous issues in modern web applications. These flaws often arise from subtle implementation oversights that only surface during real-world usage. A DAST-first approach continuously scans running applications during development and in production, giving security teams visibility into actual exploit paths. Unlike tools that rely on code analysis, DAST tools work by interacting with live applications just as an attacker would, surfacing runtime issues that truly increase business risk.
Some applications enforce access control at the platform level by restricting certain URLs or HTTP methods based on user roles. Context-dependent access controls adapt based on application state or user interactions, ensuring actions occur in the correct sequence. This prevents the scenario where you have multiple access control implementations, where most are correct, but some are flawed.
The Principle of Least Privilege ensures that users and systems only have the minimum necessary access required to perform their functions. This helps reduce the attack surface and limits potential damage from compromised accounts by restricting escalation options. Vertical privilege escalation happens when a user gains access to a higher level of functionality that should be restricted. For example, if a regular user can navigate to an admin dashboard and delete accounts, they have successfully exploited a vertical privilege escalation flaw. Identification and authentication failures occur when an application cannot correctly resolve the subject attempting to gain access to an information service or properly verify the proof presented as validation of the entity. This issue manifests as a lack of MFA, allowing brute force-style attacks, exposing session identifiers, and allowing weak or default passwords.
- KPMG combines cutting-edge technology, actionable insights, and unparalleled expertise to help you prioritize and address your most critical cyber and tech risk challenges.
- The OWASP Top 10 Proactive Controls describes the most important controls and control categories that security architects and development teams should consider in web application projects.
- This approach ensures that risk assessments remain dynamic, with constant observations and adjustments to current threats.
A fully secure development process should include comprehensive requirements from a standard such as the OWASP ASVS, in addition to a range of software development activities described in maturity models such as OWASP SAMM and BSIMM. Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. The OWASP Top 10 Proactive Controls describes the most important controls and control categories that every architect and developer should absolutely, 100% include in every project.
OWASP Proactive Control 1 — define security requirements
- These controls help enforce security principles like least privilege and separation of duties, ensuring users only access what is necessary for their role.
- The answer is with security controls such as authentication, identity proofing, session management, and so on.
- If you devote your free time to developing and maintaining OSS projects, you might not have the time, resources, or security knowledge to implement security features in a robust, complete way.
This concept is not only relevant for Cross-Site Scripting (XSS) vulnerabilities and the different HTML contexts, it also applies to any context where data and control planes are mixed. In this post, Senior Application Security Engineer Jason White will show you how to identify the characters with special meaning for any given context and how to properly encode them so they cannot be used to break out of the context they’re being written to. First, security vulnerabilities continue to evolve and a top 10 list simply can’t offer a comprehensive understanding of all the problems that can affect your software. Entirely new vulnerability categories such as XS Leaks will probably never make it to these lists, but that doesn’t mean you shouldn’t care about them. This cheat sheet will help users of the OWASP Top Ten Proactive Controls 2018 identify which cheat sheets map to each proactive control.
C6. Implement Digital Identity
Access the latest KPMG insights to learn valuable facts, trends and guidance for CISOs about navigating the complexities of AI risk and innovation. AI is not a silver bullet, but it is an invaluable tool when used intentionally. AI can layer in complex large language models, providing a deeper understanding of your environment and automating various tasks.
Instead, you build proper controls in the presentation layer, such as the browser, to escape any data provided to it. Security misconfiguration is when an important step to secure an application or system is skipped intentionally or forgotten. However, development managers, product owners, Q/A professionals, program managers, and anyone involved in building software can also benefit from this document. All access control failures should be logged as these may be indicative of a malicious user probing the application for vulnerabilities. Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges.
Design Access Control Thoroughly Up Front
Let’s explore each of the OWASP Top Ten, discussing how the pieces of the Proactive Controls mitigate the defined application security risk. In this blog post, we’ll describe some common CORS issues as well as how you can find and fix them. You need to protect data whether it is in transit (over the network) or at rest (in storage).
Logging is storing a protected audit trail that allows an operator to reconstruct the actions of any subject or object that performs an action or has an action performed against it. Monitoring is reviewing security events generated by a system to detect if an attack has occurred or is currently occurring. No matter how many layers of validation data goes through, it should always be escaped/encoded for the right context.
Proactive Controls is a catalog of available security controls that counter one or many of the top ten. In this series, I’m going to introduce the OWASP Top 10 Proactive Controls one at a time to present concepts that will make your code more resilient and enable your code to defend itself against would-be attackers. When possible, I’ll also show you how to create CodeQL queries to help you ensure that you’re correctly applying these concepts and enforcing the application of these proactive controls throughout your code.
One example of a failure involves using untrusted software in a build pipeline to generate a software release. Another example is insecure deserialization, where an application receives an object from another entity and does not properly validate that object, resulting in an attack being loosed upon the application that received the object. The Top Ten calls for more threat modeling, secure design patterns, and reference architectures. Threat modeling analyzes a system representation to mitigate security and privacy issues early in the life cycle.
Vertical privilege escalation
The proactive controls document, written by Manico himself, along with Katy Anton and Jim Bird, provides a security overview for developers wanting to jump into web security, understand the different layers of security risks, and how to protect against them. It’s important to carefully design how your users are going to prove their identity and how you’re going to handle user passwords and tokens. This should include processes and assumptions around resetting or restoring access for lost passwords, tokens, etc. In this post, you’ll learn how using standard and trusted libraries with secure defaults will greatly help you implement secure authentication. One of the main goals of this document is to provide concrete practical guidance that helps developers build secure software. The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be considered for every software development project.