Write more secure code with the OWASP Top 10 Proactive Controls

Make sure you track the use of open source libraries and maintain an inventory of their versions, licenses and known vulnerabilities, including the OWASP Top 10 categories, using tools such as OWASP Dependency-Check or Snyk. Recently, I was thinking back to a great opening session of the DevSecCon community we had last year, featuring none other than Jim Manico.


Secure error handling and logging means making sure that no sensitive data, such as passwords, access tokens, or any Personally Identifiable Information (PII), is leaked into error messages or logs. As software becomes the foundation of our digital—and sometimes even physical—lives, software security is increasingly important. But developers have a lot on their plates, and asking them to become familiar with every single vulnerability category under the sun isn’t always feasible. Even for security practitioners, it’s overwhelming to keep up with every new vulnerability, attack vector, technique, and mitigation bypass.


When possible, I’ll also show you how to create CodeQL queries to help you ensure that you’re correctly applying these concepts and enforcing these proactive controls throughout your code. Access control requirements are very likely to take shape throughout many layers of your application. One example is pulling data from the database in a multi-tenant SaaS application, where you need to ensure that one tenant’s data isn’t accidentally exposed to other users. Another example is the question of who is authorized to call the APIs that your web application provides. Once authentication is taken care of, authorization should be applied to make sure that authenticated users have the permissions to perform any actions they need, but nothing beyond those actions is allowed.


Either a static or a dynamic assessment can be conducted to complete the test. Once you decide which test is required, you can contact us for more information on the testing. Most applications use a database to store and retrieve application data. The queries used to make those database calls must be properly sanitized to prevent SQL injection attacks.
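As an added example (not code from the original post or from OWASP), here is a Python/sqlite3 comparison of a query built by string formatting and the same lookup written with bound parameters, applied to the multi-tenant case mentioned above. The table, tenant names and function names are constructed for the demonstration; the tenant id is assumed to come from the authenticated session, not from the request.

```python
import sqlite3


def build_db():
    """Constructed sample data: two tenants share one invoices table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER, tenant_id TEXT, customer TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [
            (1, "acme", "alice", 120.0),
            (2, "acme", "bob", 80.0),
            (3, "globex", "carol", 300.0),
        ],
    )
    return conn


def find_invoices_unsafe(conn, tenant_id, customer):
    """Vulnerable: the customer value becomes part of the SQL text, so a
    crafted value can change the query's structure and the tenant scoping
    is no longer guaranteed."""
    sql = (
        f"SELECT id FROM invoices WHERE tenant_id = '{tenant_id}' "
        f"AND customer = '{customer}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def find_invoices_safe(conn, tenant_id, customer):
    """Hardened: bound parameters are sent separately from the SQL text, so
    input is only ever compared as data. tenant_id is taken from the
    session (assumption for this example), which keeps every result scoped
    to the caller's own tenant."""
    sql = "SELECT id FROM invoices WHERE tenant_id = ? AND customer = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (tenant_id, customer))]


if __name__ == "__main__":
    db = build_db()
    print(find_invoices_safe(db, "acme", "alice"))    # [1]
    print(find_invoices_unsafe(db, "acme", "alice"))  # [1]
```

For a normal customer name both functions agree; the difference shows up only when the input contains SQL syntax, which the parameterized version treats as a plain string.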


Some of this has become easier over the years (namely using HTTPS and protecting data in transit). You may even be tempted to come up with your own solution instead of dealing with those sharp edges. In this post, I’ll help you approach some of those sharp edges and libraries with a little more confidence. This lesser-known OWASP project aims to help developers prevent vulnerabilities from being introduced in the first place. For any of these decisions, you have the ability to roll your own: managing your own registration of users and keeping track of their passwords or means of authentication.


As vulnerabilities are discovered in those libraries, you need to ensure continuous updates are applied to them to reduce your exposure. Authors and planners of this educational activity attest to no conflicts of interest in the development of this course. They report no relevant financial relationships, and there is no off-label use of products in this course. No commercial support or sponsorship was accepted in the development of this course.

— Posted on July 22, 2022 at 9:12 am by