The OWASP Top 10 Proactive Controls 2016 is published by OWASP (Open Web Application Security Project). This is a list of security techniques should exist as a part of SDLC (Software Development Life Cycle).
1) Verify for Security Early and Often:
This is the most important aspect of any Secure Software Development Life Cycle. Applications must be tested and verified for security in the beginning of the project and throughout the lifecycle of the project – thus any issue discovered early can be fixed early and don’t block entire project.
2) Parameterize Queries:
SQL injection is one of the most dangerous vulnerabilities for the web applications. SQL injection allows evil attacker code to change the structure of a web application’s SQL statement in a way that can steal the data, modify the data or potentially facilitate native OS command injection. By using parameterized queries, one can prevent SQL Injection.
Here is an example of SQL Injection flaw.
This is a Unsfae JAVA code that allows an attacker to inject code into query that would be executed by the database.
String query = "SELECT acct_balance FROM acct_data WHERE customer_name = "
Statement statement = connection.createStatement( … );
ResultSet results = statement.executeQuery( query );
Now, “custName” parameter is simply appended to the query allows an attacker to inject any SQL code they want.
So what can we do to avoid it? Use prepared statements with variable binding(eg. parameterized queries) should help alleviate this issue.
The following code example uses a PreparedStatement, Java’s implementation of a parameterized query, to execute the same database query.
String custname = request.getParameter("custName"); // This should REALLY be validated too
// perform input validation to detect attacks
String query = "SELECT acct_balance FROM acct_data WHERE user_name = ? ";
PreparedStatement pstmt = connection.prepareStatement( query );
pstmt.setString( 1, custname);
ResultSet results = pstmt.executeQuery( );
3) Encode Data
Encoding help protect against many types of attacks – particularly XSS (Cross-site scripting). Encoding translates special characters into some equivalent that make safe for the target interpreter.
4) validate All Inputs
So that we can reduce or minimize the malformed data entering the system. This should not be used as a primary method to prevent XSS or SQL injection.
5) Implement Identity and Authentication Controls
Use standard methods for authentication, identity management, and session management. Ideally use appropriate guidelines for User IDs, password strength controls, securing password recovery mechanism, storing password, transmitting password etc. Additionally, it would be vital to ensure that all failures are logged and reviewed, all password failures are logged and reviews, as well as all account lockouts, are logged and reviewed.
Another option could be using authentication protocols that require no passwords – such as OAuth, OpenID, SAML, FIDO, etc.
For session management, one should consider a variety of factors such as Session ID properties – such as Name Fingerprinting, ID length, ID entropy, ID content; Use built-in language specific (though latest) session management implementation. Utilize secure cookie as much as possible. Follow best practices for Session ID lifecycle. Apply controls for Session Expiration and possible Session hijacking.
6) Implement Appropriate Access Controls
Deny access by default. Utilize Role Bases, Discretionary or Mandatory Access controls where applicable. By using access control, we are intentionally creating one more layer of security – known as authorization. Authorization is the process where requests to access a particular resource should be granted or denied. By creating access control policy we are ensuring that it meets the security requirements as described.
7) Protect Data
Encrypt your data in transit, at rest and during execution. Make sure to use strong encryption methods and libraries.
8) Implement Logging and Intrusion Detection
Log analysis and intrusion detection goes hand-in-hand. There are two ways of doing intrusion detection – Network based intrusion detection and log based intrusion detection. In this particular control, we need to design our log strategy such that we are able to detect the intrusion based on systems, networks, applications, devices,
9) Leverage Security Frameworks and Libraries
Leverage security frameworks and libraries as much as possible for your application language domain.
10) error and Exception Handling
Error messages give an attacker great insight into the inner working on your code. Thus its important to aspect of secure application development to prevent error, exceptions from leaking any information.