
How to Use the OWASP Top 10 to Simplify Application Security

2016-01-27 15:20

The security landscape changes at an incredible pace, with new threats and vulnerabilities being identified all the time.

Keeping your application security up-to-date can seem like an insurmountable challenge – but today, I’m looking at how the OWASP Top 10 can help organisations like yours improve and simplify their application security.

What is the OWASP Top 10?

The OWASP Top 10 is a list of the ten most critical web application security risks, published by the Open Web Application Security Project (OWASP) since 2003.

The list represents a consensus among many of the world’s leading information security experts on the greatest security risks, as determined by attack frequency and the size of their impact.

The project aims to raise awareness about specific risks, and to help organisations establish a strong foundation of security training and standards to protect against these risks.

How to Simplify Application Security

As well as identifying risks, the OWASP Top 10 also provides guidance on how to avoid each of them.

This creates a simple (and prioritised) application security framework for organisations to follow – with the adoption of the OWASP Top Ten regarded as:

“...the most effective first step towards changing the software development culture within your organization into one that produces secure code.”

Integrating awareness of the ten most critical security risks into the software development lifecycle (SDLC) forces organisations to adopt security best practices. The OWASP Top 10 can be used to improve security throughout each of the six phases of the SDLC – from requirements and analysis, right through to maintenance:

1) Requirements and Analysis

In this phase analysts consider the requirements and goals of the application, as well as possible problems. Part of this process involves threat modelling.

The OWASP Top 10 can be used as a guide to potential attacks, and examining how the ten risks could affect your software will help you to shape your application design to minimise the most critical threats.

2) Architecture and Design

You can follow specific design guidelines that are proven solutions to the Top 10 risks, especially those you identified during the Requirements and Analysis phase as being particular vulnerabilities.

3) Development

In the Development phase you can adopt specific secure coding standards that have been proven to defend against the OWASP Top 10 risks.

The Development phase is also when code reviews typically occur; as well as reviewing code to ensure it has the features and functions specified, developers should be trained to look for vulnerabilities in the code relating to the OWASP Top 10.

4) Testing

If you are aware of the most common security risks, during the Testing phase you can ensure that specific tests are run to simulate attacks related to the OWASP Top 10.

Additionally, static analysis tools, which read through software code, can be programmed to look for clues in the code that may point to vulnerabilities – things that your developers may not have picked up on during their code reviews.

5) Deployment

Software and computer systems that aren’t configured with security in mind are exposed to attack. Thankfully, the OWASP Top 10 can be very helpful in the Deployment phase of the SDLC – helping reduce risk by checking for configuration and physical deployment errors relating to the Top 10.

For example, many security problems can be prevented by ensuring that unnecessary utility software is shut off on servers, and that auditing and logging services are always turned on.
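A deployment-phase check for the two configuration problems named above, as an added example that is not part of the original article: the allowlist of expected listeners, the list of required logging services and the sample inventory are all assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): a deployment-phase check
# for stray listening services and inactive logging services. Inventories
# are passed in as text, so the functions also run against a captured listing.

# Services expected to listen on this server (assumed allowlist).
ALLOWED="nginx sshd"
# Auditing/logging services that must be active (assumed list).
REQUIRED_LOGGING="rsyslog auditd"

# unexpected_listeners LISTING
#   LISTING: lines of "<port> <process>" (e.g. reduced from 'ss -tlnp').
#   Prints "process:port" for every listener not on the allowlist.
unexpected_listeners() {
    printf '%s\n' "$1" | while read -r port proc; do
        [ -z "$proc" ] && continue
        case " $ALLOWED " in
            *" $proc "*) ;;                         # expected service
            *) printf '%s:%s\n' "$proc" "$port" ;;  # should be shut off
        esac
    done
}

# missing_logging STATUS
#   STATUS: lines of "<service> <active|inactive>" (e.g. from
#   'systemctl is-active'). Prints each required service that is not active.
missing_logging() {
    for svc in $REQUIRED_LOGGING; do
        state=$(printf '%s\n' "$1" | awk -v s="$svc" '$1 == s { print $2 }')
        [ "$state" = "active" ] || printf '%s\n' "$svc"
    done
}

# Constructed sample inventory: two stray listeners and auditd stopped.
# Replace with the real listing on a live server.
SAMPLE_LISTENING="443 nginx
22 sshd
21 vsftpd
6379 redis-server"
SAMPLE_STATUS="rsyslog active
auditd inactive"

# check_deployment: report both findings; exit status 0 only when clean.
check_deployment() {
    bad=$(unexpected_listeners "$SAMPLE_LISTENING")
    missing=$(missing_logging "$SAMPLE_STATUS")
    [ -n "$bad" ] && printf 'Unexpected listening services:\n%s\n' "$bad"
    [ -n "$missing" ] && printf 'Logging services not active:\n%s\n' "$missing"
    [ -z "$bad" ] && [ -z "$missing" ]
}
```

Run `check_deployment` after deployment; a non-zero exit status means the host still has a listener outside the allowlist or a logging service that is not running.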

6) Maintenance

Focusing on the OWASP Top 10 will ensure that even after Deployment organisations conduct ongoing code reviews to find out if changes to the application over time have created any new vulnerabilities.



Source: www.securityinnovationeurope.com/blog/how-to-use-the-owasp-top-10-to-simplify-application-sec
