What do you think about the OWASP web application security top ten as a developer?

I like the OWASP Top Ten for “developers” charts. From my point of view, it gives an awesome advice, where to start or helps to take care and remember what you maybe already know about web security implementation. From my side it feels a bit like “rub salt into the wound” of a developer soul, isn’t it so? Especially when you starting developing cloud native and microservices based applications.

When I take a look at that topics OWASP has chosen, I would say; these are my top three favourites out of that top ten list:

Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.”

Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.”

Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.”

Maybe you can share with us your top three topics?

Also the New 25 Most Dangerous Programming Errors (SANS TOT 25) can be useful in this context.


Possibly that blog post did stimulated you to think a little bit about your own security implementations or you will reflect a bit: I am doing enough or is there more I could/should do to implement security? Honestly, I have to add a little more in the future 😉

Greetings,

Thomas

#owasp, #security, #development, #developer

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.