I like the OWASP Top Ten for developers charts. From my point of view, it gives awesome advice on where to start, or helps you take care of and remember what you may already know about implementing web security. From my side it feels a bit like rubbing salt into the wound of a developer's soul, doesn't it? Especially when you start developing cloud-native and microservices-based applications.
When I look at the topics OWASP has chosen, I would say these are my top three favourites out of that top ten list:
“Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.”
“Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.”
“Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.”
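As an added example (not part of the original post or of OWASP material), here is a minimal login handler written twice: `login_weak` shows all three categories quoted above failing at once (a verbose error that reveals which usernames exist, a predictable session token, and no logging), and `login_hardened` shows the same function with those defects fixed. The user store, the per-source rate limit and the audit-log sink are constructed stand-ins, not a real framework.

```python
"""Weak vs hardened login: Broken Authentication, Security Misconfiguration
and Insufficient Logging & Monitoring demonstrated in one small handler."""
import hashlib
import hmac
import json
import os
import secrets
import time
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed user store: passwords kept as salted PBKDF2-HMAC-SHA256 hashes.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = os.urandom(16)
USERS: Dict[str, bytes] = {"alice": _hash_password("correct horse battery staple", _SALT)}


# --- weak version: the three quoted OWASP items, all present -----------------
_counter = 0

def login_weak(username: str, password: str) -> dict:
    global _counter
    if username not in USERS:
        # Security Misconfiguration: verbose error tells an attacker which users exist.
        return {"ok": False, "error": f"user {username} does not exist"}
    if _hash_password(password, _SALT) != USERS[username]:
        return {"ok": False, "error": "wrong password"}
    # Broken Authentication: sequential, guessable session token.
    _counter += 1
    # Insufficient Logging: nothing is recorded, so brute force goes unnoticed.
    return {"ok": True, "session": f"sess-{_counter}"}


# --- hardened version ---------------------------------------------------------
AUDIT_LOG: List[dict] = []                       # stand-in for a log pipeline
FAILURES: Dict[str, List[float]] = defaultdict(list)   # failed attempts per source
MAX_FAILURES, WINDOW_SECONDS = 5, 300
_DUMMY_HASH = _hash_password("dummy", _SALT)     # keeps work uniform for unknown users

def _audit(event: str, **fields) -> None:
    """Emit one structured, machine-parseable log line and keep it in memory."""
    record = {"ts": time.time(), "event": event, **fields}
    AUDIT_LOG.append(record)
    print(json.dumps(record))

def login_hardened(username: str, password: str, source_ip: str,
                   now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    # Sliding-window rate limit per source address.
    recent = [t for t in FAILURES[source_ip] if now - t < WINDOW_SECONDS]
    FAILURES[source_ip] = recent
    if len(recent) >= MAX_FAILURES:
        _audit("login_blocked", user=username, ip=source_ip, reason="rate_limit")
        return {"ok": False, "error": "invalid credentials"}

    # Always hash and always compare, so unknown user and wrong password cost the same.
    candidate = _hash_password(password, _SALT)
    expected = USERS.get(username, _DUMMY_HASH)
    valid = hmac.compare_digest(candidate, expected) and username in USERS
    if not valid:
        FAILURES[source_ip].append(now)
        _audit("login_failed", user=username, ip=source_ip,
               failures_in_window=len(FAILURES[source_ip]))
        # One generic message for both failure causes: no user enumeration.
        return {"ok": False, "error": "invalid credentials"}

    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a counter
    _audit("login_ok", user=username, ip=source_ip)
    return {"ok": True, "session": token}


if __name__ == "__main__":
    print(login_weak("bob", "x"))                       # leaks that bob does not exist
    print(login_hardened("bob", "x", "10.0.0.1"))       # generic error, logged
    for _ in range(6):
        print(login_hardened("alice", "wrong", "10.0.0.9"))   # sixth attempt is blocked
```

The hardened version still leaves real work to the platform: the `print` stands in for shipping the JSON lines to a collector that someone actually alerts on, and the in-memory rate limiter would need shared state behind a load balancer.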
Maybe you can share your top three topics with us?
Possibly this blog post has stimulated you to think a little about your own security implementations, or to reflect a bit: am I doing enough, or is there more I could or should do to implement security? Honestly, I have to add a little more in the future 😉
#owasp, #security, #development, #developer