C1: Define Security Requirements

In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding owasp top 10 proactive controls techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure.

  • It lists security requirements such as authentication protocols, session management, and cryptographic security standards.
  • The ASVS requirements are basic verifiable statements which can be expanded upon with user stories and misuse cases.
  • Be wary of systems that do not provide granular access control configuration capabilities.
  • However, this document should be seen as a starting point rather than a comprehensive set of techniques and practices.

Security requirements define the security functionality of an application. Better security built in from the beginning of an applications life cycle results in the prevention of many types of vulnerabilities. According to OWASP, a security requirement is a statement of needed functionality that satisfies many different security properties of software.

Vulnerabilities Prevented

The application must always make a decision, whether implicitly or explicitly, to either deny or permit the requested access. Logic errors and other mistakes relating to access control may happen, especially when access requirements are complex; consequently, one should not rely entirely on explicitly defined rules for matching all possible requests. For security purposes an application should be configured to deny access by default. OWASP’s Proactive Controls can provide concrete practical guidance to help developers build secure software, but getting developers motivated to write secure code can be challenging. For more tips on how to address this challenge, drop in on Adhiran Thirmal’s session, “How to Win Over that Elusive Developer,” at the upcoming SecureGuild online conference.

Just as functional requirements are the basis of any project and something we need to do before writing the first line of code, security requirements are the foundation of any secure software. In the first blog post of this series, I’ll show you how to set the stage by clearly defining the security requirements and standards of your application. You’ll learn about the OWASP ASVS project, which contains hundreds of already classified security requirements that will help you identify and set the security requirements for your own project. Authorization may be defined as “the process of verifying that a requested action or service is approved for a specific entity” (NIST).

OWASP Proactive Control 1 — define security requirements

Broken Access Control was ranked as the most concerning web security vulnerability in OWASP’s 2021 Top 10 and asserted to have a “High” likelihood of exploit by MITRE’s CWE program. 10, Access Control was among the more common of OWASP’s Top 10 risks to be involved in exploits and security incidents despite being among the least prevalent of those examined. This cheat sheet will help users of the OWASP Top Ten identify which cheat sheets map to each security category. Observe in the above code that the session cookie JSESSIONID remains the same for pre- and post-login. This vulnerability can be exploited by an attacker who has physical access to the machine and notes the value of session cookie pre-authentication. Many developers have a tough time handling authorization, and at some point leave a gap that gets exploited, leading to unauthorized data access.

what are owasp proactive controls

Some part of the application fetches that information from the database and sends it to the user without properly encoding it. It then leads to malicious code being executed by the browser on the client side. Stored XSS can be carried out in public forums to conduct mass user exploitation.

Define Security Requirements¶

Developers are already wielding new languages and libraries at the speed of DevOps, agility, and CI/CD. The objective of this cheat sheet is to assist developers in implementing authorization logic that is robust, appropriate to the app’s business context, maintainable, and scalable. The guidance provided in this cheat sheet should be applicable to all phases of the development lifecycle and flexible enough to meet the needs of diverse development environments.

A prominent OWASP project named Application Security Verification Standard—often referred to as OWASP ASVS for short—provides over two-hundred different requirements for building secure web application software. The process includes discovering / selecting, documenting, implementing, and then confirming correct implementation of new security features and functionality within an application. This cheatsheet will help users of the OWASP Proactive Controls identify which cheatsheets map to each proactive controls item. Even when no access control rules are explicitly matched, the application cannot remain neutral when an entity is requesting access to a particular resource.