Security requirements define new features or additions to existing features to solve a specific security problem or eliminate a potential vulnerability. The OWASP Top 10 Proactive Controls is similar to the OWASP Top 10 but is focused on defensive techniques and controls as opposed to risks. Each technique or control in this document will map to one or more items in the risk based OWASP Top 10.
The input is interpreted as a command, processed, and performs an action at the attacker’s control. The injection-style attacks come in many flavors, from the most popular SQL injection to command, LDAP, and ORM. The Proactive Controls list starts by defining security requirements derived from industry standards, applicable laws, and a history of past vulnerabilities. Proactive Controls for Software developers describing the more critical areas that software developers must focus to develop a secure application. After the need is determined for development, the developer must now modify the application in some way to add the new functionality or eliminate an insecure option. In this phase the developer first determines the design required to address the requirement, and then completes the code changes to meet the requirement.
OWASP Proactive Control 9 — implement security logging and monitoring
AAL3 requires authentication that is “based on proof of possession of a key through a cryptographic protocol.” This type of authentication is used to achieve the strongest level of authentication assurance. It is worth noting that biometrics, when employed as a single factor of authentication, are not considered acceptable secrets for digital authentication. Biometrics must be used only as part of multi-factor authentication with a physical authenticator (something you own). For example, accessing a multi-factor one-time password (OTP) device that will generate a one-time password that the user manually enters for the verifier.
Make sure you track the use of open source libraries and maintain an inventory of versions, their licenses and vulnerabilities such as OWASP’s top 10 vulnerabilities using tools like OWASP’s Dependency Check or Snyk. An application vulnerability is a system flaw or weakness in an application’s code that can be exploited by a malicious actor, potentially leading to a security breach. For example, traffic can be compared with network models to identify anomalous behavior. “This is a great addition, since it addresses a problem that has been ongoing for too long, that has lead to data breaches,” added Cavirin’s Kucic. Input validation ensures that only properly formatted data may enter a software system component.
Vulnerable and outdated components are older versions of those libraries and frameworks with known security vulnerabilities. Broken Access Control is when an application does not correctly implement a policy that controls what objects a given subject can access within the application. An object is a resource defined in terms of attributes it possesses, operations it performs or are performed on it, and its relationship with other objects. A subject is an individual, process, or device that causes information to flow among objects or change the system state.
It is common for an application to have a mechanism for a user to gain access to their account in the event they forget their password. A good design workflow for a password recovery feature will use multi-factor authentication elements. For example, it may ask a security question – something they know, and then send a generated token to a device – something owasp proactive controls they own. This investigation culminates in the documentation of the results of the review. Systems and large applications can be configurable, and this configuration is often used to secure the system/application. If this configuration is misapplied then the application may no longer be secure,
and instead be vulnerable to well-known exploits.