How much subjectivity is there in the OWASP Proactive Controls? I like that it offers more guidance for developers...
in implementing specific controls into the development process, but how much more work is required to actually identify and implement the controls?
The majority of Web application attacks are not classified as difficult because hackers are taking advantage of vulnerabilities that experts have been aware of for years; vulnerabilities like cross-site scripting and SQL injection always appear in lists such as the CWE/SANS Top 25 Most Dangerous Programming Errors and the OWASP (Open Web Applications Security Project) Top 10 Most Critical Web Application Security Risks. Even a single instance of one of these vulnerabilities can negate any protection provided by elaborate network defenses, which is why these vulnerabilities are used time and again by hackers as an initial attack vector.
While reactive security controls such as firewalls and signature-based antivirus scanning are essential in a layered defensive strategy, they have to detect a threat before they can protect against it. Proactive controls offer a barrier against attacks by reducing an infrastructure's threat surface.
The OWASP Top Ten Proactive Controls is a list of security techniques and best practices enterprises should apply to remove the majority of the most prevalent and exploitable vulnerabilities found in Web applications today. Listed in order of importance, they are:
- Parameterize queries
- Encode data
- Validate all inputs
- Implement appropriate access controls
- Establish identity and authentication controls
- Protect data and privacy
- Implement logging, error handling and intrusion detection
- Leverage security features of frameworks and security libraries
- Include security-specific requirements
- Design and architect security in
Some of the controls, such as "Leveraging security features of frameworks and security libraries," are not expensive to implement but will certainly involve some management overhead. Others, like "Design and architect security in," may well require both a change in the development process and additional resources for training developers. Training costs both time and money, but in the long run it will be cheaper than launching a vulnerable application.
Not only is there the cost of fixing bugs, but other less obvious costs must be planned for as well, such as overtime and duplicated effort, disgruntled customers, reputation damage and legal action. Fortify, now part of HP, reported that an effective developer education program can reduce vulnerabilities by nearly 25%.
Research and the combined experience of companies such as Microsoft show that the most effective way to reduce vulnerabilities, and keep overall development time and costs down is to minimize the number of coding errors made during development. Implementing the OWASP Top Ten Proactive Controls in software development projects will help achieve this. Security has to be seen by developers as a feature that will be tested, just like any other component or requirement. If development budgets are tight, project managers still need to adopt at least the first five controls, as these will enforce good coding practices and reduce the number of easy attack vectors for hackers.
Ask the Expert!
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
A flaw in the open source graphics library libpng enabling denial-of-service attacks was discovered. Expert Michael Cobb explains how the ...continue reading
Flaws in the Apple Notify function and iTunes can enable attackers to inject malicious script into the application side. Expert Michael Cobb explains...continue reading
Facebook's Delegated Recovery aims to replace knowledge-based authentication with third-party account verification. Expert Michael Cobb explains how ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.