OWASP Top 10 Proactive Controls 2018: How it makes your code more secure

The OWASP list of the top 10 critical security risks to web applications does a good job of identifying prominent cybersecurity risks faced by organizations, but it doesn't offer developers much practical guidance on how to make their applications more secure. That's where OWASP's Top 10 Proactive Controls come in.

One big advantage is that they're "written for developers instead of security specialists," explained Jim Bird, one of the leaders of the controls project and co-founder and CTO of the New York-based Alternative Trading System, a system for secure and confidential institutional stock trading.

"The proactive controls are the things that you should do as a developer to include security in design and coding. It's like a developer's map to the good things available from OWASP and other best-in-class open-source projects."
Jim Bird

The items on the top 10 provide actionable guidance on how to deal with important security risks. They include links to open-source libraries, tools that developers can use, and pointers to other projects from the Open Web Application Security Project (OWASP)—such as the Cheat Sheet series—where they can dig deeper into specific areas.

Ken Prole, chief technology officer for Code Dx said the new recommendations speaks the language of developers and make it easy to understand what they should be worrying about when creating secure applications.

Here's what your app sec team needs to know about OWASP Top 10 Proactive Controls 2018.

Application Security Research Update: The State of App Sec in 2018

10 suggestions for more secure apps

The controls, introduced in 2014, have filled a gap for practitioners preaching the gospel of security to developers. Michael Leung, a management consultant with Canadian Cybersecurity Inc., used to manage security training for developers at a large financial institution in Canada. He is also a member of ISACA's CISO Forums Working Group.

"Giving them guidance that was practical was challenging. The OWASP Top 10 Proactive Controls helped a lot."
Michael Leung

Version 3.0 of the controls, released earlier this year, looks like this:

1. Define security requirements

Security requirements provide a foundation of vetted security functionality for an application, the OWASP team explained in a document on the project. Instead of creating a custom approach to security for every application, standard security requirements allow developers to reuse the definition of security controls and best practices.

2. Leverage security frameworks and libraries

Using secure coding libraries and software frameworks with embedded security helps software developers guard against security-related design and implementation flaws. A developer writing an application from scratch might not have sufficient knowledge, time, or budget to properly implement or maintain security features.

3. Secure database access

Ensure that the security controls available from the DBMS and hosting platform are enabled and properly configured. All access to the database should also be properly authenticated.

4. Encode and escape data

These are defensive techniques meant to stop injection attacks.

5. Validate all inputs

Input validation ensures that only properly formatted data may enter a software system component.

6. Implement digital identity

This control is the unique representation of a subject as it engages in an online transaction. It also includes authentication (verifying that an individual or entity is who they claim to be) and session management (helping a server maintain the state of a user's authentication so they may continue to use the system without repeating authentication).

7. Enforce access controls

Also called authorization, this determines if a request by a user, program, or process should be granted or denied.

8. Protect data everywhere

Data needs to be protected in transit and at rest. It also needs to be classified so each piece of data receives the level of protection it deserves.

9. Implement security logging and monitoring

By having an application generate data for security, you can provide valuable information for intrusion detection systems and forensic analysis, as well as help your organization meet compliance requirements.

10. Handle all errors and exceptions

Applications that mishandle errors can expose an organization to all kinds of trouble, from data leakage to the compromise of data in transit to denial of service and system shutdowns.

"Developers should look at the list as a starting point. It provides some practical guidance to build secure software."
—Michael Leung

Differences from the previous list

Some changes have been made in the 2018 version of the list compared to the previous release, in 2016. The changes were made in response to feedback from dozens of people in OWASP, Alternative Trading System's Bird explained.

"We opened the project to contributions and general review, let people make suggestions and updates and used those to come up with the new release. So the new list tries to reflect the current best thinking on where to get started building secure code."
—Jim Bird

The 2018 list has a new top item: "Define security requirements." It has also moved "leverage security frameworks and libraries" from the bottom to the No. 2 spot in the tally and added a new item at No. 3: "Secure database access."

Defining requirements

Joseph Kucic, chief security officer at Cavirin, said the desire to define security requirements at the beginning of a project often results in last-minute patches and incomplete and vulnerable applications.

"Defining security requirements is all too often missed in developing new applications or updating old ones. [Adopting the checklist] ensures that the security requirements are documented up front and that security is built into the application from the start."
Joseph Kucic

Leveraging frameworks and libraries

Using established security frameworks is now just below defining security requirements in importance, up from the ninth spot in 2016. The expanded use of third-party and open-source components in applications has contributed to this item's rise in importance.

More junior developers do not have the knowledge or time to properly implement or maintain security features, Kucic said. "Clearly, leveraging established security frameworks helps developers accomplish security goals more efficiently and accurately."

"You don't want developers creating libraries to perform authentication and other critical tasks of the app. It's usually a best practice to use a third-party component that's been vetted and has had a lot of eyes on it."
Ken Prole

Big-picture thinking with data

Securing database access is a new item that placed third on the list. "This is a great addition, since it addresses a problem that has been ongoing for too long, that has lead to data breaches," added Cavirin's Kucic.

Unfortunately, when it comes to databases, "security by default configuration and misconfigurations are common" problems, said management consultant Leung.

Kucic maintained that developers must safeguard all access to their data, and not assume it will be protected by someone else, such as a database administrator. "If the application is not designed properly to restrict access or functions, then it functions as a front door for bad actors," he said.

Joseph Carson, chief security scientist at Thycotic, noted that database control requires developers to think not only about the security of their application but where that application stores its data.

"This big difference means the developer can no longer just consider the task they have at hand, but need to think about the bigger picture."
Joseph Carson

Consider security from the start

With the latest release of the top 10 proactive controls, OWASP is helping to move security closer to the beginning of the application development lifecycle. The list is "critical to moving the industry forward with 'security left' initiatives," Kucic said.

"Security needs to start when the coding starts so that we minimize finding security issues in the penetration phase. With agile development sprint cycles, we do not have time to redo the application to address the security issues found downstream."
—Joseph Kucic

But don't stop there. While adhering to the OWASP proactive controls can improve application security, developers are only part of the picture, cautioned Katy Anton, one of leaders of the OWASP project and principal application security consultant at  Veracode.

"You need a security culture within the company. If the entire company doesn't support the developers, they won't be able to implement this minimal list of techniques and get on the ladder to more secure software."
Katy Anton

Topics: Security