If your organization truly recognizes the importance of deploying secure applications as part of your overall security
process, kudos to you. You're one of the few. Most companies remain mired in reactive security processes that keep them at risk because they never truly address the root cause of most vulnerabilities: insecure software development.
One proactive, timely and cost-effective way to reduce vulnerabilities is to map security programs to a list of common vulnerabilities, such as the Open Web Application Security Project (OWASP) Top 10.
For some enterprises, addressing the OWASP Top 10 is mandatory for industry and regulatory compliance; for others, it is optional but advised. Training developers to protect their code against the OWASP Top 10 offers a proven method for secure Web application development.
So, what is the OWASP Top 10 list?
The OWASP Top 10 list represents a consensus among leading application security experts about the greatest software risks. These risks are based on the frequency of the attacks that exploit them, the severity of their vulnerabilities, and the magnitude of their potential impact on businesses. The OWASP also has a rich set of remediation guidelines to help developers fix vulnerabilities and code defensively.
This list serves as a key checklist and internal Web application development standard for many of the world's largest organizations. The project has been maintaining the list and other application security content since 2003.
The objective of the OWASP Top 10 is to not only raise awareness about specific risks, but also to educate managers and technical personnel on how to assess and protect against a wide range of Web application vulnerabilities. Many standards bodies, including the PCI Security Standards Council, National Institute of Standards Technology (NIST) and the Federal Trade Commission regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives.
Mapping a security program to OWASP best practices is essential when developers are being trained to write defensive code for Web and mobile applications. Additionally, because knowledge retention often is a challenge when developers are working with complex content and technical concepts, it's important that the development team be equipped with on-the-job checklists and reference guides to help them overcome that challenge in their daily activities. When developers have these resources, risks are reduced dramatically, compliance is facilitated and overall development costs are decreased -- because there is less need to rewrite code.
Use OWASP guidance to train developers and meet compliance mandates
Ensuring adherence to OWASP guidelines can be tricky. Organizations can take the OWASP Top 10 Web application security risks in a variety of ways. But one of the keys to ensuring an organization is addressing security effectively at the application level is to build security into the application development process itself.
Mapping a security program to OWASP best practices is essential when training developers are being trained to write defensive code for Web and mobile applications.
One way to do this is to train the development team not just to write secure code, but to recognize the vulnerabilities that are most attractive to attackers. This knowledge provides structure, and allows them to focus on the vulnerabilities that put their organization or customers most at risk.
A great example of compliance mapping through the OWASP Top 10 is the Payment Card Industry Data Security standard (PCI DSS). This standard's rules specifically require addressing the Top 10. As PCI DSS requirement 6.5 states: "As industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements."
Auditors are likely to view an organization's failure to address the OWASP Top 10 as an indication that it may be falling short of many compliance standards. Integrating the Top 10 into its software development lifecycle (SDLC) demonstrates an overall commitment to industry best practices for secure development.
Train properly to meet your objectives
But how can an organization meet the required regulatory initiatives with application security training? It's simple: Roll out the training program and document it accordingly. A number of regulations, directives and industry best practices call out training as a requirement, including:
- PCI DSS requires that organizations obtain and review software development processes and verify that they require training in secure coding techniques for developers, based on industry best practices and guidance.
- NIST 800-53 requires that federal agencies establish sound security policy, architecture and controls as the foundation for design, and to incorporate security into the system development lifecycle in Control SA-8. It also requires that system developers and integrators be trained on how to develop secure software.
- The Health Insurance Portability and Accountability Act requires that HIPAA-covered organizations perform risk analysis and risk assessments, and, in some cases ensure that proper controls are in place for Web application vulnerabilities.
- A new ISO standard -- ISO 27034: Guidelines for Application Security -- is under development.
- The Department of Defense (DoD) and Defense Information Systems Agency (DISA) recently published the Application Security and Development Security Technical Implementation Guide with detailed recommendations for creating a secure SDLC.
- DoD Directive 8500.1 requires the appropriate security training for developers throughout the development lifecycle across four distinct subsections in DISA's Security Technical Implementation Guides.
There are a number of best practices that organizations can put into effect to harden applications and reduce the likelihood and potential impact of an attack. The OWASP Top 10 is a generally accepted set of agreed-on Web application vulnerabilities, complemented by a set of secure coding and testing guidelines. Mapping application security to the OWASP Top 10 is just one of these best practices.
The list and guides alone will not prevent attacks, however, nor will they ensure your team is educated properly. Organizations that proactively seek the secure development knowledge needed to find, fix and prevent the OWASP Top 10 are the ones that will reduce their Web application vulnerabilities and facilitate compliance.
Ed Adams is CEO at Security Innovation Inc., a software security and cryptography firm in Boston. Let us know what you think about the story; email Ben Cole, Associate Editor.