Many organizations haven’t considered a fixed standard for their web security. This makes it hard to determine how secure you are. It is not always enough to ask a developer “Are things secure?”. It becomes a subjective assessment with risks of missing critical issues.
Security should be based on known standards to ensure common understanding in development and following security check (QA). A standard also ensures you don’t implement “Security by Obscurity” – hidden or personal patterns instead of an open standard.
How we have implemented the OWASP security standard
The Open Web Application Security Project (OWASP) (owasp.org) is a non-profit fond that works for improving software security. They deliver both courses and standards but most importantly have well documented principles for how security should be implemented in web applications.
With the OWASP open source standard you adhere to one of the world’s most widespread standards. Many experts have thought through and described safe patterns that make it manageable to keep an ongoing eye on your security. With well described principles it is easier to educate your developers and do documentation while keeping security procedures updated externally.
We always start with the OWASP Top 10 list which is conveyed to all developers. When we do security checks our QA team also test from the same standard while doing injection tests etc. With OWASP it’s easy to communicate to our clients what their baseline security looks like – from here they can always add extra security if needed. There’s a difference in dealing with standard public websites based on Umbraco CMS or if it’s a system with more personally sensitive data.
In any case the Top 10 list is our starting point for security concerns – in dealing with more critical systems we have an expanded security model with IP restrictions, full cryptography and e.g. two-factor authentication (2FA). But when we’re talking about security you always start with the weakest link and here OWASP Top 10 is a really good starting point.
Top 10 OWASP security rules
OWASP Top 10 is a standard awareness document for developers on web application security. It represents broad consensus about the most critical security risks for web applications.
Current OWASP Top 10 (since 2021):
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
When the 10 principles are implemented the basis for your web application is relatively secure. When you couple it to ongoing check by QA you’ll be sure that the implementation is done correctly by developers.