2 About Me Secure Coding Practices Quick Reference Guide project leader Application security assessments team leader at The Boeing CompanyUnited States delegate to the IEC/ISO SC27 subcommittee on cyber securityMember of the Software Assurance Working Group
3 Some BackgroundGoal: Build a secure coding kick-start tool, to help development teams quickly understand secure coding practicesOriginally developed for use inside The Boeing CompanyJuly 2010, Boeing assigned copyright to OWASPAugust 2010, project goes live on owasp.org
4 Guide Overview Technology agnostic coding practices What to do, not how to do itCompact, but comprehensive checklist formatFocuses on secure coding requirements, rather then on vulnerabilities and exploitsIncludes a cross referenced glossary to get developers and security folks talking the same language
5 Sections of the GuideThe bulk of the document is in the checklists, but it contains all of the following:Table of contentsIntroductionSoftware Security Principles OverviewSecure Coding Practices ChecklistLinks to useful resourcesGlossary of important terminology
6 Checklist Sections Data Validation Authentication and Password ManagementAuthorization and Access ManagementSession ManagementSensitive Information Storage or TransmissionSystem Configuration ManagementGeneral Coding PracticesDatabase SecurityFile ManagementMemory Management
7 Checklist Practices Short and to the point. Straight forward "do this" or "don't do that"Does not attempt to rank the practicesSome practices are conditional recommendations that depend on the criticality of the system or informationThe security implications of not following any of the practices that apply to the application, should be clearly understood
8 Extract - Database Security Use strongly typed parameterized queries. Parameterized queries keep the query and data separate through the use of placeholders. The query structure is defined with place holders and then the application specifies the contents of each placeholder.Utilize input validation and if validation fails, do not run the database command.Ensure that variables are strongly typed.Escape meta characters in SQL statements.The application should use the lowest possible level of privilege when accessing the database.Use secure credentials for database access.Do not provide connection strings or credentials directly to the client. If this is unavoidable, encrypted them.Use stored procedures to abstract data access.Turn off any database functionality (e.g., unnecessary stored procedures or services).Eliminate default content.Disable any default accounts that are not required to support business requirements.Close the connection as soon as possible.The application should connect to the database with different credentials for every trust distinction (e.g., user, read-only user, guest, administrators).
9 Using the guide Scenario #1: Developing Guidance Documents Coding PracticesGuiding PrinciplesWhat to doHow to do itSecurity PoliciesApplication Security ProceduresApplication Security Coding Standards
10 Using the guide continued Scenario #2: Support Secure Development LifecycleWhat to doHow you should do itWhat you didDid it workApplication Security RequirementsApplication Development PracticesStandardized LibrariesStandard Guidance for non-Library SolutionsReview SolutionsTest Solution ImplementationCoding Practices
11 Using the guide continued Scenario #3: Contracted DevelopmentIdentify security requirements to be added to outsourced software development projects.Include them in the RFP and ContractWe can build anythingHow do I make it workCoding PracticesI need cool SoftwareRFPBest Software EverContract Best Software EverProgrammerSalesmanCustomer
12 SummaryMakes it easier for development teams to quickly understand secure coding practicesAssists with defining requirements and adding them to policies and contractsProvides a context and vocabulary for interactions with security staffServes as an easy desk reference
13 A Secure Development Framework Guidance on implementing a secure software development framework is beyond the scope of the Quick reference Guide, however the following OWASP projects can help:Implement a secure software development lifecycleOWASP CLASP ProjectEstablish secure coding standardsOWASP Development Guide ProjectBuild a re-usable object libraryOWASP Enterprise Security API (ESAPI) ProjectVerify the effectiveness of security controlsOWASP Application Security Verification Standard (ASVS) Project)Establish secure outsourced development practices including defining security requirements and verification methodologies in both the RFP and contractOWASP Legal Project
Your consent to our cookies if you continue to use this website.