OWASP Top Ten Proactive Controls presented at AppSecCalifornia 2015

by Jim Manico

Summary: The major cause of web insecurity is poor development practices. We cannot “firewall” or “patch” our way to secure websites. Programmers need to learn to build websites differently. No company or industry is immune.
The OWASP Top Ten Proactive Controls Project is a Top-Ten-like document that focuses directly on informing developers of necessary secure coding techniques. This talk describes the bare minimum required of a development team if they wish to have even a small chance of producing secure software.
Validation
- Whitelist Validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML Validation (as part of untrusted content from features like TinyMCE)
Authentication
- Password storage, HMACs for scale
- Multi-factor AuthN implementation details
- OAuth
- Forgot password workflow
Access Control
- Limits of access control
- Permission-based access control
Encoding
- Output encoding for XSS
- Query Parameterization
- Other encodings for LDAP, XML construction and OS Command injection resistance
Data Protection
- Secure number generation
- Certificate pinning
- Proper use of AES (CBC/IV Management)
Secure Requirements
- Core requirements for any project (technical)
- Business logic requirements (project specific)
Secure Architecture and Design
- When to use request, session or database for data flow