Cyber defense? Secure programming is the basis of everything

(by Alessandro Rugolo)
04/09/17

When talking about cyber defense one always thinks of bad hackers and of those who, on the other side of the fence, fight them. Yet it all starts much earlier.
For software in particular, everything starts when a program is designed and implemented.

Bad design, lack of knowledge in the field of secure software programming, and inefficient quality testing and controls are the source of the problems we face every day in cyberspace. Yet there are standards for producing secure applications: the Open Web Application Security Project, OWASP for short, is a standard for producing secure web applications, and almost all applications are now web-based ...

OWASP is also a global organization whose aim is to improve software security. The documentation produced by the organization is released under the Creative Commons Attribution-ShareAlike license.

The OWASP foundation has been online since 1 December 2001 and has been recognized as an American non-profit organization since 21 April 2004. The foundation and its collaborators adhere to the fundamental rule of not being affiliated with any technology company, so as to keep its impartiality and credibility intact.

OWASP naturally has a founder: Mark Curphey, who grew up in England. In 2000 Curphey, after earning a master's degree in Information Security with a specialization in cryptography, left England for the United States, where he began working for Internet Security Systems, later acquired by IBM. It was in those years that he gave life to OWASP.
After several more years in the security field, in 2014 he founded SourceClear, headquartered in San Francisco, and he continues to collaborate on spreading OWASP.

But why is OWASP so important?

OWASP is important because it is now a worldwide standard for secure software development, but not only for that. It is important because thousands of IT security experts collaborate daily on OWASP projects, because it is a collection of best practices made available for free, and because among its many projects there is also the OWASP Academy, which aims to spread knowledge about the development of secure software.

OWASP is a de facto standard, adopted by individual developers but also by major software producers. Precisely because it is a standard, its adoption by an organization becomes an integral part of that organization's cyber defense. Cyber defense is not just what we see in the movies, which we could call "tactics", but also what we do not see and yet is part of the context, the "strategy".
An organization that produces software, as well as an organization whose business processes depend heavily on the software it uses (whether or not it produced that software itself), must also pay attention to aspects such as the internal adoption of OWASP.

The adoption of OWASP or other security standards is therefore an integral part of an organization's cyber defense and as such deserves attention from management. Indeed, it is absolutely useless to invest in the security sector without also thinking about this side of it.

To make a crude but universally comprehensible comparison, it is like filtering water with a colander: if I need to remove particles of a certain size from the water and my colander is not effective, I can buy a bigger colander, but if when buying it I pay no attention to the size of the holes, I will probably just have spent more money on a bigger colander without improving its performance!

Likewise, if the software that is produced (or purchased) does not comply with a security standard during production and testing, it will be necessary to put in place a series of subsequent security controls to address the resulting risks, spending far more than I would have spent by worrying about the security aspects of the software from the start.

Of course, adopting a secure software production standard does not guarantee that there will be no problems, but it at least protects against the problems that are already known.

One of the most important OWASP products is the Top Ten, a list of the ten main risks associated with web applications. In its original version these were the points proposed, which are still under observation:

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Broken Access Control
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Insufficient Attack Protection
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Underprotected API

The 2017 list, despite being very similar to the previous one, has been much debated, mainly because of point 7, which not everyone agrees with. The fact remains that, even if not shared by all, it can be considered an excellent starting point for studying the risks present in the world of web applications.
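To make two entries of the list above concrete, here is an added example (not code from the article, from OWASP or from SourceClear) that shows A1 Injection and A3 Cross-Site Scripting as a vulnerable snippet beside its hardened form. It uses an in-memory SQLite database filled with constructed sample rows; the function names, the table layout and the sample data are all assumptions made for this illustration.

```python
"""Added example: OWASP Top Ten A1 (Injection) and A3 (XSS), each shown as
the defective pattern next to the hardened one. The database, table and
rows are constructed here solely for the demonstration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """A1 Injection: the user-supplied name is concatenated into the SQL
    text, so whatever it contains becomes part of the query's structure
    instead of staying a plain value. A name that closes the quote and
    adds an always-true condition returns every row."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a parameterised query hands the value to the driver
    separately from the SQL text, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """A3 XSS: untrusted text is spliced into HTML unchanged, so markup in
    the name is interpreted by the browser."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened form: HTML-encode untrusted text before it reaches the page,
    so the browser shows the characters rather than interpreting them."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    # The classic textbook input used to illustrate why concatenation fails.
    crafted = "x' OR '1'='1"
    print(find_user_vulnerable(db, crafted))  # all three constructed rows
    print(find_user_safe(db, crafted))        # [] : no user has that literal name
    print(render_greeting_vulnerable("<b>bold</b>"))
    print(render_greeting_safe("<b>bold</b>"))
```

The point a code review should catch is the shape of the code, not the particular input: any query built by string concatenation from untrusted data, and any HTML built by concatenating untrusted text, is the defect, regardless of what the data happens to contain today.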

To learn more:
- https://www.owasp.org
- https://www.sourceclear.com
- http://www.cert.org/secure-coding/standards/index.cfm
- https://2017.appsecusa.org/