Writing secure code is now a must for developers. Attacks on organizations large and small are rising, and so is the fallout for companies that have been breached. As a result, security is finally moving out of the periphery to become a mainstay of business continuity.
Secure applications are essential to the life and longevity of any organization creating or releasing software, and security starts from the foundation: the code. How can developers create secure code? By deeply understanding what secure code is, what it looks like, and how to write and test it. Because of the number of languages, the broad range of attack vectors, and the rapidly changing development landscape, there is a lot developers need to learn.
Developers are in luck, though. There is a huge amount of information available online, and several well-known, well-regarded organizations disseminating that information to make security more transparent and more deeply embedded in organizations. One of those organizations is OWASP, a non-profit with branches worldwide, dedicated to making “software security visible, so that individuals and organizations are able to make informed decisions”. OWASP is free to join and provides hundreds of free and open-source resources, many of which can be downloaded for easy, offline access.
OWASP has a LOT of resources meant for a wide array of people, from security team members, to CISOs, to managers, to, of course, developers. It can be difficult to know where to start if you are new to what OWASP has to offer. To help you sift through the thousands of articles, guides, and checklists, we’ve highlighted the five most important resources that no developer should be without.
Top 5 OWASP Resources for Developers:
1. OWASP Developer Guide
Let’s start at the very beginning – the essential OWASP Developer Guide. The guide, which was started over 15 years ago, saw a major revision starting in 2014 to bring the guide into the current decade.
The guide’s main objective is to provide developers and architects with a wide set of secure coding principles that can be followed in any organization working on any kind of software or web development. The guide is not specific in regard to languages and frameworks and is more of a set of broad principles that should be followed during coding. The idea, as stated on the guide’s wiki on the OWASP site, is to “look past…[language] differences and apply the basic tenets of secure system engineering to application security.”
A new version of the Developer Guide is currently being worked on, and volunteers are always needed – check out the project’s FAQ for ways you can help.
Get the Guide: The guide’s latest stable release, 2.0.1, can be found on GitHub here.
2. OWASP Top 10 Cheat Sheet
Anyone working with code should be very familiar with the OWASP Top 10. Yet, even after studying the vulnerabilities and how to prevent them, there will be a point at which most developers have questions or just want to double-check a specific vulnerability and the secure coding requirements for it. This is what makes the OWASP Top 10 Cheat Sheet another great resource to keep at your side as you develop software.
The Cheat Sheet plainly lays out the key requirements for preventing each vulnerability in depth and, on top of that, includes testing checklists and guides to verify that your code actually meets them. It follows a consistent structure of presentation, controller, model, and testing that is easy to follow and quick to understand.
Find the OWASP Top 10 Cheat Sheet here.
3. OWASP Application Security Verification Standard (ASVS)
When it comes to application security standards, there are a lot of different opinions and ideas floating around – but still not one single, universal standard.
OWASP set out to create a standard that can be used around the world: The Application Security Verification Standard, or ASVS. The ASVS is a list of security requirements to identify and define a secure application and can be used by organizations, vendors, and customers alike.
Broken up into levels denoting the specific security needs of different types of applications, the requirements differ between general software (opportunistic level), applications containing sensitive data that needs protection (standard level), and finally the most critical applications (advanced level), such as banking software, medical applications, government sites and software, and similar. The ASVS is an ideal resource for developers working on security controls, as it specifies what needs to be done to protect the application from attack. The document can be used as a blueprint for engineers and developers and as a checklist for vendors, customers, and the organizations themselves.
Get familiar with the Application Security Verification Standard here, where you can download the latest 3.0.1 version, released in June 2016, in both Word and PDF forms.
BONUS: Checkmarx hosted a webinar with the ASVS lead author Jim Manico – click here to watch the webinar on-demand!
4. Security Knowledge Framework
The Security Knowledge Framework is an in-depth tool designed to serve developers and security teams in building and verifying secure software. Billed as “an expert system application,” the framework builds on the ASVS by using the standard as the basis for the platform, allowing developers to better understand and implement the necessary security requirements. The framework allows all team members to follow along with the progress of secure coding in both pre-development design and post-development testing.
The Security Knowledge Framework offers four areas of resources: a knowledge base with in-depth descriptions of vulnerabilities and security terms, an interactive checklist to ensure ASVS security requirements are planned or have been implemented, a set of language-specific code examples (including PHP, C#/.NET, Java, Flask, Django, and Go), and finally, an area where developers and security teams can work together to triage issues that didn’t quite make the ASVS cut.
5. Developer Cheat Sheet Series
OWASP is committed to helping improve security and developer relationships by using security expertise to better educate developers. Their Developer Cheat Sheet Series is a case in point: The organization has recruited security experts from around the world to create deep-dive guides into specific vulnerabilities, security protocols, and nuances within popular programming languages. These cheat sheets, designed with easy-to-digest bullet points, help developers better understand the security best practices and requirements of whatever project or security issue they deal with, from Access Control to XML Security and everything in between.
Get the full list of Developer Cheat Sheets here, where a PDF is available for download and quick access.
OWASP has created these resources over the past decade and a half because it understands the need for continued education and for strengthening the relationship between security and development, in order to instil better collaboration in creating secure applications. Its resources are designed to be reader-friendly and accessible to all, making the resources we’ve highlighted – as well as the hundreds of others available on the OWASP site – perfect for developers, as well as security experts, students, and others.