The Open Web Application Security Project (OWASP) was founded to ‘improve the security of software.’ They have existed for nearly 20 years and now have ‘hundreds of chapters and tens of thousands of members worldwide.’ The resource library they have created to assist developers, technologist, and their companies are incredible. The knowledge here should be gobbled up by any developer looking to improve the quality of their code and projects. After Colonial Pipeline more people need to turn to the OWASP Cheat Sheets and other tools found on their site.
OWASP created their cheat sheet series to be of particular use to application developers and defenders. Their goal is to provide beneficial information, not just general best practices like ‘validate all input’. For example, their Injection Prevention Cheat Sheet in Java is part of the cheat sheets you can download. It points to the fact that you should do Input Validation, and then it goes into code-level details for what to do regarding SQL injections and how to use Query Parameterization to prevent it.
One of the projects that everyone that knows of OWASP knows about is their Top 10 web security risks. The latest version is dated 2017, although they have begun their work on the next version dated 2021. If you are interested in https://github.com/OWASP/Top10/contributing or following along, you can. One of the best things about OWASP is they are Open; this is the community working together.
Did you know there is an OWASP Top 10 Mobile threats as well? The OWASP Mobile Security Project has many other projects aside from the Top 10. For example, there is a platform for people to practice their iOS penetration testing skills called ‘Damn Vulnerable iOS Application.’ They have 21 different exercises that you can practice your skills on that cover everything in the Top 10 mobile risks list.
The recent attack on the Colonial Pipeline was not unexpected. The US Government also knew that this was possible. It was indeed not a shock that this occurred for most, if not all, information security professionals. OWASP has also committed to working with the community to secure, among other things, the critical infrastructure ISVs (Independent Software Vendors (ISV)). More attacks will occur; we must secure our voting systems, infrastructure, defense, and supply chain.
Another terrific project that the community of OWASP is working on is the ASVS Project. This project ‘provides a basis for designing, building, and testing technical application security controls.’ Here, the aim is to provide helpful information to everyone beyond the usual best practice general statements. For example, common best practice around encryption is ‘use known good encryption.’ Beyond that, where do you go? How do we figure out what is good? One place to start is: do not use known bad or weak. In the ASVS document 4.0.2 (downloadable from github), the 6.2.5 section says to not use ECB, PKCS#1, MD5, SHA1, Triple-DES, etc. It gives you specifics to work with!
There are many more terrific projects to explore at OWASP!
Look for our next posts on OWASP!