Building secure applications and sites is not simple. But it is simple to stay on top of standards and best practices that will help you to keep your data and your users safe. No one wants their site to be the subject of a news headline.
“Those who cannot remember the past are condemned to repeat it.”
(George Santayana, The Life of Reason, 1905-1906)
In order to make software more secure we must understand the mistakes of previous software development generations, learn from them, and make our software more sustainable by avoiding their mistakes.
The Open Web Application Security Project (OWASP) is a loosely affiliated team of individuals who work as security experts in the web application development field. In addition to a website full of great projects and other information, they produce a “Top Ten” document every few years. This document lists the most critical web application security flaws in the software industry, ranked by an assessment of the amount of business risk the flaw exposes. For example, a vulnerability that simply crashes a system is less critical than one that exposes data. OWASP provides guidance on how to identify this risk through their Risk Rating Methodology, which rests on 4 points:
- Ease of Attack Vector – How easy is it to craft and iterate through the attack process?
- Prevalence of Weakness – Is this a common weakness found on a lot of websites?
- Detectability of the Weakness – How easy is it to figure out that the weakness exists?
- Technical Impact – What happens if an attack is successful?
It becomes painfully clear with this rating system why SQL Injection Attacks have been at the top of this list for several cycles of the OWASP Top Ten. It is very easy to attempt to insert SQL strings into web pages, and the resulting vulnerability can be severe. Additionally, a site built on WordPress or another open source platform is easy to profile, which can reveal which plugins or functions carry this vulnerability in the first place.
OWASP is important because it is both a reflection of the state of web application programming standards and a guide to the types of attacks likely to be seen in the field. This allows us to learn where to improve and make investments in hardening our applications. It also enables us to do a better job of testing for possible vulnerabilities by emulating popular attack vectors being used in the wild. This is the other place where OWASP is an outstanding resource. The team defines the existing attack vectors, explains the common causes of the vulnerabilities and describes various ways to mitigate them using actual code samples in their “Cheat Sheets.” For example, their SQL Injection Prevention Cheat Sheet checks off all of the boxes that you would want to hand a developer: an explanation of the vulnerability, the types of defenses that can be implemented in code, and examples of unsafe vs. safe SQL statements.
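As an added illustration of the unsafe vs. safe statements the cheat sheet contrasts (example code written for this page, not OWASP's own sample), using Python's sqlite3 module and a constructed in-memory users table; the function names and the allow-list of sort columns are assumptions:

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_unsafe(conn, username):
    # Unsafe: the untrusted value is spliced into the statement text, so the
    # database parses whatever the caller supplied as part of the SQL itself.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, username):
    # Safe (the cheat sheet's primary defense): a parameterized query. The
    # statement text is fixed; the value is bound separately and is only
    # ever compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Identifiers such as column names cannot be bound as parameters, so the
# cheat sheet's fallback for them is allow-list validation before use.
ALLOWED_SORT_COLUMNS = {"username", "role"}   # assumed application allow-list

def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT username FROM users ORDER BY %s" % column
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"                 # constructed test input
    print(find_user_unsafe(conn, probe))   # every row: the quote ended the literal
    print(find_user_safe(conn, probe))     # []: no user has that literal name
    print(list_users_sorted(conn, "role"))
```

The first call returns every user because the quote character terminates the string literal and the rest of the input is parsed as SQL; the parameterized call returns nothing because the same input is compared only as a username value.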
So to ask again, why is OWASP important? This team of experts in secure software development provides our developers with the information and tools to build great code that delivers the highest level of integrity to the web applications that they build. In order to obtain a system that is worthy of the brand it is built on top of, a solid foundation of well-built code must be created and upheld.