Commit e5bceb0 (1 parent: d35cc10)
Showing 18 changed files with 1,234 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
# Final word | ||
|
||
This document should be seen as a starting point rather than a comprehensive set of techniques and practices. We want to again emphasize that this document is intended to provide initial awareness around building secure software. | ||
|
||
Good next steps to help build an application security program include: | ||
|
||
1. To understand some of the risks in web application security please review the [OWASP Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) . | ||
2. A secure development program should include a *comprehensive list of security requirements* . | ||
Use [Threat Modeling](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html) to identify potential security threats, derive security requirements, and tailor security controls to prevent those. Use standards such as the [OWASP (Web) ASVS](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project) and the [OWASP (Mobile) MASVS](https://github.com/OWASP/owasp-masvs) which provides a catalog of available security requirements along with the relevant verification criteria. | ||
3. To understand the core building blocks of a secure software program from a more macro point of view please review the [OWASP OpenSAMM project](https://www.owasp.org/index.php/OWASP_SAMM_Project). |
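Review bot: items 1 and 3 (and the ASVS/MASVS link in item 2) point at the legacy `owasp.org/index.php/...` wiki URLs, while item 2 already uses the current `cheatsheetseries.owasp.org` address; update them to the project pages so the page does not rely on the retired wiki's redirects. In item 2, "which provides a catalog" refers to two standards (ASVS and MASVS) and should read "which provide", and "tailor security controls to prevent those" reads better as "to prevent them". Items 1 and 2 also carry a space before the closing period (`Top Ten](...) .`).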
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# About this Project | ||
|
||
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems. | ||
|
||
## Aim & Objective | ||
|
||
The goal of the **OWASP Top 10 Proactive Controls project** is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations. We hope that the OWASP Proactive Controls is useful to your efforts in building secure software. | ||
|
||
## Target Audience | ||
|
||
This document is primarily written for developers. However, development managers, product owners, Q/A professionals, program managers, and anyone involved in building software can also benefit from this document. | ||
|
||
## How to Use this Document | ||
|
||
This document’s main purpose is to provide a solid foundation of topics to help drive introductory software security developer training. To be effective, these controls should be used consistently and thoroughly throughout all applications. | ||
|
||
However, this document is a starting point rather than a comprehensive set of techniques and practices. | ||
|
||
A fully secure development process should include comprehensive requirements from a standard such as the OWASP ASVS in addition to including a range of software development activities described in maturity models such as [OWASP SAMM](https://www.owasp.org/index.php/OWASP_SAMM_Project) and [BSIMM](https://www.bsimm.com/). | ||
|
||
## Project Leaders | ||
|
||
* [Andreas Happe](mailto:[email protected]), connect through [linkedin](https://www.linkedin.com/in/andreashappe/), [github](https://github.com/andreashappe), [twitter/x](https://twitter.com/andreashappe) | ||
* [Jim Manico](mailto:[email protected]), connect through [linkedin](https://www.linkedin.com/in/jmanico/), [github](https://github.com/jmanico), [twitter/x](https://twitter.com/manicode) | ||
* [Katy Anton](mailto:[email protected]), connect through [linkedin](https://www.linkedin.com/in/katyanton/), [github](https://github.com/katyanton), [twitter/x](https://twitter.com/katyanton) | ||
|
||
## Copyright and Licence | ||
|
||
This document is released under the Creative Commons Attribution-ShareAlike 4.0 International license. For any reuse or distribution, you must make it clear to others the license terms of this work. |
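Review bot: in "How to Use this Document" the OWASP ASVS is named without a link while SAMM and BSIMM on the same line are linked; add the ASVS project link for consistency, and the SAMM link again uses the legacy `owasp.org/index.php/OWASP_SAMM_Project` URL instead of the current `owaspsamm.org` site. Smaller points: "Q/A professionals" is normally written "QA professionals", "We hope that the OWASP Proactive Controls is useful" should agree in number with "Controls" (or say "this document is useful"), and the heading "Copyright and Licence" uses British spelling while the paragraph beneath it says "license"; pick one.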
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# About OWASP | ||
|
||
The *Open Worldwide Application Security Project* (*OWASP*) is an open community | ||
dedicated to enabling organizations to develop, purchase, and maintain | ||
applications and APIs that can be trusted. | ||
|
||
All OWASP tools, documents, videos, presentations, and chapters are free and | ||
open to anyone interested in improving application security. | ||
|
||
We advocate approaching application security as a people, process, and | ||
technology problem, because the most effective approaches to application | ||
security require improvements in these areas. | ||
|
||
OWASP is a new kind of organization. Our freedom from commercial pressures | ||
allows us to provide unbiased, practical, and cost-effective information about | ||
application security. | ||
|
||
OWASP is not affiliated with any technology company, although we support the | ||
informed use of commercial security technology. OWASP produces many types of | ||
materials in a collaborative, transparent, and open way. | ||
|
||
The OWASP Foundation is the non-profit entity that ensures the project's | ||
long-term success. Almost everyone associated with OWASP is a volunteer, | ||
including the OWASP board, chapter leaders, project leaders, and project | ||
members. We support innovative security research with grants and infrastructure. |
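Review bot: this file is hard-wrapped at roughly 80 columns while the other Markdown files added in this commit use one line per paragraph; mkdocs renders both the same, so this is only a style point, but one convention across the `docs/` tree makes future diffs easier to review. Also, "ensures the project's long-term success" in the last paragraph is about the Foundation and the whole OWASP community, whereas "the project" elsewhere on this site means the Proactive Controls project; "the organization's long-term success" would avoid the ambiguity.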
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
# How to Contribute? | ||
|
||
Please don’t hesitate to contact the OWASP Proactive Control project with your questions, comments, and ideas. | ||
|
||
You can contact maintainers directly, use our [project-top10-proactive-controls OWASP slack channel](https://owasp.slack.com/archives/C07KNHZAN1H) (If you do not have a slack user, you can get a [free invite here](https://owasp.org/slack/invite)), or visit [our github page](https://github.com/OWASP/www-project-proactive-controls). | ||
|
||
You find the source code of the current version of the OWASP Top 10 Proactive Controls in the `docs/` directory within the git repository. Please focus upon contributions for the current version, not archived versions within `docs/archive`. | ||
|
||
When you check [our open issues on github](https://github.com/OWASP/www-project-proactive-controls/issues), you can see that some issues are tagged with `help wanted` or `good first issue`. Choose these if you want to help out the project! | ||
|
||
## Translations | ||
|
||
Starting with version `v4` in 2024, we don't accept inclusion of translations into the OWASP Top 10 Proactive Controls directly and are only providing the English version. | ||
|
||
We do encourage translators to create translated versions and host them themselves and will link to those external sites/documents if notified about them. | ||
|
||
## How to test the OWASP Proactive Control website locally? | ||
|
||
If you can run python, you can locally run the OWASP Proactive Control website locally. We recommend this to test your changes before pushing them to github. | ||
|
||
To do this, we will use `venv` to create a local python environment to install the needed `mkdocs` package. | ||
|
||
```shell | ||
# creates and activates a new python environment in a new `venv` directory | ||
$ python3 -m venv venv | ||
$ source venv/bin/activate | ||
|
||
# install the mkdocs package | ||
$ pip install mkdocs-material mkdocs-redirects | ||
|
||
# switch into your checked-out OWASP Proactive Controls directory | ||
$ cd owasp-proactive-controls | ||
|
||
# run the local webserver | ||
$ mkdocs serve | ||
|
||
# now you can point your browser to http://localhost:8000 and check | ||
# how your changes will look like | ||
``` | ||
|
||
## A Big Thank you to our Contributors! | ||
|
||
This document would not have been possible without our contributors for which we are grateful. The 2024 Version makes listing all contributors hard as we were using an untracked google shared doc in the beginning. We hope that we haven't missed someone and are very gracious for: | ||
|
||
[Andreas Happe](https://github.com/andreashappe), [Jim Manico](https://github.com/jmanico), [Katy Anton](https://github.com/katyanton), Chris Romeo, Jasmin Mair, Abdessamad Temmar, Carl Sampson, Eyal Estrin, [Israel Chorzevski](https://github.com/sro-co-il), [Zoe Braiterman](https://github.com/zbraiterman), [Timo Pagel](https://github.com/wurstbrot), [ThreeHoolagins](https://github.com/ThreeHoolagins), [Wallace Soares](https://github.com/soareswallace), [Aref Shaheed](https://github.com/aref2008), [ThunderSon](https://github.com/ThunderSon), [Marcus Fenstrom](https://github.com/MFernstrom), [Datz](https://github.com/DatzAtWork), [Josh Grossman](https://github.com/tghosth), [Tomas Coiro](https://github.com/CoiroTomas), [Dr. Pi3ch](https://github.com/pi3ch), [Ishaq Mohammed](https://github.com/security-prince), [Richard Tweed](https://github.com/RichardoC), [Derek Gary](https://github.com/DerekGary), [Starr Brown](https://github.com/mamicidal), [Thomas](https://github.com/tthn0), [Christian Capellan](https://github.com/ccapellan), [Adriaan Joubert](https://github.com/adriaanjoubert), [Kenneth Kron](https://github.com/biofool), [Jaskirat Singh](https://github.com/Jassi2004), [Lukas Weichselbaum](https://github.com/lweichselbaum), [joonakokkola](https://github.com/joonakokkola), [cowsecurity](https://github.com/cowsecurity) | ||
|
||
### Contributors to previous Top 10 Proactive Control versions | ||
|
||
Another round of applause to all the contributors of previous OWASP Top 10 Proactive Controls lists: | ||
|
||
Massimiliano Graziani, [Taras Ivashchenko](mailto:[email protected]), Jay Zudilin, [Danny Harris](mailto:[email protected]), Hiroaki Kuramochi, Hiroshi Fujimoto, Hidenori Nagai, [Riotaro OKADA](mailto:[email protected]), Robert Dracea, Koichiro Watanabe, Tony Hsu Hsiang Chih, [Cyrille Grandval](mailto:[email protected]), [Frédéric Baillon](mailto:[email protected]), [Danny Harris](mailto:[email protected]), Stephen de Vries, Andrew Van Der Stock, Gaz Heyes, Colin Watson, Jason Coleman, Cassio Goldschmidt, Dan Anderson, David Cybuck, Dave Ferguson, Osama Elnaggar, Rick Mitchell |
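Review bot: the shell block under "How to test the OWASP Proactive Control website locally?" does not work as a copy-paste sequence: the commands carry `$` prompts, the comment `# install the mkdocs package` sits above `pip install mkdocs-material mkdocs-redirects` (mkdocs itself only arrives as a dependency of mkdocs-material, so either say so or install it explicitly), and `cd owasp-proactive-controls` assumes a directory name that differs from the repository name `www-project-proactive-controls` linked earlier in the same file; either use the repository name or say the directory depends on how the reader cloned it. The venv is also created wherever the reader happens to be before the `cd`, so either move the `cd` first or state that the commands are meant to run inside the checked-out repository. Prose nits in the same hunk: "you can locally run the ... website locally" repeats "locally", "how your changes will look like" should be "how your changes will look", and "are very gracious for" should be "are very grateful to". The contributor list spells "Marcus Fenstrom" against the handle `MFernstrom`; worth confirming which spelling is right.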
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
# OWASP Top 10 Proactive Controls in the News | ||
|
||
## 2024 | ||
|
||
Introduction of the OWASP Top 10 Proactive Controls v4 and switch to new wiki system. | ||
|
||
- \[9 Sep 2024\] Featured in `SecureIdeas` post [What’s new in the OWASP Proactive Controls for 2024](https://www.secureideas.com/blog/whats-new-in-the-owasp-proactive-controls-for-2024) | ||
- \[6 Feb 2024\] Featured in `gbhackers.` post [OWASP Top 10 Proactive Security Controls For Software Developers to Build Secure Software](https://gbhackers.com/owasp-released-top-10-proactive-controls/) | ||
|
||
## 2022 | ||
|
||
- \[10 Nov 2022\] [Blog Post by Kerr](https://kerr.ventures/2022/11/10/owasp-proactive-controls-the-answer-to-the-owasp-top-ten/) | ||
- \[13 June 2022\] Featured on the [GitHub Blog](https://github.blog/open-source/write-more-secure-code-owasp-top-10-proactive-controls/) | ||
|
||
## 2021 | ||
|
||
- \[12 Feb 2021\] Featured in oneconsult's post [OWASP Top 10 Proactive Controls – Teil 1](https://www.oneconsult.com/de/blog/news/owasp-top-10-proactive-controls-teil-1/) | ||
|
||
## 2020 | ||
|
||
- \[5 Nov 2020\] Featured by Snyk in [Developing secure software: how to implement the OWASP top 10 Proactive Controls](https://snyk.io/blog/owasp-top-10-proactive-controls-2020/) | ||
|
||
## 2019 | ||
|
||
- \[July 2019\] Featured in Coursera course from UCDavies | ||
[Identifying Security Vulnerabilities](https://www.coursera.org/directory/videos?courseId=V1k0pBtIEemZRAqH7m9oGA) | ||
- \[23 June 2019\] Featured on HackerCombat: [Implement OWASP Proactive Controls to Work](https://hackercombat.com/implement-owasp-proactive-controls-to-work/) | ||
- \[7 June 2019\] Feature on OWASP DevSlop Show [Proactive Controls](https://www.youtube.com/watch?v=Jdb3qweDc_Q) | ||
- \[15 May 2019\] Featured in TechBeacon: [Put OWASP Top 10 Proactive Controls to work](https://techbeacon.com/security/put-owasp-top-10-proactive-controls-work) | ||
- \[2 Mar 2019\] Webinar: [The OWASP Top Ten Proactive Controls with Jim Manico](https://www.youtube.com/watch?v=ldXe8f5yVq8) | ||
|
||
## 2018 | ||
|
||
The OWASP Top 10 Proactive Controls 2018 (v3) were released. | ||
|
||
- \[Dec 2018\] Featured as the resource for Security “Shifting to the Left”\! in the ISC2 course: "DevSecOps: Integrating Security into DevOps” | ||
- \[20 Sep 2018\] Featured in TechBeacon: [OWASP Top 10 Proactive Controls 2018: How it makes your code more secure](https://techbeacon.com/owasp-top-10-proactive-controls-2018-how-it-makes-your-code-more-secure) | ||
- \[17 Sep 2018\] Binary Blogger Podcast Episodes: [OWASP Top 10 Proactive Controls Podcast Episodes](https://binaryblogger.com/2018/09/17/owasp-top-10-proactive-controls-podcast-episodes/) | ||
- \[9 May 2018\] Featured in [Developer's security guide: 50 online resources to shift left](https://techbeacon.com/developer-secure-code-starter-kit-resources) | ||
- \[7 May 2018\] 3.0 released\! | ||
|
||
## 2017 | ||
|
||
- \[11 Aug 2017\] Presented at [Northeast PHP Conference](https://northeastphp2017.sched.com/event/B6uo/owasp-top-10-proactive-controls-2016) | ||
- \[25 July 2017\] Podcast about at [OWASP Top 10 Proactive Controls](https://www.appsecpodcast.org/2017/07/25/the-owasp-top-10-proactive-controls/) | ||
- \[12 May 2017\] Presented at [AppSec EU'17 - Belfast](https://appseceurope2017.sched.com/event/A652/the-path-of-secure-software) | ||
- \[14 Feb 2017\] Featured in [Managing Cloud Infrastructure to Prevent Security Gaps](http://wwpi.com/2017/02/14/managing-cloud-infrastructure-to-prevent-security-gaps/) | ||
- \[Feb 2017 \] Featured in "[Application Security Program: Protect Against Data Breaches](http://assets.unisys.com/Documents/Global/POVPapers/POV_170062_ApplicationSecurityProgramProtectAgainstDataBreaches.pdf)" | ||
|
||
## 2016 | ||
|
||
The OWASP Top 10 Proactive Controls 2016 (v2) were released on Jan 14, 2016. | ||
|
||
- \[1 Oct 2016\] Presented at [PHPNW16](http://conference.phpnw.org.uk/phpnw16/speakers/katy-anton/) | ||
- \[5 July 2016\] Featured in [Incorporating Security Best Practices into Agile Teams](https://www.thoughtworks.com/insights/blog/incorporating-security-best-practices-agile-teams) | ||
- \[June 2016 \] Featured in [A Transformative Approach to Secure Systems Delivery](http://www.booz-allen.co.in/content/dam/boozallen/documents/Viewpoints/2016/06/transformative-approach-to-secure-systems-delivery.pdf) | ||
- \[2 June 2016\] Featured in [DevOpsSec - Securing Software through Continuous Delivery](http://www.oreilly.com/webops-perf/free/devopssec.csp) |
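Review bot: several entries have wording slips: "Feature on OWASP DevSlop Show" (7 June 2019) should read "Featured on", "Podcast about at" (25 July 2017) should be "Featured in the podcast" or similar, "UCDavies" (July 2019) is most likely "UC Davis", and two dates carry a stray space inside the brackets (`\[Feb 2017 \]`, `\[June 2016 \]`). The Dec 2018 entry mixes straight and curly quotes around the course title and places `\!` before the closing quote. Several 2016/2017 entries link over plain `http://` (wwpi.com, booz-allen.co.in, oreilly.com, conference.phpnw.org.uk); since this is a new page, check that those targets are still live and switch to HTTPS where it is offered.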
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# Related OWASP Projects | ||
|
||
OWASP is a volunteer-driven organization. Those volunteers contributed many useful documents, and this section points to some related OWASP documents and projects: | ||
|
||
## OWASP Top 10 | ||
|
||
The best-known OWASP document is the [OWASP Top 10](https://owasp.org/Top10/). They detail the most common web application vulnerabilities and are also the base for this document. In contrast, this document is focused on defensive techniques and controls as opposed to risks. Each control in this document will map to one or more items in the risk-based OWASP Top 10. This mapping information is included at the end of each control description. | ||
|
||
## OWASP ASVS | ||
|
||
[The OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/) is a catalog of available security requirements and verification criteria. OWASP ASVS can be a source of detailed security requirements for development teams. Security requirements are categorized into different buckets based on a shared higher order security function. For example, the ASVS contains categories such as authentication, access control, error handling / logging, and web services. Each category contains a collection of requirements that represent the best practices for that category drafted as verifiable statements. | ||
|
||
## OWASP SAMM | ||
|
||
[Software Assurance Maturity Model (SAMM)](https://www.opensamm.org/) is an open framework to help organizations implement a strategy for maturing the software security tailored to the specific risks of the organization. . [SAMM](https://owaspsamm.org/about/) supports the complete software life cycle and can be used to identify what | ||
|
||
## Threat Modeling in General | ||
|
||
Threat Modeling is an important part of secure application development, which can help identify potential security threats, derive security requirements, and tailor security controls to prevent potential threats. Successful use of security requirements involves four steps: discovery, documentation, implementation, and verification of the correct implementation of the functionality within an application. Threat modelling is one way to derive security requirements. Other sources are: industry standards, applicable laws, history of past vulnerabilities. Modeling tools, like [OWASP Threat Dragon](https://owasp.org/www-project-threat-dragon/) can be used to create threat model diagrams as part of a secure development life cycle. | ||
|
||
## Domain-Specific Documents | ||
|
||
It is important to notice that this document primarily focuses on web applications, but other Top 10s could apply to your application, too. Examples of those are: | ||
|
||
- OWASP API Top 10 | ||
- OWASP Mobile Application Top 10 |
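Review bot: the SAMM paragraph is cut off mid-sentence: `[SAMM](https://owaspsamm.org/about/) supports the complete software life cycle and can be used to identify what` never finishes the thought, and the sentence before it ends in a doubled period (`of the organization. .`); complete the sentence before merging. The two SAMM links also point to different sites (`opensamm.org` and `owaspsamm.org`); use the current `owaspsamm.org` for both. Smaller points: in "OWASP Top 10", "They detail" refers to a single document and should be "It details"; the threat modeling section alternates between "Modeling" and "modelling"; and the Domain-Specific list names the API and Mobile Application Top 10 without links while every other project on the page is linked.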