Where can you find this free positive guidance? The Open Web Application Security Project (OWASP), for one.
Theyre a non-profit organization that is doing a ton of great things to help software developers build secure products. If youve heard of OWASP, youve probably heard of their Top10 list of the most common web application security defects that, ironically, is not one of the examples of positive things Im referring to. Its good work, but its not positive.
If youre a regular reader of my column here, youve probably heard me speak of positive practices like positive input validation. By that I mean proving something to be safe, otherwise it is presumed to be dangerous.
That same way of thinking can and should be applied to secure software development. In fact, if we applied it all the time in our IT shops, the world would be a far more secure place. But in software development, in general, its an approach thats worthy of our attention.
Dont just tell your dev team what mistakes to avoidlike, say, the OWASP Top 10 but tell them what safe practices to follow like, say, positive input validation, parameterized SQL queries, etc.
Where can you find out about these positive practices? Well, if youre dealing with web or web-related technologies (e.g., SOA), OWASP is a fabulous place to start, and since all their stuff is released as open source, it wont even break your budget.
Here are some examples of the great work Ive seen coming out of OWASP, other than the Top10:
Without a doubt, the most powerful weapon against security defects is knowledge, and Ive yet to encounter a better learning tool than OWASPs WebGoat. Every single technologist in your organization who touches web technologies should run through WebGoats extensive lessons. It lays out these lessons in an easy to follow way. Give WebGoat to your team and have them work through one exercise a day. You wont regret it.
WebScarab is a general purpose web application testing tool. It is a web equivalent of a program debugger that allows you to single-step through an application to watch it work, from behind a GUI interface. It is an absolute must-have for testing and validating the security of web applications, including SOAP interfaces to web applications.
Feel intimidated by installing WebGoat and WebScarab, or you just dont want to install them on your system? Grab the OWASP LiveCD instead. Its a scaled-down Linux distribution with many of the OWASP tools already installed, including WebGoat and WebScarab. Boot the LiveCD and you can use those tools without having to ever install anything on your system. (It runs great on a virtual box in VMware or Parallels also.)
Weve all heard of XSS; it is the most prevalent web security defect according to the OWASP Top 10, after all. But preventing it from getting into our web applications isnt as trivial as wishing it were gone. Well, the OWASP folks have been drafting a cheat sheet for software developers to work through while theyre coding. Its actionable, positive guidance that every software developer should study and use.
Security issues in software go way beyond the OWASP Top-10, as Ive said. Thinking positively about practices, after all, is my topic today. The folks at OWASP have been thinking about the bigger picture as well. Theyve been working on their Enterprise Security Application Programming Interface, or ESAPI. Its a security API that provides classes and methods for doing many security things that pretty much all enterprise software requires, from authentication and access control to input validation. It wont solve all your problems, but it sure does provide a pretty slick starting point for many of them in particular that pesky OWASP Top10.
These are just a few things, but theyre all worth looking at, especially if, like me, youre tired of hearing about the badness parade day in and day out. Heres the proverbial breath of fresh air where you can find some useful positive things that you can start using today in your web applications.
Dont get me wrong here. There is still much to do ESAPI, for example, is currently only available in Java (but other languages are being worked). Its still great to see this sort of stuff available, however.
Kudos and thanks to the folks at OWASP for their efforts!