Web Application Security Controls Based on the OWASP Top 10 Recommendations

Posted by Serge Truth on September 20, 2011 at 10:40 AM
The following list summarizes the controls recommended in the OWASP Top 10 2010 document. OWASP has become the de facto international standards body in the field of Web Application Security, so the recommendations below represent the state of the art for Web Application Security. Following these guidelines should improve the overall security posture of most Web Applications.

01. Prevent Injection Vulnerabilities

+ Use Parameterized APIs for Data Access
+ Use Positive Input Validation
+ Avoid Using Command Interpreters
+ Escape Special Characters, If Parameterized APIs Are Not Available
https://www.owasp.org/index.php/Top_10_2010-A1
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
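The first two controls side by side, as an added example (not code from the post or from OWASP): a lookup that splices the username into the SQL text, next to the same lookup done with positive input validation followed by a parameterized query. The in-memory SQLite table and the username pattern are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


# Positive (allow-list) validation: only the exact shape a username may have (assumed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def lookup_role_vulnerable(conn, username):
    """Vulnerable: untrusted input becomes part of the query text, so quoting in the
    input changes the query's structure instead of being treated as data."""
    sql = "SELECT role FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_role_safe(conn, username):
    """Hardened: reject anything outside the allow-list, then bind the value through
    the driver's parameterized API so it can only ever be compared as data."""
    if not is_valid_username(username):
        raise ValueError("username rejected by positive input validation")
    rows = conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchall()
    return [row[0] for row in rows]


def safe_lookup_rejects(conn, value):
    """True if the hardened lookup refuses the value (used to show the validation step)."""
    try:
        lookup_role_safe(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_role_vulnerable(db, tautology))  # every role in the table
    print("safe rejects it:", safe_lookup_rejects(db, tautology))
    print("safe for alice:", lookup_role_safe(db, "alice"))
```

Note that the parameterized query alone would already be safe; the validation step is kept because the Top 10 recommends both, and it also stops malformed values before they reach any other sink.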


02. Prevent XSS Vulnerabilities

+ Escape All Untrusted Data in HTML Contexts
+ Use Positive Input Validation
https://www.owasp.org/index.php/Top_10_2010-A2
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
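Escaping untrusted data for its HTML context, as an added example that is not part of the post: a profile fragment rendered by string concatenation next to one that escapes each value for the context it lands in (element content, quoted attribute) and applies positive validation to the link target before it is placed in an `href`. The markup and the URL pattern are constructed for the example.

```python
import html
import re


def escape_html(untrusted):
    """Escape for HTML element content and for double-quoted attribute values.
    html.escape with quote=True rewrites & < > " and ' as entities."""
    return html.escape(untrusted, quote=True)


# Positive validation for a link target: only absolute http(s) URLs with a plain
# character set (assumed policy). Anything else, including javascript: URLs, fails.
SAFE_URL_RE = re.compile(r"https?://[A-Za-z0-9._~\-/?=&%#:]+")


def render_profile_vulnerable(display_name, homepage):
    """Vulnerable: both values are copied into the page unchanged."""
    return ('<p>Welcome, ' + display_name + '</p>'
            '<a href="' + homepage + '">site</a>')


def render_profile_safe(display_name, homepage):
    """Hardened: escape every untrusted value for its context; the href is first
    validated, and an unacceptable value is replaced rather than escaped and emitted."""
    if SAFE_URL_RE.fullmatch(homepage) is None:
        homepage = "#"
    return ('<p>Welcome, ' + escape_html(display_name) + '</p>'
            '<a href="' + escape_html(homepage) + '">site</a>')


if __name__ == "__main__":
    name = "<script>alert(1)</script>"
    print(render_profile_vulnerable(name, "javascript:alert(1)"))
    print(render_profile_safe(name, "javascript:alert(1)"))
    print(render_profile_safe('Bob "the builder"', "https://example.com/bob"))
```

Escaping is context-specific: the entity encoding above is right for element content and quoted attributes, but data placed inside a script block or a URL query needs that context's own encoding, which is why the XSS cheat sheet linked above is organized by context.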


03. Secure Authentication and Session Management Functionality

+ Centralize Authentication and Session Management Controls
+ Protect Session IDs from XSS
https://www.owasp.org/index.php/Top_10_2010-A3
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet


04. Prevent Insecure Direct Object Reference Vulnerabilities

+ Use Per-User or Per-Session Indirect Object References
+ [OR] Check Access Control Permissions Whenever Performing Direct Object References
+ Disable Directory Browsing
https://www.owasp.org/index.php/Top_10_2010-A4


05. Prevent Cross-Site Request Forgery Vulnerabilities

+ Include Unique Tokens in HTTP Requests
https://www.owasp.org/index.php/Top_10_2010-A5
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
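Unique per-session tokens for state-changing requests, as an added example (not the post's or OWASP's code): the server issues a random token bound to the session, the form or header carries it back, and the handler refuses to act unless the submitted token matches in constant time. The dictionary session store and the transfer handler are assumptions standing in for a real framework.

```python
import hmac
import secrets


class CsrfProtector:
    """Synchronizer-token pattern. self.sessions is a plain dict standing in for the
    server-side session store of a real framework (assumption for this example)."""

    def __init__(self):
        self.sessions = {}

    def issue_token(self, session_id):
        """Generate a fresh unpredictable token and bind it to this session."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions.setdefault(session_id, {})["csrf_token"] = token
        return token  # embed in a hidden form field or send in a custom header

    def verify(self, session_id, submitted_token):
        """Compare the submitted token against the one bound to the session."""
        expected = self.sessions.get(session_id, {}).get("csrf_token")
        if expected is None or submitted_token is None:
            return False
        return hmac.compare_digest(expected, submitted_token)  # constant-time compare


def handle_transfer(protector, session_id, form):
    """A state-changing handler (constructed): check the token before doing anything."""
    if not protector.verify(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "transfer of %s to %s accepted" % (form["amount"], form["to"])


if __name__ == "__main__":
    p = CsrfProtector()
    token = p.issue_token("session-A")
    print(handle_transfer(p, "session-A", {"csrf_token": token, "amount": "10", "to": "bob"}))
    print(handle_transfer(p, "session-A", {"amount": "10", "to": "bob"}))
```

A request forged from another site can carry the victim's session cookie but not the token, because the token is only ever readable by pages the application itself served to that session.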


06. Prevent Security Misconfiguration Vulnerabilities

+ Establish A Repeatable Hardening Process
+ Keep Up with Security Updates
+ Design a Strong Application Architecture
+ Run Scans and Perform Audits
https://www.owasp.org/index.php/Top_10_2010-A6
https://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet


07. Prevent Insecure Cryptographic Storage Vulnerabilities

+ Consider the Threats You Plan to Protect Data from
+ Encrypt Off-site Backups
+ Ensure Strong Algorithms Are Used
+ Hash and Salt Passwords
+ Protect Keys and Passwords
https://www.owasp.org/index.php/Top_10_2010-A7
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet


08. Prevent Failure to Restrict URL Access Vulnerabilities

+ Require Authentication and Authorization for Each Sensitive Page
+ Use Role-based Authentication and Authorization
+ Make Authentication and Authorization Policies Configurable
+ Deny All Access by Default
https://www.owasp.org/index.php/Top_10_2010-A8
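One authorization layer that serves both section 04 (check permissions whenever performing a direct object reference) and section 08 (role-based, configurable, deny-by-default access), as an added example that is not code from the post: a policy table maps resource/action pairs to the roles allowed, anything absent from the table is denied, and a document fetched by the id from the URL is additionally checked against its owner. The policy, users and documents are constructed.

```python
from collections import namedtuple

User = namedtuple("User", "id roles")
Document = namedtuple("Document", "id owner_id")

# Configurable policy: which roles may perform which action on which resource type.
# Anything not listed here is denied. Constructed for the example.
POLICY = {
    ("document", "read"): {"user", "auditor", "admin"},
    ("document", "delete"): {"admin"},
}


def role_allows(user, resource_type, action):
    """Deny by default: an unknown resource/action pair yields an empty allow-set."""
    allowed = POLICY.get((resource_type, action), set())
    return bool(set(user.roles) & allowed)


def authorize_document(user, doc, action):
    """Role check first, then the object-level check so that a direct reference
    only works on the caller's own document unless they hold the admin role."""
    if not role_allows(user, "document", action):
        return False
    if "admin" in user.roles:
        return True
    return doc.owner_id == user.id


DOCS = {1: Document(1, owner_id=10), 2: Document(2, owner_id=11)}  # constructed store


def get_document(user, doc_id):
    """Handler for GET /documents/<doc_id>. Missing and forbidden look identical
    to the caller, so the response cannot be used to enumerate valid ids."""
    doc = DOCS.get(doc_id)
    if doc is None or not authorize_document(user, doc, "read"):
        return None
    return doc


if __name__ == "__main__":
    alice = User(10, ["user"])
    print(get_document(alice, 1))  # her own document
    print(get_document(alice, 2))  # someone else's: None
```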


09. Prevent Insufficient Transport Layer Protection Vulnerabilities

+ Enable SSL
+ Use SSL for All Sensitive Pages
+ Set the Secure Flag on All Sensitive Cookies
+ Use Only Strong SSL Algorithms
+ Use Valid SSL Certificates
+ Secure Backend Connections
https://www.owasp.org/index.php/Top_10_2010-A9
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet


10. Prevent Unvalidated Redirects and Forwards Vulnerabilities

+ Don't Use Redirects or Forwards, If Possible
+ Don't Use User Input for Calculating Destinations of Redirects or Forwards
+ Use Mapping Values When Calculating Destinations of Redirects or Forwards
https://www.owasp.org/index.php/Top_10_2010-A10
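Mapping values for redirect destinations, as an added example that is not part of the post: the request carries a short key, the server resolves it through a fixed table, and an unknown key falls back to a safe default instead of being interpreted as a URL. A second check is included for the case where an application still has to accept a path, so that protocol-relative and absolute URLs are refused. Keys and destinations are constructed.

```python
from urllib.parse import urlparse

# The only destinations a redirect may ever go to (constructed table).
REDIRECT_TARGETS = {
    "home": "/",
    "account": "/account/overview",
    "help": "https://help.example.com/",
}


def resolve_redirect(mapping_key, default="/"):
    """Turn a key from the request (?next=account) into a destination.
    The user-supplied value never becomes part of the Location header itself."""
    return REDIRECT_TARGETS.get(mapping_key, default)


def is_local_path(candidate):
    """Fallback check for applications that must accept a raw path: only a
    same-origin absolute path, never a scheme, host, or protocol-relative //host."""
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        return False
    return candidate.startswith("/") and not candidate.startswith("/\\")


def redirect_response(mapping_key):
    """Minimal 302 response tuple (status, headers) for the resolved destination."""
    return 302, {"Location": resolve_redirect(mapping_key)}


if __name__ == "__main__":
    print(redirect_response("account"))
    print(redirect_response("https://attacker.invalid/"))  # unknown key: default "/"
    print(is_local_path("/dashboard"), is_local_path("//other.example/"))
```

The mapping approach is preferred over validating raw URLs because the parsing rules browsers apply to `Location` values differ in edge cases, and a table of fixed keys has no edge cases.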


A-1. Authentication Requirements

+ Require Authentication for All Private Pages
+ Mask All Password Fields
+ Lock Accounts After Multiple Failed Authentication Attempts
+ Use Server-side Authentication
+ Centralize All Authentication Controls
+ Make Sure Authentication Controls Fail Securely
+ Require Strong Authentication Credentials
+ Secure the Account Management Functions
+ Secure the Credential (Password) Changing Functions
+ Require Re-authentication for Sensitive Operations
+ Force Authentication Credentials to Expire
+ Log Authentication Events
+ Hash and Salt Passwords
+ Protect Authentication Credentials for External Resources
http://code.google.com/p/owasp-asvs/wiki/Verification_V2


A-2. Session Management Requirements

+ Use Session Management Offered by the Framework
+ Invalidate Sessions when Users Log Out
+ Make Inactive Sessions Time-out
+ Make Sessions Time-out
+ Place Logout Links on All Pages that Require Authentication
+ Protect Session IDs
+ Change Session IDs on Login
+ Change Session IDs on Reauthentication
+ Change Session IDs on Logout
+ Reject Invalid Session IDs
+ Use Strong Session IDs
+ Set the Domain and Path Values of Session Cookies
http://code.google.com/p/owasp-asvs/wiki/Verification_V3
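The session requirements above, and the "protect session IDs from XSS" control of section 03, as one added example that is not code from the post or from ASVS: a server-side session store that generates strong IDs, rotates the ID on login or re-authentication, enforces both an idle and an absolute timeout, invalidates on logout, rejects unknown IDs, and emits the cookie with Domain, Path, Secure and HttpOnly set. The timeouts and the injectable clock are assumptions for this example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60           # seconds without a request before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard lifetime from creation, regardless of activity (assumed)


class SessionStore:
    """Server-side store; the clock is injectable so expiry can be exercised in tests."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def create(self, user_id=None):
        sid = self._new_id()
        now = self.clock()
        self.sessions[sid] = {"user_id": user_id, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Data for a valid, unexpired session, or None. Expired entries are dropped,
        and an ID the server never issued is simply absent, so it is rejected."""
        data = self.sessions.get(sid)
        if data is None:
            return None
        now = self.clock()
        if now - data["last_seen"] > IDLE_TIMEOUT or now - data["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        data["last_seen"] = now
        return data

    def rotate(self, old_sid, user_id):
        """On login or re-authentication: retire the pre-login ID and issue a fresh one,
        so an ID an attacker planted before login never becomes an authenticated session."""
        self.sessions.pop(old_sid, None)
        return self.create(user_id)

    def logout(self, sid):
        """Invalidate server-side; the client cookie becomes meaningless."""
        self.sessions.pop(sid, None)


def session_cookie(sid, domain, path="/"):
    """Secure keeps the ID off plain HTTP; HttpOnly keeps it out of reach of script
    (the XSS protection in section 03); Domain and Path scope it to the application."""
    return "SESSIONID=%s; Domain=%s; Path=%s; Secure; HttpOnly; SameSite=Lax" % (sid, domain, path)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.rotate(anon, user_id=42)
    print(session_cookie(authed, "app.example.com"))
    print(store.get(anon), store.get(authed)["user_id"])
```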

Topics: application security, owasp

Written by Serge Truth

Serge is a Content Lead here at Security Innovation. He is an IT and Information Security professional, certified by the Committee on National Security Systems Instruction.