The OWASP (Open Web Application Security Project) is an NGO that aims to improve the security of web applications. The organisation makes all of its guidance and materials available free of charge to everyone on its website. The OWASP Framework gives organisations a systematic guide to implementing secure standards, processes and solutions in the development of a web application. We introduce the framework and explain how to use it to develop more secure web applications.
In Five Phases, Systematically Achieve More Security for Web Applications
In the OWASP framework, application development is divided into several phases. The focus is not on pure development, but on the entire development process - from the definition of standards, system design, development and delivery to regular maintenance of the application.
Planning: Defining and Documenting Standards
Even before the actual development, the prerequisites for a secure web application must be created. In the software development lifecycle, you define which security measures you implement in which phase and how. Appropriate standards, best practices and corresponding documentation should be available for each phase. In this way, you create a common, uniform frame of reference for later developers and ensure consistency and comprehensibility beyond the original team.
In this phase, you should also establish measurement criteria for the security of the application. Only with clear, uniform measurement criteria can you carry out tests and thereby make security gaps visible and fix them.
Design: Define and Test Specific Security Requirements
The design phase is about defining the security requirements that the later application must implement. These requirements need to be tested, because each defined requirement rests on assumptions that are not necessarily true. You should then develop realistic threat scenarios and check whether the architecture you have developed actually rules these scenarios out.
Development: From Code Walkthrough to Code Review
Development is about translating the design decisions made earlier into code. In practice, however, new small design decisions arise again and again during development, because a detail was not covered by the design document or no guideline exists for it. Therefore, the code must also be checked for possible security risks during development. A good platform for automated security scans is turingsecure.
As a first step, developers should perform a code walkthrough, explaining to the security manager how the code is structured in its overall logic and how it works. A checklist for this is provided by Microsoft. In a second step, the security manager can then perform a static code review and systematically check the code for security vulnerabilities. The basis for this is a document that defines specific classes of errors. The OWASP Top 10, for example, describes the 10 most frequent security vulnerabilities in web applications. The list is based on OWASP research and is updated every year. Programming languages and development environments also often provide documents for code reviews.
Delivery: Checking Security in Practice with Penetration Tests
Static code reviews can identify and fix many standard errors during development. But some errors are not covered by the review documents because they are specific to the application or unique. Therefore, tests are also necessary after go-live. In a penetration test, an external consultant checks the application for security vulnerabilities, using the same tools and strategies that a real attacker would use. We have explained what a penetration test is here.
Maintenance: Regular Health Checks for Lasting Security
Web applications in particular are regularly updated: The user interface changes, new features are added, existing features change. This can also affect the security of the application - even with seemingly small and harmless changes. Regular health checks ensure that no new security risks have arisen. These health checks should be carried out at least quarterly. If updates are frequent, the OWASP advises monthly health checks. Again, every change must be tested to rule out any unexpected effects on security.
Conclusion: Safer Web Applications with the OWASP Framework
The OWASP Framework provides a guide for companies to consider security aspects at every stage of the development of a web application, from the very beginning. The strength of the framework is that security is understood as a cross-cutting requirement that must be addressed at every stage. This means that with the OWASP framework, companies have a tool at hand to address possible security threats proactively. This not only reduces the probability of a successful attack, but is also more cost-efficient than a reactive approach: because security aspects are already considered in the design phase, costly interventions in the architecture at a later stage are avoided. More detailed information can be found in the book "Web Security Testing Approaches: Comparison Framework".