Our operating systems are hardened: unnecessary services stopped, unused accounts disabled and the latest patches installed. The signature files for the anti-virus, IDS and IPS are up-to-date. The firewalls, load balancers, routers and switches are securely configured. So with all these safeguards implemented, this must mean our systems are secure, right? WRONG!!
The application layer of the OSI and TCP/IP stacks has become our Achilles heel. The complexity of code in today’s applications has increased the attack surface exponentially. Web applications compound the problem as they are browser and platform independent. But secure software need not be an oxymoron. The good folks at OWASP have demonstrated how to attain secure coding nirvana and what’s more, ALL of their resources (which include tools and accompanying documentation) are freely available at www.owasp.org – OWASP embodies altruism.
The Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organisation focused on improving the security of application software. If you’re a web developer, then you need to ensure your web application isn’t vulnerable to any of OWASP’s Top 10 Web Application Security Risks. If you want to learn the mechanics of a SQL Injection or Cross Site Scripting (XSS), then OWASP’s WebGoat will allow you to accomplish that and much, much more.
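As an added illustration (not code from this post, from OWASP or from WebGoat), here are the two risks just named beside their secure-coding defences: a login lookup built by string concatenation next to its parameterised form, and HTML output encoding for anything echoed back to the browser. The user table, its accounts and the tampered input are all constructed for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "wonderland"), ("bob", "builder")])
    return conn


def login_vulnerable(conn, name, password):
    """Query assembled by concatenation: untrusted input is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, name, password):
    """Input bound as parameters: it can only ever be data, never SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def greeting_html(name):
    """Output encoding for an HTML context, the basic defence against reflected XSS."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def demonstrate():
    """Same tampered password (a quote that closes the literal, then an OR clause)
    fed to both versions: the concatenated query matches every user, the
    parameterised one matches none."""
    conn = make_db()
    tampered = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", tampered),
        "parameterised": login_parameterised(conn, "alice", tampered),
        "genuine": login_parameterised(conn, "alice", "wonderland"),
        "escaped": greeting_html("<script>alert(1)</script>"),
    }
```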
Patch management should not be the norm, and by incorporating OWASP best practices into the SDLC we can look forward to a time when patching will be the exception rather than the rule.