Databases are often key components for building rich web applications as the need for state and persistency arises. Building a secure product begins with defining what are the security requirements we need to take into account. Just as business requirements help us shape the product, security requirements help us take into account security from the get-go. The first step in protecting your data is to classify it so you can map out your strategy for protecting it based on the level of sensitivity.

However, this document should be seen as a starting point rather than a comprehensive set of techniques and practices. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques.

About OWASP

We’ll have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation, and information leakages. Stay tuned for the next blog posts in this series to learn more about these proactive controls in depth. I’ll keep this post updated with links to each part of the series as they come out. No matter how many layers of validation data goes through, it should always be escaped/encoded for the right context.

For this reason, you must protect the data requirements in all places where they are handled and stored. The digital identity is a unique representation of a person, it determines whether you can trust this person or who and what he claims. This is done through passwords, multi-factor authentication or cryptography. Access to all data stores, including relational and NoSQL data, must be secure.

How to Use this Document¶

Proper handling of exceptions and errors is critical to making code reliable and secure. Exception handling can be important in intrusion detection, too, because sometimes attempts to compromise an app can trigger errors that raise a red flag that an app is under attack. According to OWASP, a security requirement is a statement of needed functionality that satisfies many different security properties of software. Requirements can be drawn from industry standards, applicable laws, and a history of past vulnerabilities.

• It’s important to carefully design how your users are going to prove their identity and how you’re going to handle user passwords and tokens.
• Developers writing an app from scratch often don’t have the time, knowledge, or budget to implement security properly.
• Leveraging security-brewed libraries and frameworks lets you benefit from established security expertise and failure-based improvements, which will make your code more sound and harder to bypass.
• The OWASP Application Security Verification Standard (ASVS), catalog of security requirements and audit criteria, is a good starting point for finding criteria.
• For any of these decisions, you have the ability to roll your own–managing your own registration of users and keeping track of their passwords or means of authentication.
• In order to ascertain this, look through issues on the source repository and/or Security Advisories to see whether maintainers are actively closing security findings and publishing them to users somewhere.

This list was originally created by the current project leads with contributions from several volunteers. The document was then shared globally so even anonymous suggestions could be considered. You need to protect data whether it is in transit (over the network) or at rest (in storage).

OWASP Proactive Control 7 — enforce access control

There are very good peer-reviewed and open-source tools out there, such as Google Tink and Libsodium, that will likely produce better results than anything you could create from scratch. Cryptographic authentication is considered the highest form of authentication and requires a person or entity to have proof of possession of a key through a cryptographic protocol. It’s a owasp proactive controls good idea to encapsulate these libraries by defining your own API wrappers around the library use. This way, libraries can be easily enforced, and they can be easily replaced if needed (for example, if they become unmaintained). Running these queries on every commit or pull request, will promptly raise an alarm 🚨 if any of your defined security invariants are violated.