Write secure code using Open Web Application Security Project guidelines | Opensource.com

Posted 29 May 2014

The Open Web Application Security Project (OWASP) is a not-for-profit charitable organization focused on improving software security. OWASP works on the principles of open source software, particularly the idea that the community is the force of creation and contribution. The unique aspect here is that OWASP is not software but rather a set of guidelines created by the community to help developers plug security holes in their code.

Security has become a very important aspect of software development lately, but not everyone is aware of ways to write secure code. You may think, "my team of developers is very experienced, skilled, and efficient; they can write 100% secure code," but if you follow the news you know that even big-name websites are regularly brought down or have their user data compromised. You can better prepare your website against such attacks by following the OWASP guidelines described below.

For example: Jim is a developer working on a software tool that lets people save their daily routine and track their fitness regime. Of course, this app has a login/sign-up mechanism and a database to save the users' details, among other features. With deadlines closing in, Jim has little time to care about code security, and he just finishes the functionality. Later, during an internal security review (or worse, in production), several gaping holes are found. Jim has to bear the brunt of the criticism, but was he to blame?

The vast field that software development has grown into, combined with shrinking deadlines, is the perfect storm for producing code that is vulnerable to attack. Other factors, like ignorance or laziness on the part of the developer, can also introduce security holes. While there is little to be done about the size of the growing software field or about shrinking deadlines, developers can be trained to write inherently secure code by following the OWASP guidelines.

Developers, security analysts, and others can use the OWASP guidelines and, at the same time, contribute knowledge back to them. How?

4 ways to use OWASP

Cheat sheets

Cheat sheets contain high-quality, concise information relevant to a specific feature. You spend less time searching for the answers and more time understanding them.

Suppose you are developing a "Forgot Password" feature for your website and want to know which guidelines should be followed. In the "Cheat Sheets" section of the OWASP website, look up the "Forgot Password Cheat Sheet."

Developer guide

Find comprehensive information on software development, from "foundation" and "architecture" to "configuration" and "operation."

The developer guide was the original OWASP project, started in 2002.

Appsec tutorial series

This is the video tutorial section of the website, aimed at delivering the more complex information in an easy-to-digest format. Videos are typically 5 to 10 minutes long and cover security concepts, tools, or methodologies.

Testing guide

Like the developer guide, there is also a testing guide, which aims to train testers to find bugs in security-critical areas of the software.

Nitish is a software developer by profession and an open source enthusiast by heart. As a tech author for Linux-based magazines, he covers new open source tools. He loves to read and explore anything open source. In his free time, he likes to read motivational books, listen to songs, and sleep. Tweets here: @tiwari_nitish.