
Security controls

OWASP Top 10 Proactive Controls

https://www.owasp.org/index.php/OWASP_Proactive_Controls

o C1: Verify for Security Early and Often
o C2: Parameterize Queries
o C3: Encode Data
o C4: Validate All Inputs
o C5: Implement Identity and Authentication Controls
o C6: Implement Appropriate Access Controls
o C7: Protect Data
o C8: Implement Logging and Intrusion Detection
o C9: Leverage Security Frameworks and Libraries
o C10: Error and Exception Handling

OWASP Secure Coding Practices Checklist

https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

o Input Validation
o Output Encoding
o Authentication and Password Management
o Session Management
o Access Control
o Cryptographic Practices
o Error Handling and Logging
o Data Protection
o Communication Security
o System Configuration
o Database Security
o File Management
o Memory Management
o General Coding Practices

OWASP Security Principles

https://www.owasp.org/index.php/Category:Principle

o Create unpredictable defenses (code modification prevention)
o Defense in depth
o Defense in depth (code modification prevention)
o Detect integrity violation incidents (code modification prevention)
o Detect intrusions
o Don't trust user input
o Don't trust infrastructure
o Don't trust local resources (code modification prevention)
o Don't trust mobile OS infrastructure (code modification prevention)
o Don’t trust services
o Establish secure defaults
o Establish secure defaults (code modification prevention)
o Fail securely
o Fix security issues correctly
o Keep security simple
o Least privilege
o Minimize attack surface area
o Positive security model
o Positive security model (code modification prevention)
o Security by Design Principles
o Separation of duties
o The Insecure-Bootstrapping Principle
o Use encapsulation

OWASP Security Controls - Application Threat Modeling

https://www.owasp.org/index.php/Application_Threat_Modeling#Security_Controls

o Authentication:
  o Ensure all internal and external connections (user and entity) go through an appropriate and adequate form of authentication. Be assured that this control cannot be bypassed.
  o Ensure all pages enforce the requirement for authentication.
  o Ensure that whenever authentication credentials or any other sensitive information is passed, the information is accepted only via the HTTP “POST” method and never via the HTTP “GET” method.
  o Any page deemed by the business or the development team as being outside the scope of authentication should be reviewed in order to assess any possibility of a security breach.
  o Ensure that authentication credentials do not traverse the wire in clear-text form.
  o Ensure development/debug backdoors are not present in production code.

o Authorization:
  o Ensure that there are authorization mechanisms in place.
  o Ensure that the application has clearly defined the user types and the rights of said users.
  o Ensure there is a least privilege stance in operation.
  o Ensure that the authorization mechanisms work properly, fail securely, and cannot be circumvented.
  o Ensure that authorization is checked on every request.
  o Ensure development/debug backdoors are not present in production code.

o Cookie Management:
  o Ensure that sensitive information is not compromised.
  o Ensure that unauthorized activities cannot take place via cookie manipulation.
  o Ensure that proper encryption is in use.
  o Ensure the Secure flag is set to prevent accidental transmission over “the wire” in a non-secure manner.
  o Determine if all state transitions in the application code properly check for the cookies and enforce their use.
  o Ensure the session data is being validated.
  o Ensure cookies contain as little private information as possible.
  o Ensure the entire cookie is encrypted if sensitive data is persisted in the cookie.
  o Define all cookies being used by the application, their name, and why they are needed.
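
As an added example (not part of the OWASP checklist), a small Python audit of Set-Cookie headers against two of the items above: every cookie is declared in an inventory with its purpose, and the Secure flag is set. It also checks HttpOnly, which goes beyond the list; the inventory and the sample headers are constructed.

```python
"""Audit Set-Cookie headers against the cookie-management checklist.

Added example; the inventory and sample headers are constructed for
illustration and are not taken from any real application.
"""
from http.cookies import SimpleCookie

# Constructed inventory: each cookie the application sets, with its purpose
# (the checklist asks that every cookie be named and justified).
COOKIE_INVENTORY = {
    "sessionid": "opaque reference to server-side session state",
    "csrftoken": "anti-CSRF token",
}

def audit_set_cookie(header_value, inventory=COOKIE_INVENTORY):
    """Return a list of findings for one Set-Cookie header value.

    An empty list means the cookie is declared, carries the Secure flag
    (no clear-text transmission) and HttpOnly (not readable by page scripts).
    """
    findings = []
    cookie = SimpleCookie()
    cookie.load(header_value)
    for name, morsel in cookie.items():
        if name not in inventory:
            findings.append(f"{name}: not in cookie inventory")
        # Morsel flag attributes are True when present and "" when absent.
        if not morsel["secure"]:
            findings.append(f"{name}: Secure flag missing")
        if not morsel["httponly"]:
            findings.append(f"{name}: HttpOnly flag missing")
    return findings

def audit_response(set_cookie_headers, inventory=COOKIE_INVENTORY):
    """Audit every Set-Cookie header of one response; return all findings."""
    findings = []
    for header in set_cookie_headers:
        findings.extend(audit_set_cookie(header, inventory))
    return findings

if __name__ == "__main__":
    # Constructed sample response headers.
    sample = [
        "sessionid=7f3a9c; Path=/; Secure; HttpOnly",
        "csrftoken=b21e4d; Path=/; HttpOnly",
        "prefs=theme%3Ddark; Path=/",
    ]
    for finding in audit_response(sample):
        print(finding)
```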

o Data/Input Validation:
  o Ensure that a data validation (DV) mechanism is present.
  o Ensure all input that can (and will) be modified by a malicious user, such as HTTP headers, input fields, hidden fields, drop-down lists, and other web components, is properly validated.
  o Ensure that proper length checks on all input exist.
  o Ensure that all fields, cookies, HTTP headers/bodies, and form fields are validated.
  o Ensure that the data is well formed and contains only known good characters if possible.
  o Ensure that the data validation occurs on the server side.
  o Examine where data validation occurs and whether a centralized or decentralized model is used.
  o Ensure there are no backdoors in the data validation model.
  o Golden Rule: All external input, no matter what it is, is examined and validated.

o Error Handling/Information Leakage:
  o Ensure that all method/function calls that return a value have proper error handling and return value checking.
  o Ensure that exceptions and error conditions are properly handled.
  o Ensure that no system errors can be returned to the user.
  o Ensure that the application fails in a secure manner.
  o Ensure resources are released if an error occurs.

o Logging/Auditing:
  o Ensure that no sensitive information is logged in the event of an error.
  o Ensure the payload being logged is of a defined maximum length and that the logging mechanism enforces that length.
  o Ensure no sensitive data can be logged; e.g. cookies, data passed via the HTTP “GET” method, authentication credentials.
  o Examine if the application will audit the actions being taken by the application on behalf of the client (particularly data manipulation: Create, Update, Delete (CUD) operations).
  o Ensure successful and unsuccessful authentication is logged.
  o Ensure application errors are logged.
  o Examine the application for debug logging with a view to the logging of sensitive data.
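
As an added example (not code from the OWASP page), the two logging controls above, a defined and enforced maximum payload length and no cookies, GET parameters or credentials in the log, implemented as a Python request-log sanitizer. The redacted header list, MAX_LOG_PAYLOAD and the sample request are constructed; CR/LF escaping is added beyond the list so a client value cannot forge extra log lines.

```python
"""Build a request log record that enforces a maximum payload length and
never includes cookies, GET parameters or the request body.

Added example; the header names, MAX_LOG_PAYLOAD and the sample request are
constructed for illustration.
"""
from urllib.parse import urlsplit

MAX_LOG_PAYLOAD = 200  # constructed limit; enforced by sanitize_for_log
# Header names whose values must never reach the log (constructed list).
REDACTED_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

def _neutralise(text):
    """Escape CR/LF so a client-supplied value cannot forge extra log lines."""
    return text.replace("\r", "\\r").replace("\n", "\\n")

def sanitize_for_log(method, url, headers, body=""):
    """Return one log line for a request with sensitive data removed.

    The query string is dropped whole (GET parameters often carry tokens),
    listed headers are redacted, and only the body length is recorded.
    """
    parts = urlsplit(url)
    safe_url = parts.path or "/"
    if parts.query:
        safe_url += "?<redacted>"
    safe_headers = []
    for name, value in headers.items():
        if name.lower() in REDACTED_HEADERS:
            value = "<redacted>"
        safe_headers.append(f"{_neutralise(name)}={_neutralise(str(value))}")
    record = (f"{_neutralise(method)} {_neutralise(safe_url)} "
              f"headers[{'; '.join(safe_headers)}] body_len={len(body)}")
    # Enforce the defined maximum length so an oversized, attacker-controlled
    # payload cannot flood the log or break the logging path.
    if len(record) > MAX_LOG_PAYLOAD:
        record = record[:MAX_LOG_PAYLOAD - 3] + "..."
    return record

if __name__ == "__main__":
    # Constructed sample request: credentials in the query string and a cookie.
    print(sanitize_for_log(
        "GET", "/login?user=alice&password=hunter2",
        {"Cookie": "sessionid=7f3a9c", "User-Agent": "demo/1.0"}))
```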

o Cryptography:
  o Ensure no sensitive data is transmitted in the clear, internally or externally.
  o Ensure the application is implementing known good cryptographic methods.

o Secure Code Environment:
  o Examine the file structure. Are any components that should not be directly accessible available to the user?
  o Examine all memory allocations/de-allocations.
  o Examine the application for dynamic SQL and determine if it is vulnerable to injection.
  o Examine the application for “main()” executable functions and debug harnesses/backdoors.
  o Search for commented-out code and commented-out test code, which may contain sensitive information.
  o Ensure all logical decisions have a default clause.
  o Ensure no development environment kit is contained in the build directories.
  o Search for any calls to the underlying operating system or file open calls and examine the error possibilities.

o Session Management:
  o Examine how and when a session is created for a user, unauthenticated and authenticated.
  o Examine the session ID and verify that it is complex enough to fulfil requirements regarding strength.
  o Examine how sessions are stored: e.g. in a database, in memory, etc.
  o Examine how the application tracks sessions.
  o Determine the actions the application takes if an invalid session ID occurs.
  o Examine session invalidation.
  o Determine how multithreaded/multi-user session management is performed.
  o Determine the session HTTP inactivity timeout.
  o Determine how the log-out functionality works.

ISO 27001: Information technology - Security techniques

o Context of the organization
  o Understanding the organization and its context
  o Understanding the needs and expectations of interested parties
  o Determining the scope of the information security management system
  o Information security management system
o Leadership
  o Leadership and commitment
  o Policy
  o Organizational roles, responsibilities and authorities
o Planning
  o Actions to address risks and opportunities
  o Information security objectives and planning to achieve them
o Support
  o Resources
  o Competence
  o Awareness
  o Communication
  o Documented information
o Operation
  o Operational planning and control
  o Information security risk assessment
  o Information security risk treatment
o Performance evaluation
  o Monitoring, measurement, analysis and evaluation
  o Internal audit
  o Management review
o Improvement
  o Nonconformity and corrective action
  o Continual improvement

ISO 27001: Annex A - Reference control objectives and controls

o Information security policies
  o Management direction for information security
    - Policies for information security
    - Review of the policies for information security

o Organization of information security
  o Internal organization
    - Information security roles and responsibilities
    - Segregation of duties
    - Contact with authorities
    - Contact with special interest groups
    - Information security in project management
  o Mobile devices and teleworking
    - Mobile device policy
    - Teleworking

o Human resource security
  o Prior to employment
    - Screening
    - Terms and conditions of employment
  o During employment
    - Management responsibilities
    - Information security awareness, education and training
    - Disciplinary process
  o Termination and change of employment
    - Termination or change of employment responsibilities

o Asset management
  o Responsibility for assets
    - Inventory of assets
    - Ownership of assets
    - Acceptable use of assets
    - Return of assets
  o Information classification
    - Classification of information
    - Labelling of information
    - Handling of assets
  o Media handling
    - Management of removable media
    - Disposal of media
    - Physical media transfer

o Access control
  o Business requirements of access control
    - Access control policy
    - Access to networks and network services
  o User access management
    - User registration and de-registration
    - User access provisioning
    - Management of privileged access rights
    - Management of secret authentication information of users
    - Review of user access rights
    - Removal or adjustment of access rights
  o User responsibilities
    - Use of secret authentication information
  o System and application access control
    - Information access restriction
    - Secure log-on procedures
    - Password management system
    - Use of privileged utility programs
    - Access control to program source code

o Cryptography
  o Cryptographic controls
    - Policy on the use of cryptographic controls
    - Key management

o Physical and environmental security
  o Secure areas
    - Physical security perimeter
    - Physical entry controls
    - Securing offices, rooms and facilities
    - Protecting against external and environmental threats
    - Working in secure areas
    - Delivery and loading areas
  o Equipment
    - Equipment siting and protection
    - Supporting utilities
    - Cabling security
    - Equipment maintenance
    - Removal of assets
    - Security of equipment and assets off-premises
    - Secure disposal or reuse of equipment
    - Unattended user equipment
    - Clear desk and clear screen policy

o Operations security
  o Operational procedures and responsibilities
    - Documented operating procedures
    - Change management
    - Capacity management
    - Separation of development, testing and operational environments
  o Protection from malware
    - Controls against malware
  o Backup
    - Information backup
  o Logging and monitoring
    - Event logging
    - Protection of log information
    - Administrator and operator logs
    - Clock synchronization
  o Control of operational software
    - Installation of software on operational systems
  o Technical vulnerability management
    - Management of technical vulnerabilities
    - Restrictions on software installation
  o Information systems audit considerations
    - Information systems audit controls

o Communications security
  o Network security management
    - Network controls
    - Security of network services
    - Segregation in networks
  o Information transfer
    - Information transfer policies and procedures
    - Agreements on information transfer
    - Electronic messaging
    - Confidentiality or nondisclosure agreements

o System acquisition, development and maintenance
  o Security requirements of information systems
    - Information security requirements analysis and specification
    - Securing application services on public networks
    - Protecting application services transactions
  o Security in development and support processes
    - Secure development policy
    - System change control procedures
    - Technical review of applications after operating platform changes
    - Restrictions on changes to software packages
    - Secure system engineering principles
    - Secure development environment
    - Outsourced development
    - System security testing
    - System acceptance
  o Test data
    - Protection of test data

o Supplier relationships
  o Information security in supplier relationships
    - Information security policy for supplier relationships
    - Addressing security within supplier agreements
    - Information and communication technology supply chain
  o Supplier service delivery management
    - Monitoring and review of supplier services
    - Managing changes to supplier services

o Information security incident management
  o Information security continuity
    - Planning information security continuity
    - Implementing information security continuity
    - Verify, review and evaluate information security continuity
  o Redundancies
    - Availability of information processing facilities

o Compliance
  o Compliance with legal and contractual requirements
    - Identification of applicable legislation and contractual requirements
    - Intellectual property rights
    - Protection of records
    - Privacy and protection of personally identifiable information
    - Regulation of cryptographic controls
  o Information security reviews
    - Independent review of information security
    - Compliance with security policies and standards
    - Technical compliance review
