Developer Documentation
Conventions
Conventions
  • File and Folder Structure
  • Logging
  • Code Quality
  • Security
  • Code Style
  • Tools and Platforms
Powered by GitBook
On this page

Was this helpful?

Security

We will adhere to the OWASP top 10 when it comes to making sure our application is secure. This means we'll have to look at the top 10 things that make an application insecure, and do the opposite.

PreviousCode QualityNextCode Style

Last updated 1 year ago

Was this helpful?

Introduction

When it comes to security, we want to make sure that most of the things that we do inside of our Urapolku project is secure by design. This means we'll have to comply with industry standards for security. Which in the world of web applications, is the OWASP guidelines. Let's take a look at the top 10 security mistakes a application can have, and let's do the opposite of that!

  1. Broken Access Control :

    • Implement robust access control mechanisms and reuse them throughout the application.

    • Deny access by default, except for public resources.

    • Enforce record ownership and domain models for unique application business limit requirements.

    • Disable web server directory listing and ensure no sensitive metadata or backup files are present within web roots.

    • Log access control failures and alert admins for repeated failures.

    • Rate limit API and controller access to minimize automated attack tooling harm ​​.

  2. Cryptographic Failures :

    • Classify and identify sensitive data and encrypt it both at rest and in transit.

    • Use up-to-date and strong standard algorithms, protocols, and proper key management.

    • Use secure protocols like TLS with forward secrecy for data in transit and disable caching for responses that contain sensitive data.

    • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or PBKDF2 ​​.

  3. Injection :

    • Use safe APIs that avoid the use of the interpreter entirely, provide a parameterized interface, or migrate to Object Relational Mapping Tools (ORMs).

    • Implement positive server-side input validation, though this isn't a complete defense as many applications require special characters.

    • Escape special characters for any residual dynamic queries using the specific escape syntax for that interpreter​.

  4. Insecure Design :

    • Establish and use a secure development lifecycle with AppSec professionals to help evaluate and design security and privacy-related controls.

    • Use a library of secure design patterns or ready-to-use components.

    • Employ threat modeling for critical authentication, access control, business logic, and key flows.

    • Write unit and integration tests to validate that all critical flows are resistant to the threat model​.

  5. Security Misconfiguration :

    • Ensure your application, server, and database configurations are secure, and unnecessary features are disabled or removed.

    • Regularly update and patch all systems to fix known vulnerabilities.

    • Use automated tools to verify security settings and to detect misconfigurations, and other vulnerabilities.

  6. Vulnerable and Outdated Components :

    • Ensure to use up-to-date and trusted libraries and frameworks.

    • Regularly check for and apply updates or patches for the components you use.

    • Remove any unused dependencies, libraries, or features that are not needed.

    • Employ tools like OWASP Dependency-Check to identify and mitigate issues related to component usage.

  7. Identification and Authentication Failures :

    • Use multi-factor authentication to enhance security.

    • Implement strong password policies and ensure secure password storage.

    • Use OAuth with OpenID Connect or SAML for Single Sign-On (SSO) implementations.

    • Ensure secure session management, including regenerating session IDs after login.

  8. Software and Data Integrity Failures :

    • Employ checksums and digital signatures to verify the integrity of data.

    • Ensure that the software update process is secure and verifies the integrity of updates.

    • Implement input validation to prevent data integrity issues.

  9. Security Logging and Monitoring Failures :

    • Ensure that logging is configured to capture relevant security events.

    • Monitor logs and alerts in real-time to identify and respond to security incidents promptly.

    • Store logs securely to prevent tampering and ensure they are reviewed regularly.

  10. Server-Side Request Forgery :

    • Validate and sanitize all inputs to ensure they conform to expected formats.

    • Block or whitelist incoming requests to prevent malicious requests from reaching the server.

    • Employ monitoring and logging to detect and respond to SSRF attacks.

It is going to be tough to follow all of these, but we'll be using tools that will make our life easier to apply these standards in our project.

(A01:2021)
1
(A02:2021)
2
(A03:2021)
(A04:2021)
(A05:2021)
(A06:2021)
(A07:2021)
(A08:2021)
(A09:2021)
(A10:2021)