WK 2 OWASP Security Principles Flashcards
OWASP
Open Worldwide Application Security Project
OWASP security principles
Minimize attack surface area
The attack surface is the set of all entry points and exposed functionality that a threat actor could use to reach or exploit a system; every feature, service, open port and inbox adds to it
For example, accepting email from the internet exposes users to phishing emails; unused features and services should be removed or restricted so that there is less to attack
OWASP security principles
Principle of least privilege
Users are granted only the minimum access required to perform their everyday tasks
This limits the damage to an organisation if a user's account or credentials are compromised by a threat actor
OWASP security principles
Defense in depth
Organizations should layer multiple security controls so that a risk or threat is still mitigated when any single control fails
For example, multi-factor authentication, firewalls, etc.
OWASP security principles
Separation of duties
Critical actions should require multiple people, each of whom follows the principle of least privilege
No single individual should hold superuser powers; for example, the person who requests a payment should not be the one who approves it
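As an added example (not part of these flashcards, and not OWASP code), the following shows separation of duties enforced in code as dual control: a payment needs a requester and a distinct approver, and each role is held by users with only the permission that role needs. The users, roles, and the `Payment` structure are hypothetical.

```python
# Added example: dual-control approval (separation of duties) with narrow roles.
# Users, roles and the Payment record are hypothetical, constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Set


class PolicyViolation(Exception):
    """Raised when an action would break separation of duties or least privilege."""


# Hypothetical role assignments. Nobody is a superuser; carol holds both roles,
# which is allowed, but she still cannot approve her own request.
ROLES: Dict[str, Set[str]] = {
    "alice": {"request_payment"},
    "bob": {"approve_payment"},
    "carol": {"request_payment", "approve_payment"},
}


@dataclass
class Payment:
    payment_id: str
    amount: int
    requested_by: str
    approved_by: Optional[str] = None


def has_role(user: str, role: str) -> bool:
    # Least privilege: an unknown user has no roles at all (default deny).
    return role in ROLES.get(user, set())


def request_payment(user: str, payment_id: str, amount: int) -> Payment:
    if not has_role(user, "request_payment"):
        raise PolicyViolation(f"{user} may not request payments")
    return Payment(payment_id, amount, requested_by=user)


def approve_payment(payment: Payment, approver: str) -> Payment:
    if not has_role(approver, "approve_payment"):
        raise PolicyViolation(f"{approver} may not approve payments")
    # The separation-of-duties check: the approver must be a second person.
    if approver == payment.requested_by:
        raise PolicyViolation("a requester cannot approve their own payment")
    payment.approved_by = approver
    return payment


def execute_payment(payment: Payment) -> str:
    # Re-check at the point of action so the rule cannot be bypassed by
    # constructing a Payment directly.
    if payment.approved_by is None or payment.approved_by == payment.requested_by:
        raise PolicyViolation("payment requires approval by a second person")
    return f"paid {payment.amount} for {payment.payment_id}"


if __name__ == "__main__":
    p = request_payment("alice", "P-1", 500)
    approve_payment(p, "bob")
    print(execute_payment(p))
```

The check is repeated in `execute_payment` so that the rule holds at the point where the money moves, not only in the approval step.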
OWASP security principles
Keep security simple
When implementing security controls, avoid unnecessarily complicated solutions: complex controls become unmanageable, are harder to verify, and make it harder for people to work collaboratively.
OWASP security principles
Fix security issues correctly
When a security issue is found, identify the root cause rather than patching the symptom, contain the impact, check whether the same weakness exists elsewhere, and test to confirm that the remediation actually works
Additional OWASP security principles
Establish secure defaults
This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.
Additional OWASP security principles
Fail securely
Fail securely means that when a control fails or stops, it should default to its most secure state (fail closed). For example, when a firewall fails it should close all connections and block new ones, rather than start accepting everything (fail open).
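As an added example (not part of these flashcards, and not OWASP code), here is the same authorization check written fail-open and fail-closed. When the policy backend is unavailable, the fail-open version grants access because its final statement is `return True`; the fail-closed version starts from deny and only grants on a successful lookup. The policy store, users, and the simulated outage are hypothetical.

```python
# Added example: a fail-open authorization check beside its fail-closed form.
# The policy store and the simulated backend outage are hypothetical.
from typing import Dict, Set


class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot be reached (simulated here)."""


# Hypothetical policy store: user -> permitted actions.
POLICY: Dict[str, Set[str]] = {"alice": {"read"}, "bob": {"read", "delete"}}


def lookup_permissions(user: str, backend_up: bool = True) -> Set[str]:
    """Fetch a user's permissions; raises when the backend is 'down'."""
    if not backend_up:
        raise PolicyUnavailable("policy service timed out")
    return POLICY.get(user, set())


def is_allowed_fail_open(user: str, action: str, backend_up: bool = True) -> bool:
    """Flawed: the only way to be denied is an explicit 'not in perms'.
    Any error path, including an outage, falls through to the final allow."""
    try:
        perms = lookup_permissions(user, backend_up)
        if action not in perms:
            return False
    except PolicyUnavailable:
        pass  # swallowed, so the function continues to the allow below
    return True


def is_allowed_fail_closed(user: str, action: str, backend_up: bool = True) -> bool:
    """Correct: default is deny; only a successful lookup that contains
    the action grants access, and an outage is treated as a denial."""
    try:
        perms = lookup_permissions(user, backend_up)
    except PolicyUnavailable:
        return False
    return action in perms


if __name__ == "__main__":
    # During an outage, an unknown user gets 'delete' from the fail-open check.
    print("fail-open  during outage:", is_allowed_fail_open("mallory", "delete", backend_up=False))
    print("fail-closed during outage:", is_allowed_fail_closed("mallory", "delete", backend_up=False))
```

The structural difference is where the default lives: a check that ends in `return True` turns every unhandled situation into access, while a check that ends in `return action in perms` turns them into a denial.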
Additional OWASP security principles
Don’t trust services
Many organizations work with third-party partners whose security policies differ from the organization's own. The organization should not implicitly trust that a partner's systems are secure or that the data they return is correct. For example, if a third-party vendor tracks reward points for airline customers, the airline should validate the balance it receives before showing it to customers.
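As an added example (not part of these flashcards, and not OWASP code), the following validates a reward-points balance returned by a third-party vendor before it is shown to a customer: the payload is parsed strictly, the customer identifier and the type and range of the balance are checked, and the result is reconciled against the airline's own ledger. The vendor payload format, field names, the internal ledger, and the business limit are all hypothetical.

```python
# Added example: do not trust a third-party service's data until it has been
# validated and reconciled. Payload format, ledger and limits are hypothetical.
import json
from typing import Any, Dict


class UntrustedResponse(ValueError):
    """Raised when a vendor response fails validation or reconciliation."""


# Hypothetical internal ledger: points the airline itself has issued/redeemed.
INTERNAL_LEDGER: Dict[str, int] = {"cust-001": 12_000, "cust-002": 0}

# Hypothetical business limit: no account can plausibly exceed this.
MAX_POINTS = 10_000_000


def parse_vendor_balance(raw: bytes, expected_customer: str) -> int:
    """Strictly parse the vendor payload and return the balance it claims."""
    try:
        doc: Any = json.loads(raw)
    except ValueError as exc:
        raise UntrustedResponse(f"malformed JSON: {exc}")
    if not isinstance(doc, dict):
        raise UntrustedResponse("top-level value is not an object")
    if doc.get("customer_id") != expected_customer:
        raise UntrustedResponse("response is for a different customer")
    balance = doc.get("balance")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(balance, bool) or not isinstance(balance, int):
        raise UntrustedResponse("balance is not an integer")
    if not 0 <= balance <= MAX_POINTS:
        raise UntrustedResponse("balance outside plausible range")
    return balance


def reconcile_balance(customer: str, vendor_balance: int, tolerance: int = 0) -> int:
    """Cross-check the vendor's figure against our own records."""
    ours = INTERNAL_LEDGER.get(customer)
    if ours is None:
        raise UntrustedResponse("unknown customer")
    if abs(ours - vendor_balance) > tolerance:
        raise UntrustedResponse(
            f"vendor balance {vendor_balance} disagrees with ledger {ours}")
    return vendor_balance


def customer_balance(customer: str, raw_vendor_response: bytes) -> int:
    """The value that is safe to show to the customer."""
    claimed = parse_vendor_balance(raw_vendor_response, customer)
    return reconcile_balance(customer, claimed)


# Constructed sample responses (not captured from any real vendor).
GOOD_RESPONSE = b'{"customer_id": "cust-001", "balance": 12000}'
BAD_TYPE_RESPONSE = b'{"customer_id": "cust-001", "balance": "12000"}'
NEGATIVE_RESPONSE = b'{"customer_id": "cust-001", "balance": -5}'
WRONG_CUSTOMER_RESPONSE = b'{"customer_id": "cust-002", "balance": 12000}'
DISAGREEING_RESPONSE = b'{"customer_id": "cust-001", "balance": 999999}'


if __name__ == "__main__":
    print(customer_balance("cust-001", GOOD_RESPONSE))
```

Rejected responses are surfaced as an error rather than silently replaced with the ledger value, so a disagreement between the two systems is investigated instead of hidden.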
Additional OWASP security principles
Avoid security by obscurity
The security of key systems should not rely on keeping details hidden. Consider the following example from OWASP (2016):
The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.