OWASP Developer Guide
Leverage Security Frameworks and Libraries Checklist
4.2.2 Checklist: Leverage Security Frameworks and Libraries
Secure coding libraries and software frameworks with embedded security help software developers guard against security-related design and implementation flaws.
Refer to proactive control C4: Address Security from the Start and its cheatsheets for more context from the OWASP Top 10 Proactive Controls project.
For technology specific checklists refer to the appropriate OWASP Cheat Sheets:
- AJAX_Security
- C-Based toolchain hardening
- Django security
- Django REST framework
- Docker security
- DotNet security
- GraphQL security
- Infrastructure as Code
- Java security
- Javascript management
- Kubernetes
- Laravel security
- Microservices security
- NPM security best practices
- Node.js security
- Node.js security for Docker
- PHP configuration
- REST APIs and how to assess them
- Ruby on Rails security
- Symfony framework
- Web Services
- XML security
and use them as the starting point for a checklist that is tailored for the technology used by the project.
In addition consider the following extra checks for frameworks and libraries.
1. Security Frameworks and Libraries
- Ensure servers, frameworks and system components are running the latest approved versions and patches
- Use libraries and frameworks from trusted sources that are actively maintained and widely used
- Review all secondary applications and third party libraries to determine business necessity
- Validate safe functionality for all secondary applications and third party libraries
- Create and maintain an inventory catalog of all third party libraries using Software Composition Analysis (SCA)
- Proactively keep all third party libraries and components up to date
- Reduce the attack surface by encapsulating the library and expose only the required behaviour into your software
- Use tested and approved managed code rather than creating new unmanaged code for common tasks
- Utilize task specific built-in APIs to conduct operating system tasks
- Do not allow the application to issue commands directly to the Operating System
- Use checksums or hashes to verify the integrity of interpreted code, libraries, executables, and configuration files
- Restrict users from generating new code or altering existing code
- Implement safe updates using encrypted channels
References
- OWASP Dependency Check
- OWASP Top 10 Proactive Controls
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
\newpage