OWASP Developer Guide


5. Implementation

The Implementation business function is described by the OWASP Software Assurance Maturity Model (SAMM). Implementation is focused on the processes and activities related to how an organization builds and deploys software components and its related defects. Implementation activities have the most impact on the daily life of developers, and an important goal of Implementation is to ship reliably working software with minimum defects.

Implementation should include security practices such as :

  • Secure Build
  • Secure Deployment
  • Defect Management

Implementation is where the application / system begins to take shape; source code is written and tests are created. The implementation of the application follows a secure development lifecycle, with security built in from the start.

The implementation will use a secure method of source code control and storage to fulfil the design security requirements. The development team will be referring to documentation advising them of best practices, they will be using secure libraries wherever possible in addition to checking and tracking external dependencies.

Much of the skill of implementation comes from experience, and taking into account the Do’s and Don’ts of secure development is an important knowledge activity in itself.


5.1 Documentation
5.1.1 Top 10 Proactive Controls
5.1.2 Go Secure Coding Practices
5.1.3 Cheatsheet Series
5.2 Dependencies
5.2.1 Dependency-Check
5.2.2 Dependency-Track
5.2.3 CycloneDX
5.3 Secure Libraries
5.3.1 Enterprise Security API library
5.3.2 CSRFGuard library
5.3.3 OWASP Secure Headers Project
5.4 Implementation Do’s and Don’ts
5.4.1 Container security
5.4.2 Secure coding
5.4.3 Cryptographic practices
5.4.4 Application spoofing
5.4.5 Content Security Policy (CSP)
5.4.6 Exception and error handling
5.4.7 File management
5.4.8 Memory management

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.