5.1.1 Top 10 Proactive Controls
The OWASP Top 10 Proactive Controls describes the most important controls and control categories that security architects and development teams should consider in web application projects.
What are the Top 10 Proactive Controls?
The OWASP Top 10 Proactive Controls is a list of security techniques that should be considered for web applications. They are listed in order of importance, with control number 1 being the most important:
- C1: Implement Access Control, ref Cheat Sheets
- C2: Use Cryptography the proper way, ref Cheat Sheets
- C3: Validate all Input & Handle Exceptions, ref Cheat Sheets
- C4: Address Security from the Start, ref Cheat Sheets
- C5: Secure By Default Configurations, ref Cheat Sheets
- C6: Keep your Components Secure, ref Cheat Sheets
- C7: Implement Digital Identity, ref Cheat Sheets
- C8: Leverage Browser Security Features, ref Cheat Sheets
- C9: Implement Security Logging and Monitoring, ref Cheat Sheets
- C10: Stop Server Side Request Forgery, ref Cheat Sheets
Why use them?
The Proactive Controls are a well-established list of security controls, first published in 2014 and revised in 2018, so considering these controls can be seen as best practice. Following best practice is always encouraged: at the very least an organization should avoid the avoidable exploits.
Putting these proactive controls in place can help remediate common security vulnerabilities, for example:
- Clickjacking
- Credential Stuffing
- Cross-site leaks
- Denial of Service (DoS) attacks
- DOM based XSS attacks including DOM Clobbering
- IDOR (Insecure Direct Object Reference)
- Injection including OS Command injection and XXE
- LDAP specific injection attacks
- Prototype pollution
- SSRF attacks
- SQL injection and the use of Query Parameterization
- Unvalidated redirects and forwards
- XSS attacks and XSS Filter Evasion
How to apply them
The OWASP Spotlight series provides an overview of how to use this documentation project: ‘Project 8 - Proactive Controls’.
During development of a web application, consider using each security control described in the sections of the Proactive Controls that are relevant to the application.
The OWASP Cheat Sheets have been indexed specifically for each Proactive Control, and can be used as additional guidance on implementing that control.
References
- OWASP Proactive Controls project
- OWASP Cheat Sheet Proactive Controls index
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
\newpage