Security Fundamentals
2.1 Security fundamentals
The fundamental principles of application security rely on the security concepts referenced in this developer guide. This section aims to provide an introduction to fundamental principles that any development team must be familiar with.
Software Assurance Maturity Model
The Software Assurance Maturity Model (SAMM) provides context for the scope of software security and the foundations of good security practice:
The SAMM model describes these foundations of software security as Business Functions, which are further divided into Business Practices. The OWASP Software Assurance Maturity Model (SAMM) is used throughout this Developer Guide; most of the sections in the Developer Guide reference at least one of the Business Functions or Practices from SAMM.
CIA triad
Security is simply about controlling who can interact with your information, what they can do with it, and when they can interact with it. These characteristics of security can be described using the CIA triad.
CIA stands for Confidentiality, Integrity and Availability, and it is usually depicted as a triangle representing the strong bonds between its three tenets. This triad is considered the pillars of application security, often Confidentiality, Integrity or Availability are used as a properties of data or processes within a given system. The CIA triad can be extended with the AAA triad: Authorization, Authentication and Auditing.
Confidentiality
Confidentiality is the protection of data against unauthorized disclosure; it is about ensuring that only those with the correct authorization can access the data and applies to both data at rest and to data in transit. Confidentiality is also related to the broader concept of data privacy.
Integrity
Integrity is about protecting data against unauthorized modification, or assuring data trustworthiness. The concept contains the notion of data integrity (data has not been changed accidentally or deliberately) and the notion of source integrity (data came from or was changed by a legitimate source).
Availability
Availability is about ensuring the presence of information or resources. This concept relies not just on the availability of the data itself, for example by using replication of data, but also on the protection of the services that provide access to the data, for example by using load balancing.
AAA triad
The CIA triad is often extended with Authentication, Authorization and Auditing as these are closely linked to CIA concepts. CIA has a strong dependency on Authentication and Authorization; the confidentiality and integrity of sensitive data can not be assured without them. Auditing is added as it can provide the mechanism to ensure proof of any interaction with the system.
Authentication
Authentication is about confirming the identity of the entity that wants to interact with a secure system. For example the entity could be an automated client or a human actor; in either case authentication is required for a secure application.
Authorization
Authorization is about specifying access rights to secure resources (data, services, files, applications, etc). These rights describe the privileges or access levels related to the resources that are being secured. Authorization is usually preceded by successful authentication.
Auditing
Auditing is about keeping track of implementation-level events, as well as domain-level events taking place in a system. This helps to provide non-repudiation, which means that changes or actions on the protected system are undeniable. Auditing can provide not only technical information about the running system, but also proof that particular actions have been performed. The typical questions that are answered by auditing are “Who did What, When and potentially How?”
Vulnerabilities
NIST defines a vulnerability as ‘Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.’
There are many weaknesses or bugs in every large application, but the term vulnerability is generally reserved for those weaknesses or bugs where there is a risk that a threat actor could exploit it using a threat vector.
Well known security vulnerabilities are :
- Clickjacking
- Credential Stuffing
- Cross-site leaks
- Denial of Service (DoS) attacks
- DOM based XSS attacks including DOM Clobbering
- IDOR (Insecure Direct Object Reference)
- Injection including OS Command injection and XXE
- LDAP specific injection attacks
- Prototype pollution
- SSRF attacks
- SQL injection and the use of Query Parameterization
- Unvalidated redirects and forwards
- XSS attacks and XSS Filter Evasion
HTTP and HTML
Although not a security fundamental as such, web applications rely on HTTP communications and HTML. Both application developers and security engineers should have a good understanding of HTTP and the HTML language along with their various security controls.
Most application development teams will be familiar with HTTP communications and the HTML standard, but if necessary refer to the training from the W3 Consortium or the W3 Schools. The OWASP Cheat Sheet Series provide web application developers with the information needed to produce secure software :
- The HTML5 Security cheat sheet describes a wide range of controls, aligned with the current HTML Living Standard
- Refer to the Securing Cascading Style Sheets cheat sheet for CSS
- The HTTP headers need to be secure, see the HTTP Security Response Headers cheat sheet
- Strongly consider HTTP Strict Transport Security
- If the application has a file upload feature, follow the File Upload cheat sheet
- Ensure content security policy is in place with the Content Security Policy cheat sheet
- Using JWTs for a Java application? Refer to the JSON Web Token cheat sheet
- Storing or sending objects? Check out the Deserialization cheat sheet
References
- WHATWG HTML Living Standard
- OWASP Cheat Sheet Series
- OWASP Software Assurance Maturity Model (SAMM)
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.