OWASP Developer Guide

4.2.2 Checklist: Leverage Security Frameworks and Libraries

Secure coding libraries and software frameworks with embedded security help software developers guard against security-related design and implementation flaws.

Refer to proactive control C4: Address Security from the Start and its cheatsheets for more context from the OWASP Top 10 Proactive Controls project.

For technology specific checklists refer to the appropriate OWASP Cheat Sheets:

and use them as the starting point for a checklist that is tailored for the technology used by the project.

In addition, consider the following extra checks for frameworks and libraries.

1. Security Frameworks and Libraries

  1. Ensure servers, frameworks and system components are running the latest approved versions and patches
  2. Use libraries and frameworks from trusted sources that are actively maintained and widely used
  3. Review all secondary applications and third party libraries to determine business necessity
  4. Validate safe functionality for all secondary applications and third party libraries
  5. Create and maintain an inventory catalog of all third party libraries using Software Composition Analysis (SCA)
  6. Proactively keep all third party libraries and components up to date
  7. Reduce the attack surface by encapsulating the library and exposing only the required behavior to your software
  8. Use tested and approved managed code rather than creating new unmanaged code for common tasks
  9. Utilize task-specific built-in APIs to conduct operating system tasks
  10. Do not allow the application to issue commands directly to the Operating System
  11. Use checksums or hashes to verify the integrity of interpreted code, libraries, executables, and configuration files
  12. Restrict users from generating new code or altering existing code
  13. Implement safe updates using encrypted channels
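Checks 9 to 11 above come together in a single pattern: compute digests with a language's built-in hashing API instead of invoking an OS command, and compare every deployed library and configuration file against a manifest of hashes pinned in a trusted build stage. The following Python is an added example written for this page, not code from the OWASP Developer Guide; the manifest format, file names and file contents are constructed for the demonstration, and a real manifest would come from a signed release or a lock file with hashes.

```python
"""Added example: hash-based integrity check of libraries and config files
against a pinned manifest, using only built-in APIs (no OS commands)."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream a file through hashlib (check 9/10: a built-in API, not a shell
    call to an external digest tool with a user-controlled path)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Produce {relative_path: sha256} for every file under root.
    This runs in the trusted build stage; the output is the pinned manifest."""
    return {
        p.relative_to(root).as_posix(): sha256_of_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Check 11: compare what is on disk with the pinned manifest.
    Returns {relative_path: status}; status is one of
    'ok', 'mismatch' (content changed), 'missing' (pinned file absent),
    or 'unexpected' (file present on disk but never pinned)."""
    results: dict[str, str] = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            results[rel] = "missing"
            continue
        actual = sha256_of_file(p)
        # compare_digest gives a constant-time comparison of the hex digests
        results[rel] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                results[rel] = "unexpected"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: pin two files, then simulate the drift a deploy
    should catch (a changed config, a dropped-in extra file, a removed file)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "lib" / "helper.py").write_bytes(b"def add(a, b):\n    return a + b\n")
        (root / "app.cfg").write_bytes(b"debug = false\n")
        manifest = build_manifest(root)
        # Pretend a pinned file existed at build time but is gone now
        manifest["lib/removed.py"] = "0" * 64  # constructed placeholder digest
        # Tampering / drift after the manifest was pinned
        (root / "app.cfg").write_bytes(b"debug = true\n")
        (root / "lib" / "extra.py").write_bytes(b"print('not in manifest')\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10} {rel}")
```

Any status other than `ok` should fail the deployment or update step; the `unexpected` case matters because an attacker who can drop a file into a library directory does not need to modify a pinned one, so checking only the manifest entries leaves that gap open. Pairing this check with the encrypted update channel of check 13 protects the manifest itself in transit.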

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.