OWASP Top Ten Proactive Controls 2024

Document Structure

This document is structured as a list of security controls. The list is ordered by importance with list item number 1 being the most important:

  • C1: Implement Access Control
  • C2: Use Cryptography the right way
  • C3: Validate, Escape, Sanitize or Parameterize Untrusted Data
  • C4: Use Secure Architecture Patterns
  • C5: Secure By Default Configurations
  • C6: Assess and Update your Components
  • C7: Implement Digital Identity
  • C8: Help the Browser defend its User
  • C9: Implement Security Logging and Monitoring
  • C10: Stop Server Side Request Forgery

Security Controls

The description of each control has the same structure. The control itself has a unique name preceded by the control number: Cx: Control Name, e.g., C1: Implement Access Control.

Each control has the same sections:

  • Description: A detailed description of the control including some best practices to consider.
  • Threat(s): A threat or threats that this control counters.
  • Implementation: Best practices and examples to illustrate how to implement each control.
  • Vulnerabilities Prevented: List of prevented vulnerabilities or risks addressed (OWASP Top 10 Risk, CWE, etc.)
  • References: List of references for further study (OWASP Cheat sheet, Security Hardening Guidelines, etc.)
  • Tools: Set of tools/projects to easily introduce/integrate security controls into your software.