Establish & Use Repeatable Security Processes and Standard Security Controls
Whether you are new to web application security or already very familiar with these risks, the task of producing a secure web application or fixing an existing one can be difficult. If you have to manage a large application portfolio, this task can be daunting.
To help organizations and developers reduce their application security risks in a cost-effective manner, OWASP has produced numerous free and open resources that you can use to address application security in your organization. The following are some of the many resources OWASP has produced to help organizations produce secure web applications and APIs. On the next page, we present additional OWASP resources that can assist organizations in verifying the security of their applications and APIs.
Application Security Requirements:
Application Security Architecture:
Rather than retrofitting security into your applications and APIs, it is far more cost effective to design the security in from the start. OWASP recommends the OWASP Prevention Cheat Sheets
as a good starting point for guidance on how to design security in from the beginning.
Security Standard Controls:
Building strong and usable security controls is difficult. Using a set of standard security controls radically simplifies the development of secure applications and APIs. The OWASP Prevention Cheat Sheets
is a good starting point for developers, and many modern frameworks now come with standard and effective security controls for authorization, validation, CSRF prevention, etc.
Secure Development Lifecycle:
To improve the process your organization follows when building applications and APIs, OWASP recommends the OWASP Software Assurance Maturity Model (SAMM)
. This model helps organizations formulate and implement a strategy for software security that is tailored to the specific risks facing their organization.
Application Security Education:
There are numerous additional OWASP resources available for your use. Please visit the OWASP Projects page
, which lists all the Flagship, Labs, and Incubator projects in the OWASP project inventory. Most OWASP resources are available on our website
, and many OWASP documents can be ordered in hardcopy or as eBooks