The OWASP Application Security Verification Standard (ASVS) defines the security requirements that web applications are built and verified against; its chapter V14 covers configuration.
Maintain secure configurations to minimize the risk arising from misconfiguration and outdated software: enforce secure default settings, remove unnecessary features from production environments, and apply patches and updates promptly. Restrict administrative configuration to authorized roles and keep sensitive settings (credentials, keys, internal hostnames) out of responses, logs and client-side code. Audit system configurations continuously, monitor for newly disclosed vulnerabilities, and enforce an agreed hardening baseline so the environment stays secure and resilient.
V14.1 Build: Ensure the build process incorporates security checks, such as static analysis and code scanning, to identify vulnerabilities early in the development cycle. Use CI/CD pipelines that integrate automated security testing and enforce secure coding practices, and make the build reproducible so that what is deployed is what was tested.

V14.2 Dependency: Regularly update and patch dependencies, ensuring that all third-party libraries and components are pinned, trusted and up to date. Use dependency management tools such as OWASP Dependency-Check and other SCA tools to detect known vulnerabilities in dependencies, and fail the build when a pinned version falls inside a known-vulnerable range.

V14.3 Unintended Security Disclosure Requirements: Minimize security disclosures by ensuring that sensitive information such as debugging output, stack traces and version banners is never exposed in production environments. Implement proper error handling that returns a generic message to the client and logs the detailed error only on the server side, ideally with a correlation id so that support staff can find the full record.

V14.4 HTTP Security Headers Requirements: Enforce critical HTTP security headers such as Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options and X-Frame-Options to protect against a variety of attacks (e.g., XSS, clickjacking, MIME sniffing). Set the Secure and HttpOnly flags on cookies to prevent JavaScript access and ensure transmission only over TLS, and add a SameSite attribute to limit cross-site sending.

V14.5 Validate HTTP Request Header Requirements: Validate incoming HTTP request headers so that they conform to expected formats and do not carry malicious or unexpected content. In ASVS terms this means accepting only the HTTP methods the application actually uses, never treating the Origin header as an authentication or access-control signal, building the CORS Access-Control-Allow-Origin value from a strict allow-list rather than echoing the request, and authenticating any headers added by an upstream proxy or SSO device. Reject header values containing CRLF sequences to prevent header injection, and apply rate limiting to mitigate abuse.

By adhering to secure build practices, managing dependencies, and implementing essential HTTP headers, organizations can strengthen their web application security posture and reduce vulnerability to attacks.
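The following is an added example, not code from ASVS or from this page's source, showing how V14.3, V14.4 and V14.5 look in one small WSGI application: a baseline set of response headers and cookie flags, a CORS allow-list that never echoes an arbitrary Origin, a method allow-list, and an error handler that returns an opaque message with a correlation id while the traceback goes only to the server log. The header values, the `https://app.example.test` origin, the `/boom` route and the `missing_headers` audit helper are assumptions chosen for illustration; the exact CSP and HSTS values must be tuned to the application.

```python
"""Configuration hardening helpers for a WSGI app (ASVS V14.3/V14.4/V14.5).

Added example; header values, allow-lists and routes are assumptions
chosen for illustration, not values mandated by ASVS.
"""
import logging
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app")

# V14.4: baseline response headers (example values, tune per application).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# V14.5: exact-match allow-lists; no regexes, no wildcard origins.
ALLOWED_METHODS = {"GET", "POST"}
CORS_ALLOWLIST = {"https://app.example.test"}  # constructed origin for the example


def session_cookie(value):
    """Session cookie with Secure, HttpOnly and SameSite set (V14.4)."""
    return f"session={value}; Secure; HttpOnly; SameSite=Strict; Path=/"


def cors_headers(origin):
    """Return CORS headers only for an exact allow-list hit (ASVS 14.5.3).
    The Origin value is never used as an authentication signal (14.5.2)."""
    if origin in CORS_ALLOWLIST:
        return [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
    return []


def generic_error():
    """Client sees an opaque message plus a correlation id; the traceback is
    written only to the server log (V14.3). Must be called from an except block."""
    ref = uuid.uuid4().hex[:12]
    log.exception("request failed ref=%s", ref)
    return "500 Internal Server Error", f"Internal error (ref {ref})\n"


def handle(environ):
    """Toy router; raising from /boom simulates an unhandled bug that
    carries a secret in its message, which must never reach the client."""
    if environ.get("PATH_INFO", "/") == "/boom":
        raise RuntimeError("db password = hunter2")
    return "200 OK", "hello\n"


def app(environ, start_response):
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method not in ALLOWED_METHODS:  # ASVS 14.5.1: only methods in use
        status, body = "405 Method Not Allowed", "method not allowed\n"
    else:
        try:
            status, body = handle(environ)
        except Exception:
            status, body = generic_error()
    headers = list(SECURITY_HEADERS.items())
    headers += cors_headers(environ.get("HTTP_ORIGIN", ""))
    headers += [("Content-Type", "text/plain; charset=utf-8"),
                ("Set-Cookie", session_cookie("opaque-token"))]
    start_response(status, headers)
    return [body.encode()]


def call(method="GET", path="/", origin=None):
    """Drive the app in-process and return (status, headers_dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": method, "PATH_INFO": path})
    if origin:
        environ["HTTP_ORIGIN"] = origin
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


def missing_headers(headers):
    """Audit check (V14.4): which baseline headers a response lacks."""
    return sorted(set(SECURITY_HEADERS) - set(headers))


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(call("GET", "/boom", origin="https://evil.example.test"))
```

Running the module hits `/boom` with a disallowed Origin: the client gets a 500 with only a reference id, no `Access-Control-Allow-Origin` is emitted, and the full traceback (including the secret in the exception message) appears only on the server's stderr log. The `missing_headers` helper is the kind of check to run from a post-deployment test against every response type, including error pages, since frameworks often drop custom headers on their own error paths.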
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-11-14-01-01 | Implement secure default configurations | Ensure that all systems and applications are configured with secure default settings to prevent misconfigurations that could lead to vulnerabilities. Disable unnecessary features and services by default. | Preparation | Security Teams, IT Operations |
SSS-02-11-14-01-02 | Enforce software updates and patch management | Implement policies and mechanisms to ensure timely software updates and patch management, reducing the risk of vulnerabilities due to outdated software components. | Deployment | IT Operations, Security Teams |
SSS-02-11-14-01-03 | Remove unnecessary features in production | Ensure that unnecessary features, such as debug modes or verbose error messages, are removed or disabled in production environments to prevent potential attack vectors. | Deployment | Development Teams, IT Operations |
SSS-02-11-14-01-04 | Configure proper security headers | Implement the necessary security headers, such as Content Security Policy (CSP), Strict-Transport-Security, X-Content-Type-Options and X-Frame-Options, to prevent attacks like clickjacking, XSS and content injection. X-XSS-Protection is a legacy header that current browsers ignore and that ASVS 4.0 no longer requires; rely on CSP instead. | Development | Security Engineers, Web Developers |
SSS-02-11-14-01-05 | Ensure secure dependency management | Implement secure dependency management practices, including regular checks for outdated libraries and known vulnerabilities, and enforce the use of trusted and up-to-date dependencies. | Development | Security Teams, DevOps Teams |
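As an added example for V14.2 and operation SSS-02-11-14-01-05 (not code from ASVS, OWASP Dependency-Check or this page's source), the block below is a minimal CI gate: it parses a pinned requirements file, compares each pin against a list of vulnerable version ranges, and fails the build on a hit or on any unpinned dependency. The lockfile text and the advisories (ids `EX-0001`, `EX-0002`) are constructed for illustration and are not real advisories; a real pipeline would take the range data from an advisory feed or an SCA tool's report and would use a full PEP 440 version comparison rather than the simplified dotted-integer one here.

```python
"""CI dependency gate (ASVS V14.2): fail the build when a pinned dependency
falls inside a known-vulnerable version range.

Added example; LOCKFILE and ADVISORIES are constructed for illustration.
"""
import re

# Constructed requirements.txt content (fully pinned, as a lockfile should be).
LOCKFILE = """\
# generated by the build
requests==2.19.0
flask==2.3.2
pyyaml==5.3.1   ; python_version >= "3.8"
"""

# Constructed advisories: (package, introduced, fixed, advisory id).
# fixed=None would mean no fixed version exists yet.
ADVISORIES = [
    ("requests", "2.0.0", "2.20.0", "EX-0001"),
    ("pyyaml", "0", "5.4", "EX-0002"),
]


def parse_version(v):
    """Split '1.2.3' into a comparable tuple; non-numeric parts sort lowest.
    (Simplified; a real gate should use a PEP 440 aware comparison.)"""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))


def parse_lockfile(text):
    """Return {name: version} for every 'name==version' line.
    Anything not pinned with '==' is rejected: an unpinned dependency
    cannot be audited against a fixed version."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments/markers
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open, as OSV ranges are)."""
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))


def vulnerable_pins(pins, advisories=ADVISORIES):
    """List (package, version, advisory id) for every pin in a vulnerable range."""
    hits = []
    for pkg, introduced, fixed, adv in advisories:
        ver = pins.get(pkg.lower())
        if ver is not None and affected(ver, introduced, fixed):
            hits.append((pkg, ver, adv))
    return hits


def gate(text, advisories=ADVISORIES):
    """Return (ok, findings). Both vulnerable pins and unpinned entries fail."""
    try:
        pins = parse_lockfile(text)
    except ValueError as e:
        return False, [str(e)]
    hits = vulnerable_pins(pins, advisories)
    return not hits, [f"{p}=={v} affected by {a}" for p, v, a in hits]


if __name__ == "__main__":
    import sys
    ok, findings = gate(LOCKFILE)
    for f in findings:
        print("FAIL:", f)
    sys.exit(0 if ok else 1)
```

Wired into CI, the non-zero exit status blocks the merge or the deployment; the same structure works for `package-lock.json` or `go.sum` once the parser is swapped. Treating an unpinned line as a failure is deliberate: floating ranges defeat both reproducible builds (V14.1) and any audit that depends on knowing which version will actually be installed.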
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0971); OWASP Application Security Verification Standard | | |