The OWASP Top 10 Proactive Controls are security practices to apply during the development of web applications.
Ensure security is embedded in application design from the beginning to prevent vulnerabilities and reduce future remediation costs. For example, follow secure design principles such as:
- keep architectures simple (KISS) so that security is easier to implement and audit;
- enforce secure defaults, so that applications are protected out of the box without requiring user intervention;
- avoid security by obscurity, relying on transparent mechanisms rather than hidden ones for protection;
- minimize the attack surface by reducing exposed components and eliminating unnecessary functionality;
- apply defense in depth, layering security controls to contain potential breaches and limit their impact;
- continuously assess and refine the security architecture to proactively address emerging threats.
1. Design for Clarity and Transparency: ensure clear security policies and explicitly define system behavior to avoid ambiguity.
2. Make it Easy to Do the Right Thing: set secure defaults so users and developers follow best practices effortlessly.
3. Define and Enforce Trust Relationships: clearly specify who and what is trusted and enforce strict access controls.
4. Minimize the Attack Surface: reduce exposed components, unnecessary services, and open endpoints.
5. Use Well-Known Architecture Patterns: follow proven security frameworks (e.g., Zero Trust, Defense-in-Depth) for consistent protection.

By prioritizing clarity, secure defaults, and attack surface reduction, organizations strengthen security while simplifying compliance and enforcement.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-12-04-01-01 | Design for clarity and transparency | Ensure security policies are clear and system behavior is explicitly defined to avoid ambiguity. This helps developers and users understand the security measures in place. | Development | Software Architects, Security Teams |
SSS-02-12-04-01-02 | Make it easy to do the right thing | Set secure defaults to ensure users and developers follow best practices effortlessly. Any action that could compromise security should require an explicit, conscious choice. | Development | Software Architects, Product Managers |
SSS-02-12-04-01-03 | Define and enforce trust relationships | Clearly specify who and what is trusted in the system and enforce strict access controls to minimize the risk of unauthorized access. | Development | Security Engineers, DevOps Teams |
SSS-02-12-04-01-04 | Minimize the attack surface | Reduce the exposed components, unnecessary services, and open endpoints that attackers can target, thus minimizing the areas where vulnerabilities can be exploited. | Development | Security Engineers, IT Operations |
SSS-02-12-04-01-05 | Use well-known architecture patterns | Follow proven security frameworks such as Zero Trust and Defense-in-Depth to ensure that multiple layers of protection are in place and reduce the risk of a single point of failure. | Development | Software Architects, Security Teams |
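As an added illustration, not part of the OWASP Proactive Controls or of this catalogue, the following Python sketch applies operations 01 to 04 above to an outbound HTTP call policy: secure defaults, an explicit and justified opt-out, an allowlist as the trust relationship, and HTTPS-only with no redirects to limit the attack surface. The names OutboundPolicy, plan_request and PolicyViolation are assumed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


class PolicyViolation(Exception):
    """Raised when a request would cross a trust boundary the policy does not allow."""


@dataclass(frozen=True)
class OutboundPolicy:
    # Secure defaults: TLS verification on, short timeout, no redirects followed.
    verify_tls: bool = True
    timeout_seconds: float = 5.0
    follow_redirects: bool = False
    # Trust relationship: only hosts named here may be called. Empty means deny-all.
    trusted_hosts: frozenset = field(default_factory=frozenset)
    # Weakening TLS requires a conscious, recorded choice, not a flag alone.
    insecure_tls_justification: str = ""

    def validate(self) -> "OutboundPolicy":
        """Reject configurations that weaken security without an explicit reason."""
        if not self.verify_tls and not self.insecure_tls_justification.strip():
            raise PolicyViolation("verify_tls=False requires insecure_tls_justification")
        if self.timeout_seconds <= 0:
            raise PolicyViolation("timeout_seconds must be positive")
        return self


def plan_request(policy: OutboundPolicy, url: str) -> dict:
    """Return the request parameters the policy permits for this URL, or raise.

    Every decision is visible in the returned dict, so callers can see exactly
    which settings will be used (clarity and transparency).
    """
    policy.validate()
    parsed = urlparse(url)
    # Attack surface: plain HTTP is not an option at all.
    if parsed.scheme != "https":
        raise PolicyViolation(f"scheme {parsed.scheme!r} not allowed; https only")
    # Trust relationship: the host must be on the allowlist.
    if parsed.hostname not in policy.trusted_hosts:
        raise PolicyViolation(f"host {parsed.hostname!r} is not a trusted host")
    return {
        "url": url,
        "verify": policy.verify_tls,
        "timeout": policy.timeout_seconds,
        "allow_redirects": policy.follow_redirects,
    }
```

The constructed host api.example.com stands in for a real service; a caller who needs unverified TLS must both set the flag and write down why, which is the "explicit, conscious choice" the second operation asks for.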
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1849) | OWASP Proactive Controls | OWASP Proactive Controls |