The OWASP Top 10 Proactive Controls are a set of security techniques to be applied when developing web applications. The control addressed here is secure-by-default configuration.
Ensure applications and systems are configured securely by default, so that the risk of exploitation is minimized without requiring manual adjustments. In practice this means:

- Enforce **hardened default settings**, such as strong authentication, encrypted communications, and least-privilege access, reducing the likelihood of misconfigurations.
- Design software to **require explicit actions** to weaken security rather than relying on users to enable protections manually.
- Reduce developer and administrator burden by **providing pre-configured security measures**, so that products remain protected over time.
- Continuously review and update default security settings to adapt to evolving threats and maintain resilience against attacks.
1. Enforce Secure Default Configurations
   - Apply least-privilege principles in infrastructure-as-code (IaC) configurations.
   - Disable unused accounts, software, and demo features to reduce the attack surface.
2. Automate Configuration Audits
   - Use configuration scanning tools to detect security misconfigurations.
   - Implement CI/CD security checks that enforce secure settings before deployment.

By ensuring secure defaults and automating their verification, organizations reduce misconfiguration risk and strengthen system security.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-12-05-01-01 | Ensure secure defaults in configuration | Ensure that software starts in a secure state by default, with configurations that follow the principle of least privilege. Disable unnecessary accounts, services, and features that are not required. | Development | Security Engineers, DevOps Teams |
SSS-02-12-05-01-02 | Continuous configuration verification | Continuously verify that configurations remain secure by default throughout the development lifecycle. Automate security checks to prevent misconfigurations. | Development | Security Engineers, QA Teams |
SSS-02-12-05-01-03 | Disable unnecessary features and services | Disable unused capabilities, such as demo accounts, software, and non-essential features, to minimize the attack surface. | Development | Software Developers, IT Operations |
SSS-02-12-05-01-04 | Adopt the principle of least privilege | Ensure that each component and user has the minimum level of access necessary to perform its functions, reducing potential risks from excess permissions. | Development | Security Engineers, System Administrators |
SSS-02-12-05-01-05 | Review and update default security settings regularly | Periodically review and update default security settings to align with emerging threats and security best practices. Keep security configurations up to date. | Post-deployment | Security Teams, Compliance Officers |
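The following Python is an added illustration of the two procedures above (secure defaults that can only be weakened by explicit action, and an automated configuration audit suitable as a CI/CD gate); it is not code from the OWASP Proactive Controls or from any project. The configuration keys, rule thresholds, the `explicit_insecure_overrides` mechanism and the sample deployment file are all hypothetical, constructed for this example.

```python
"""Secure-by-default baseline plus a CI audit for a hypothetical web service.

Two ideas from the control are shown:
  1. Deployments are layered ON TOP of a secure baseline, so a key that is
     omitted (or mistyped) falls back to the safe value, and weakening a
     protected setting requires naming it explicitly.
  2. The same rule set doubles as an audit that a CI job can run against
     the effective configuration and fail the pipeline on findings.
"""
import copy
import json
import sys
from typing import Any

# Hypothetical secure baseline (constructed for this example). Every value is
# the safe choice: TLS on, MFA on, demo/default accounts off, least-privilege
# database role rather than a superuser.
SECURE_DEFAULTS: dict[str, Any] = {
    "debug": False,
    "tls": {"enabled": True, "min_version": "1.2"},
    "auth": {"mfa_required": True, "session_timeout_minutes": 15},
    "accounts": {"demo_accounts_enabled": False, "default_admin_enabled": False},
    "features": {"sample_app": False, "remote_admin_console": False},
    "db": {"role": "app_readwrite"},
}

# Audit rules: (dotted path, predicate that must hold, finding text).
RULES = [
    ("debug", lambda v: v is False, "debug mode must be off"),
    ("tls.enabled", lambda v: v is True, "TLS must be enabled"),
    ("tls.min_version", lambda v: v in ("1.2", "1.3"), "TLS minimum version must be 1.2 or 1.3"),
    ("auth.mfa_required", lambda v: v is True, "MFA must be required"),
    ("auth.session_timeout_minutes",
     lambda v: isinstance(v, int) and not isinstance(v, bool) and 0 < v <= 30,
     "session timeout must be between 1 and 30 minutes"),
    ("accounts.demo_accounts_enabled", lambda v: v is False, "demo accounts must be disabled"),
    ("accounts.default_admin_enabled", lambda v: v is False, "default admin account must be disabled"),
    ("features.sample_app", lambda v: v is False, "sample application must be disabled"),
    ("features.remote_admin_console", lambda v: v is False, "remote admin console must be disabled"),
    ("db.role", lambda v: v not in ("root", "postgres", "sa", "superuser"),
     "database role must not be a superuser"),
]

# Constructed sample: a deployment file that silently reverted several defaults.
WEAK_DEPLOYMENT = {
    "debug": True,
    "tls": {"min_version": "1.0"},
    "accounts": {"demo_accounts_enabled": True},
    "db": {"role": "postgres"},
}


def get_path(cfg: dict, path: str) -> Any:
    """Return the value at a dotted path, or None if any segment is missing."""
    node: Any = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def deep_merge(base: dict, overrides: dict) -> dict:
    """Recursively layer overrides onto base without mutating either."""
    merged = copy.deepcopy(base)
    for key, value in overrides.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def audit(cfg: dict) -> list[str]:
    """Evaluate every rule against the effective config; one line per violation."""
    findings = []
    for path, ok, msg in RULES:
        value = get_path(cfg, path)
        if not ok(value):
            findings.append(f"{path}={value!r}: {msg}")
    return findings


def load_effective_config(overrides: dict) -> dict:
    """Merge a deployment file onto the secure baseline.

    A rule-covered setting may only be weakened if the file lists its dotted
    path under 'explicit_insecure_overrides'; otherwise startup is refused.
    """
    acknowledged = set(overrides.get("explicit_insecure_overrides", []))
    user_part = {k: v for k, v in overrides.items() if k != "explicit_insecure_overrides"}
    effective = deep_merge(SECURE_DEFAULTS, user_part)
    unacknowledged = [f for f in audit(effective) if f.split("=", 1)[0] not in acknowledged]
    if unacknowledged:
        raise ValueError("refusing to start with unacknowledged insecure settings:\n  "
                         + "\n  ".join(unacknowledged))
    return effective


if __name__ == "__main__":
    # CI usage: python secure_defaults_audit.py deployment.json  (exit 1 on findings)
    overrides = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK_DEPLOYMENT
    problems = audit(deep_merge(SECURE_DEFAULTS, overrides))
    for line in problems:
        print("FINDING:", line)
    sys.exit(1 if problems else 0)
```

Run as a pipeline step (for example `python secure_defaults_audit.py deployment.json`), a non-zero exit blocks the deployment, which is the "CI/CD security check before deployment" from the procedure above. Because overrides are merged onto the baseline rather than replacing it, forgetting a key can never make the service less secure, and the `explicit_insecure_overrides` list is the explicit action an operator must take to weaken a protected setting.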
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1849); OWASP Proactive Controls | | |