DEV Community

loading...
Cover image for OWASP - Who?

OWASP - Who?

dotnetcoreblog profile image Jamie Updated on ・4 min read

I recently wrote a short post about five recommended podcasts for all developers, regardless of their technology stack; you can read that at the following link:

In the comments for that post, my good friend Sung Kim had this to say:

Wow Jamie, thanks for the list and synopsis of each podcast 💃.

First of all, it's amazing that there is a podcast dedicated on Git.
And I totally wasn't aware of Shawn Wildermuth's podcast.

It's amazing how much time & effort you are putting in for your podcasts and helping others to become concerned with security with OWASP with your OwaspHeaders.Core library.

It seems like both you and Martin have a great interest in security.
He has a whole section of podcasts for InfoSec

I'd love to see if you can later post about what OWASP is and why we should be concerned about security more 😉

Based on that, I thought I'd throw together a post all about OWASP, what it is, and what their goal is.

OWASP

You've heard of NIST, right? How about the UK's National Cyber Security Centre? These are organisations whose goals are to outline best practises and advice for increasing the security of your applications.

However, most of the advice they give is usually vague enough to apply to most services, or about a specific service.

But what about all of us developers who want to increase the security of their apps? That's where OWASP comes in.

OWASP, or the Open Web Application Security Project, is a non-profit whose goal is best described in their own words:

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.

Source

But How Does That Help Me?

We all want to create the most secure apps possible, right? Of course we do, but hacking into your own applications (or those created by your organisation) can be a little of a grey area.

That's one of the reasons that OWASP was created: to collate all of the best security advice for all technology stacks.

I usually work in the .NET suite of technologies (as you can probably tell from some of my projects) and when it came time to submit one of my projects for a code review and pen test, I had no idea where to turn to (quickly) learn how to secure the app.

Luckily, OWASP have a series of cheat sheets to help developers get up to speed with securing their applications, regardless of their technology stack. Most of their advice is pretty self explanatory (avoid SQL injection attacks by either parameterising your SQL inputs, or by using an Object-Relation Manager like Entity Framework), but some things can't easily be implemented in code (such as IIS set up).

Implementing OWASPs Advice

Just like with Unit or Behavioural tests, it's much easier to design security into an app rather than implement it after the fact. That's not to say that it can't be done for a code base which already exists, but it will take a lot more effort and consideration to implement. This is because, by it's very nature, implementing security best practises will break your current code - especially if you've built your application in a rush and not thought about things correctly.

As such, it's much better to get a handle on their advice and implement it into the code base as early as possible. The same can be said about physical architecture - in that it is easier to make a building more secure before it has been built.

Exactly how you implement the OWASP advice is dependant on the frameworks, technologies, and languages that you use to build your application. I usually work with the .NETs (.NET Framework, .NET Core), so implementing the list of OWASP recommended HTTP headers looks a little like the following:

httpContext.Response.Headers.Add("X-XSS-Protection", "1; mode=block");
Enter fullscreen mode Exit fullscreen mode

In fact, the above block of code adds the X-XSS-Protection header with a value which tells the browser to stop rendering the page when it detects a possible Cross Site Scripting attack.

For HTTP headers, there are two ways to ensure that they are added to all responses generated by your site:

  • in code (like the above)
  • at the web server/reverse proxy level

I prefer to do it in code, that way your application is web server/reverse proxy agnostic. However, let's say that you wanted to implement the same header with nginx. It would look like this:

add_header X-XSS-Protection "1; mode=block";
Enter fullscreen mode Exit fullscreen mode

as a side note: if, like me, do a lot of development with ASP.NET Core, then you might want to check out my OwaspHeaders.Core project, or it's NuGet package

Conclusion

You should now have a better idea of who and what OWASP are, and how their work and advice can help to make your apps a little more secure.

It's out of the scope of this post to show you how to implement all of OWASPs advice and best practises, but hopefully you should now have enough information to get your past the "unknown unknowns" stage.

Let's make the Internet more secure place.

Discussion (11)

pic
Editor guide
Collapse
striderhnd profile image
Erick Gonzales

Thanks for this post Jamie,

I'm working in a project that we are using a lot of the OWASP guidelines, at first was a little confusing for me because I'm mainly a iOS developer, but the company required I need to join to the backend / security team, there is really a lot of stuff going on and very important ones, like the ones you discussed here.

Collapse
dotnetcoreblog profile image
Jamie Author

Always a pleasure to write something that folks find useful.

The crazy thing about the OWASP guidelines is that there are guidelines for all kinds of applications, not just web based ones.

Collapse
dance2die profile image
Sung M. Kim

Thank you again Jamie for following up with the comment 🤜

I believe that this post is a lot more relevant due to NewEgg breach that happened yesterday.

Collapse
dotnetcoreblog profile image
Jamie Author

You're very welcome. 🤜

Unfortunately, my recent posts seem to have been a little too late for NewEgg, but they are early enough for everyone else to implement the advice.

Collapse
simonhaisz profile image
simonhaisz

One of the ways to learn how to write secure software is to learn how to attack software. OWASP knows this, which is why they built Juice Shop. It's an intentionally in-secure web site for people to try to hack with a built in scoreboard to track your progress. Not only is it educational but it's really fun :)

There's even a guide doc you can read that will help teach you how to do different attacks and walkthroughs for challenges you cannot figure out on your own. I recently did some security training with Juice Shop being used as the first site to hack, and everyone who took part thought it was great.

github.com/bkimminich/juice-shop

Collapse
dotnetcoreblog profile image
Jamie Author

Yeah, juice-shop is a little like Tory Hunt's Hack Yourself First website.

Both are definitely worth trying out, for sure.

Collapse
shostarsson profile image
Rémi Lavedrine • Edited

I am always very happy to see someone explaining about what OWASP is, that it is useful, that you should and more than anything that we should all be concerned about security.
OWASP is one of the first project where I contributed as an open-sourcerer and I am still doing it. :-)

I hope that a looot of people are going to read that post.

Collapse
mrtnrdl profile image
Martin Riedel

Thanks for the description - let's hope (and work for) a better internet every day! Learn, Teach, Fix, Repeat.

Collapse
xlebenny profile image
Benny Leung

Here have some visual way to lean security

Collapse
dotnetcoreblog profile image
Jamie Author

Doh!

Thank you for pointing that out. I'll go fix it now.