Summary

Completed

The objectives of this module were to:

  • learn about the threat landscape and the risks that come with insecure software
  • understand what the OWASP Top 10 is and why it matters
  • see how it can be used as a reference for writing more secure code.

We started by explaining the threat landscape and the complexity of modern application security. Going one by one through the recently updated OWASP Top 10 list introduced the methods and techniques malicious actors use to compromise an application. More importantly, we learned how we, the authors and maintainers of a codebase of any size, can improve its security posture.

Whether you're designing a brand-new greenfield application or contributing to a large-scale open-source project, the same security principles apply. Shift security left: conduct security requirement and design reviews, perform threat modeling, and use automation to scan for vulnerabilities as you write code (with static code analysis tools) and as part of the CI/CD process. Follow compartmentalization best practices and the zero-trust and least-privilege principles.

Developers shouldn't focus only on their own code. The single-codebase monolithic applications of the past are giving way to microservice architectures. Distributed applications are made up of many moving parts, all of which are integral to their operation.

Shift security left. Don't treat security as an afterthought. The sooner you start addressing security considerations, the easier and cheaper they are to implement. Remember the zero-trust principles and apply them in your applications and systems.

Security code reviews, automation of security checks with SAST, DAST and SCA, and threat modeling can identify most of the OWASP Top 10 items.

Be on the lookout for unverified user input.
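The following Python snippet is an added example, not code from this module, showing what "unverified user input" looks like in practice and how the same input is handled once it is checked. It builds a file path from a user-supplied report identifier: the unsafe builder concatenates the raw value into the path, while the hardened builder allowlist-validates the value first and then re-checks that the resolved path stays inside the permitted directory. The directory path and the identifier format are constructed assumptions for illustration only.

```python
import re
from pathlib import Path

# Constructed example: the only directory this application may read report files from.
# The path is an assumption for illustration, not a real deployment path.
REPORTS_DIR = Path("/srv/app/reports")

# Allowlist for the identifier a user is permitted to supply: short, alphanumeric,
# dash or underscore. Anything else (slashes, dots, NUL bytes, whitespace) is rejected.
_REPORT_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")


def validate_report_id(raw):
    """Return the identifier unchanged if it matches the allowlist, else raise ValueError."""
    if not isinstance(raw, str) or _REPORT_ID.fullmatch(raw) is None:
        raise ValueError("invalid report id")
    return raw


def is_inside(candidate, base):
    """True if the resolved path `candidate` sits under the resolved directory `base`."""
    base_parts = base.resolve().parts
    return candidate.resolve().parts[: len(base_parts)] == base_parts


def report_path_unsafe(raw):
    """The pattern to watch for: untrusted input concatenated straight into a path.
    '..' segments in `raw` let the result point outside REPORTS_DIR."""
    return Path(str(REPORTS_DIR) + "/" + raw + ".txt")


def report_path_safe(raw):
    """Hardened version: allowlist-validate the input, build the path from the
    validated value, then re-check that the result stays inside REPORTS_DIR."""
    report_id = validate_report_id(raw)
    candidate = (REPORTS_DIR / f"{report_id}.txt").resolve()
    if not is_inside(candidate, REPORTS_DIR):  # defence in depth behind the allowlist
        raise ValueError("resolved path escapes the reports directory")
    return candidate


def rejects(raw):
    """Helper for demonstrating the check: True if the safe builder refuses `raw`."""
    try:
        report_path_safe(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed id and three that should be refused.
    for sample in ["q3-2024_summary", "../../etc/passwd", "", "id with spaces"]:
        print(f"{sample!r:24} unsafe -> {report_path_unsafe(sample)}  "
              f"safe rejects? {rejects(sample)}")
```

The allowlist does the real work: it decides what an identifier is allowed to look like, so anything unexpected is refused before it reaches the filesystem. The containment check after `resolve()` is a second, independent control, which is the layered approach the module recommends rather than relying on a single validation step.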

Finally, security is a journey, not a destination. With the right mindset, you can improve the quality and security posture of an application before you've written a single line of code. Think about the design: Which files do you include in the project? Which libraries do you reference in your code? How do you handle security and authorization? Where do you store and build your code? How do you deploy the application?
