Security training options for software developers are available.
The OWASP Top Ten and CWE/SANS Top 25 Most Dangerous Software Errors are great resources that explain the most common flaws to look out for and how to prevent them.
We have categorized these common issues below in a convenient form to use as a checklist during application security reviews and as a training reference. Included are links to the specific OWASP and CWE/SANS descriptions and examples that map to each category, as well as the relevant UC Standard(s).
Remember to consider the entire attack surface of the application (all entry points, including web form URLs, AJAX URLs, web services, data feeds, service bus messages, etc.) when reviewing the requirements below.
For each category below, the relevant UC Standard(s), the OWASP Top 10 & CWE/SANS Top 25 elements, and the coding examples & reference materials are listed.
1. Input Validation

Failure to properly validate input data from untrusted sources on the server side is the most common application security weakness, and it can lead to major vulnerabilities such as SQL injection, command injection, remote/local file inclusion, buffer overflow, unvalidated redirects, etc. Bad input can also lead to Denial of Service (DoS) attacks on the application. It is therefore important to always validate input data based on data type and range. Rather than using denylist techniques to filter out bad input, use allowlist techniques that accept only permitted characters or values as valid input. JavaScript/client-side validation alone is not adequate.

UC Standard(s): SSD 4.2, SSD 4.4, SSC 4.2.20

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A03:2021 – Injection
- OWASP A10:2013 – Unvalidated Redirects and Forwards
- OWASP A10:2021 – Server-Side Request Forgery (SSRF)
- OWASP A08:2017 – Insecure Deserialization
- CWE-20: Improper Input Validation
- CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-611: Improper Restriction of XML External Entity Reference
- CWE-601: URL Redirection to Untrusted Site
- CWE-807: Reliance on Untrusted Inputs
- CWE-502: Deserialization of Untrusted Data
- CWE-131: Incorrect Calculation of Buffer Size
- CWE-134: Uncontrolled Format String
- CWE-190: Integer Overflow or Wraparound
- CWE-676: Use of Potentially Dangerous Function

Coding Examples & Reference Materials:
- OWASP – Input Validation Cheat Sheet
- OWASP – Deserialization Cheat Sheet
- OWASP – Testing for Input Validation
- OWASP – Unvalidated Redirects and Forwards Cheat Sheet
- OWASP – Injection Prevention Cheat Sheet
- OWASP – SQL Injection Prevention Cheat Sheet
- OWASP – Query Parameterization Cheat Sheet
- OWASP – Testing for SQL Injection
- OWASP – OS Command Injection Defense Cheat Sheet
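An added example (not from the checklist or any UC code) of the allowlist approach described above: values are validated by type and range rather than by filtering out bad characters, and a redirect target is accepted only when it is a local path or an allowlisted host. The host list, field rules and ranges are constructed for a hypothetical application.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlists for a hypothetical application.
ALLOWED_REDIRECT_HOSTS = {"app.example.edu"}
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value) -> str:
    """Accept only the characters and length the application allows; reject everything else."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def validate_page_size(value, lo: int = 1, hi: int = 100) -> int:
    """Validate by type (integer) and range instead of filtering out 'bad' characters."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,3}", value):
        raise ValueError("page size must be a small positive integer")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError("page size out of range")
    return n


def safe_redirect_target(target, fallback: str = "/") -> str:
    """Return target only if it is a local path or points at an allowlisted host; else fallback."""
    if not isinstance(target, str) or not target:
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path: exactly one leading '/', no '//host' form and no backslashes.
        if target.startswith("/") and not target.startswith("//") and "\\" not in target:
            return target
        return fallback
    # Absolute URL: scheme and the parsed hostname (not a prefix of the string) must match.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return fallback
```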
2. Output Escaping/Encoding

Output escaping/encoding is how an application handles the data it outputs. Output often contains data supplied by users, databases, external systems, etc. Secure output handling is most often associated with preventing cross-site scripting; its security purpose is to convert untrusted input into a safe form so that it is displayed to the user as data without executing as code in the destination (i.e. browser, database, OS). Escape/encode all output data unless it is known to be safe for the intended destination. Consider also implementing Content Security Policy (CSP) where possible.

UC Standard(s): SSD 4.4

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A07:2017 – Cross-Site Scripting (XSS)
- CWE-116: Improper Encoding or Escaping of Output

Coding Examples & Reference Materials:
- OWASP – Cross Site Scripting Prevention Cheat Sheet
- OWASP – DOM based XSS Prevention Cheat Sheet
3. Authentication & Credential Management

Authentication is the process of verifying that an individual or entity is who they claim to be. Proper use of an external centralized authentication system will significantly reduce the likelihood of a problem in this area. Enforce multi-factor authentication where possible. Create a password policy that addresses the key concerns of authentication and password management, including password strength controls, password lifecycle, the password reset process, password storage, protecting credentials in transit, browser caching, the number of allowed login attempts, etc. For unauthenticated/anonymous form submissions, consider using CAPTCHA technology to prevent spam and automated attacks. When the application authenticates to external systems (such as databases, file servers or web services), the credentials (passwords or keys) should be encrypted at rest with proper access controls and never stored in source code.

UC Standard(s): SSD 4.8, SSD 4.10, SSC 4.2.8, SSC 4.2.11

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A07:2021 – Identification and Authentication Failures
- CWE-287: Improper Authentication
- CWE-306: Missing Authentication for Critical Function
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-522: Insufficiently Protected Credentials
- CWE-798: Use of Hard-Coded Credentials

Coding Examples & Reference Materials:
- OWASP – Authentication Cheat Sheet
- OWASP – Forgot Password Cheat Sheet
- OWASP – Choosing and Using Security Questions Cheat Sheet
- OWASP – Password Storage Cheat Sheet
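An added example (not from the checklist) of two of the password controls listed above: storage as a per-password salted scrypt hash with constant-time verification, and a limit on failed login attempts (CWE-307). The attempt limit, lockout window and scrypt parameters are constructed policy values; the clock is injectable so the lockout can be tested.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5             # constructed policy values for a hypothetical application
LOCKOUT_SECONDS = 15 * 60
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # stdlib scrypt; tune n to your hardware


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt-hex>$<digest-hex>'; the plaintext is never stored."""
    salt = secrets.token_bytes(16)                   # unique per password
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class LoginGuard:
    """Counts failed attempts per account and enforces a temporary lockout (CWE-307)."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock so the policy can be tested
        self._failures = {}              # username -> (failure count, time of last failure)

    def login(self, username: str, password: str, stored_hash: str) -> str:
        count, last = self._failures.get(username, (0, 0.0))
        if count >= MAX_ATTEMPTS:
            if self._now() - last < LOCKOUT_SECONDS:
                return "locked"          # the password is not even checked while locked
            count = 0                    # lockout window has passed
        if verify_password(password, stored_hash):
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] = (count + 1, self._now())
        return "denied"
```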
4. Session Management

Session management ensures that authenticated users have a robust and cryptographically secure association with their session.

UC Standard(s): SSD 4.9, SSC 4.2.14

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A07:2021 – Identification and Authentication Failures
- OWASP A08:2013 – Cross-Site Request Forgery (CSRF)
- CWE-613: Insufficient Session Expiration
- CWE-352: Cross-Site Request Forgery (CSRF)

Coding Examples & Reference Materials:
- OWASP – Session Management Cheat Sheet
- OWASP – Cross-Site Request Forgery Prevention Cheat Sheet
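An added example (not from the checklist) of a server-side session store that covers the elements listed above: session ids from the OS CSPRNG, idle and absolute expiry (CWE-613), id rotation after login, and a per-session CSRF token compared in constant time (CWE-352). Timeouts are constructed policy values and the clock is injectable for testing.

```python
import hmac
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 30 * 60           # constructed policy values for a hypothetical application
ABSOLUTE_TIMEOUT = 8 * 60 * 60


class SessionStore:
    """Server-side sessions keyed by an unguessable id, with expiry and a per-session CSRF token."""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock so expiry can be tested
        self._sessions = {}           # session id -> session data

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG, never derived from user data
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t,
                               "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session if still valid; expire it on idle or absolute timeout (CWE-613)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s["last_seen"] = t
        return s

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh id after login or privilege change so a pre-set id cannot be reused."""
        s = self.get(sid)
        if s is None:
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def check_csrf(self, sid: str, submitted: str) -> bool:
        """State-changing requests must carry the token tied to this session (CWE-352)."""
        s = self.get(sid)
        return s is not None and hmac.compare_digest(s["csrf"].encode(), (submitted or "").encode())

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```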
5. Authorization & Access Control

Once an identity (subject) is authenticated, authorization is the decision process that determines whether a request to act on (create, read, update, delete, etc.) a particular resource (object) should be granted or denied. Access control is the mechanism that enforces authorization decisions, the most popular model being role-based access control (RBAC). Prefer an external centralized authorization system where role membership is centrally managed and audited, and map those roles to specific permissions within the application. Implement a least-privilege policy between all subjects and objects. Ensure that the access control list covers all possible scenarios. Enforce timely authorization checks on every request (from both the server and the client side) and at each layer of abstraction to prevent “time of check”/“time of use” (TOC/TOU) attacks.

UC Standard(s): SSD 4.5

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A01:2021 – Broken Access Control
- OWASP A04:2021 – Insecure Design
- CWE-250: Execution with Unnecessary Privileges
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- CWE-862: Missing Authorization
- CWE-863: Incorrect Authorization
- CWE-276: Incorrect Default Permissions
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
- CWE-732: Incorrect Permission Assignment for Critical Resource

Coding Examples & Reference Materials:
- OWASP – Authorization Cheat Sheet
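An added example (not from the checklist) of the RBAC pattern described above: roles are mapped to application permissions, the decision is deny-by-default, and the check runs on every request against the object that is about to be used rather than an earlier copy. The roles, permissions and record type are constructed for a hypothetical application.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

# Constructed role -> permission map. Role membership itself would come from the
# central authorization system; only the mapping to application permissions lives here.
ROLE_PERMISSIONS = {
    "viewer": {"record:read"},
    "editor": {"record:read", "record:update"},
    "admin": {"record:read", "record:update", "record:delete"},
}


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Record:
    record_id: str
    owner_id: str


def is_allowed(subject: Subject, action: str, record: Record) -> bool:
    """Deny by default: an unknown role, action or object grants nothing."""
    granted = set()
    for role in subject.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if f"record:{action}" in granted:
        return True
    # Object-level rule: the owner may read and update their own record.
    return action in ("read", "update") and record.owner_id == subject.user_id


def handle_request(subject: Subject, action: str, record_id: str,
                   load: Callable[[str], Optional[Record]]) -> int:
    """Authorize on every request, against the object that is actually about to be used;
    checking an earlier copy and then acting on a fresh load leaves a TOC/TOU gap."""
    record = load(record_id)
    if record is None or not is_allowed(subject, action, record):
        return 404          # same status for missing and forbidden, so existence is not revealed
    # ... perform `action` on this same `record` object here ...
    return 200
```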
6. Cryptographic Practices

Proper encryption should be used when handling sensitive data at any tier of the application. Choose carefully whether “two-way” shared-key symmetric encryption, “two-way” public/private key asymmetric encryption, or “one-way” salted hashing is best for each case. Ensure the cryptographic modules used by the application are compliant with FIPS 140-2 or an equivalent standard, both from a vendor and an algorithm perspective. Use only approved cryptographic modules for secure random number generation.

UC Standard(s): SSC 4.2.23

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A02:2021 – Cryptographic Failures
- CWE-311: Missing Encryption of Sensitive Data

Coding Examples & Reference Materials:
- OWASP – Key Management Cheat Sheet
7. Error Handling, Auditing & Logging

The application should handle its own errors and not rely on the server. Do not display sensitive, debug or stack trace information to the user in the production environment. Ensure audit logging controls are in place to log both successful and failed security events, especially authentication/authorization attempts, access to sensitive data and other privileged actions, with useful audit information based on the “Who/What/When/Where” principle. Use a standard format for log event details to make parsing and analysis easier. Sensitive data itself should never be logged; use other unique and traceable identifiers instead.

UC Standard(s): SSD 4.3, SSD 4.6, SSC 4.2.21

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A09:2021 – Security Logging and Monitoring Failures
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-400: Uncontrolled Resource Consumption
- CWE-532: Insertion of Sensitive Information into Log File
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-209: Information Exposure Through an Error Message

Coding Examples & Reference Materials:
- OWASP – Error Handling Cheat Sheet
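An added example (not from the checklist) of the logging and error-handling points above: audit events in a fixed Who/What/When/Where JSON layout, refusal to log fields named like secrets (CWE-532), a keyed-hash reference id in place of a sensitive value, and an error response that gives the user only a correlation id (CWE-209). The forbidden field names and the logger name are constructed.

```python
import hashlib
import hmac
import json
import logging
import secrets
from datetime import datetime, timezone

# Constructed: keys an application must never write to a log.
FORBIDDEN_FIELDS = {"password", "token", "secret", "ssn", "card_number"}
audit_log = logging.getLogger("audit")


def reference_id(value: str, key: bytes) -> str:
    """Traceable stand-in for a sensitive value: a keyed hash, so the value itself is never logged."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def build_audit_event(who: str, what: str, outcome: str, where: str, extra=None,
                      now=lambda: datetime.now(timezone.utc)) -> dict:
    """Who/What/When/Where record in a fixed layout; refuses sensitive keys instead of logging them."""
    extra = dict(extra or {})
    leaked = FORBIDDEN_FIELDS & {k.lower() for k in extra}
    if leaked:
        raise ValueError(f"refusing to log sensitive field(s): {sorted(leaked)}")
    return {"when": now().isoformat(timespec="seconds"), "who": who, "what": what,
            "outcome": outcome, "where": where, **extra}


def audit(who: str, what: str, outcome: str, where: str, **extra) -> str:
    """Emit one JSON line per event so it can be parsed and correlated downstream."""
    line = json.dumps(build_audit_event(who, what, outcome, where, extra), sort_keys=True)
    audit_log.info(line)
    return line


def safe_error_response(exc: Exception) -> dict:
    """The user sees a generic message and a correlation id; the exception goes to the log only (CWE-209)."""
    correlation_id = secrets.token_hex(8)
    audit_log.error("error %s: %r", correlation_id, exc)
    return {"error": "An internal error occurred.", "id": correlation_id}
```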
8. Data Protection

Limit access to data based on the least privilege principle. Encrypt sensitive data and information such as stored passwords and connection strings, and properly protect decryption keys. Make sure all cached or temporary copies of sensitive data are protected from unauthorized access and purged as soon as they are no longer required. Do not allow sensitive production data in non-production environments. Do not include sensitive information in HTTP GET URLs. Consider using the following HTTP headers: Cache-Control: no-cache, no-store; Expires: 0; and Cache-Control: max-age=0.

UC Standard(s): SSC 4.2.10, SSC 4.2.24

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A02:2021 – Cryptographic Failures
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-311: Missing Encryption of Sensitive Data
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-759: Use of a One-Way Hash without a Salt

Coding Examples & Reference Materials:
- OWASP – Cryptographic Storage Cheat Sheet
9. Communication Security

When transmitting sensitive information, at any tier of the application or network architecture, encryption in transit should be used. TLS is by far the most common and widely supported model. Use a trusted certificate authority to issue certificates for your public/private key pairs whenever possible. If an in-house CA is used, make sure proper security controls are in place to protect the private keys from unauthorized access. Make sure that the server supports only approved strong cipher suites.

UC Standard(s): SSD 4.7, SSC 4.2.2, SSC 4.2.3, SSC 4.2.4, SSC 4.2.27

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A02:2021 – Cryptographic Failures
- CWE-295: Improper Certificate Validation
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-311: Missing Encryption of Sensitive Data
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Coding Examples & Reference Materials:
- OWASP – Transport Layer Protection Cheat Sheet
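An added example (not from the checklist) using Python's standard ssl module to build the two contexts the paragraph above calls for: a client that validates the certificate chain and hostname (CWE-295) and a server limited to TLS 1.2 or newer with a restricted cipher list, plus a check that inspects what the server context would actually offer. The cipher string and the certificate paths are assumptions for a hypothetical deployment.

```python
import ssl
from typing import Optional

# Cipher string for the TLS 1.2 suites the server will offer: forward-secret AEAD suites only.
# TLS 1.3 suites are chosen separately by OpenSSL and are all acceptable.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client side: validate the certificate chain and hostname (CWE-295); TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # system trust store when ca_bundle is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def server_context(certfile: Optional[str] = None, keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server side: TLS 1.2 or newer and only the approved cipher list.
    The certificate and key paths are hypothetical and are loaded only when given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def offered_cipher_names(ctx: ssl.SSLContext) -> list:
    """Names of the suites the context will negotiate; useful as a configuration check."""
    return [c["name"] for c in ctx.get_ciphers()]


def has_weak_suite(ctx: ssl.SSLContext) -> bool:
    """True if any offered suite uses an algorithm that should never appear in production."""
    weak = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXPORT")
    return any(any(w in name for w in weak) for name in offered_cipher_names(ctx))
```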
10. System Configuration & Hardening

Make sure that every piece of software, from the OS, system components, software libraries and frameworks to web servers, etc., is running the latest non-vulnerable version and has the latest security patches applied. Lock down the server and remove any unnecessary files and functions. Isolate development environments from production environments. Use version control software so that all code changes deployed to production are reviewed and have an audit trail.

UC Standard(s): SSD 4.12, SSD 4.13, SSD 4.14, SSC 4.2.5, SSC 4.2.7, SSC 4.2.9, SSC 4.2.12, SSC 4.2.13, SSC 4.2.16, SSC 4.2.17, SSC 4.2.18, SSC 4.2.19, SSC 4.2.22, SSC 4.2.25, SSC 4.2.26

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A05:2021 – Security Misconfiguration
- OWASP A06:2021 – Vulnerable and Outdated Components
- OWASP A08:2021 – Software and Data Integrity Failures
- CWE-250: Execution with Unnecessary Privileges
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-494: Download of Code Without Integrity Check
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Coding Examples & Reference Materials:
- OWASP – Testing for Configuration Management
- OWASP – DotNet Security Cheat Sheet
11. Database Security

Use parameterized queries even when using a data persistence layer. Do not build dynamic SQL queries. The application should use the lowest possible level of privilege when accessing the database or API. Lock down the database by turning off any unnecessary features and functions. Connection strings, database passwords and API credentials should not be hard-coded in the application; keep them in secure, separate and encrypted configuration files.

UC Standard(s): SSC 4.2.15

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A03:2021 – Injection
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-759: Use of a One-Way Hash without a Salt
- CWE-863: Incorrect Authorization

Coding Examples & Reference Materials:
- OWASP – Database Security Cheat Sheet
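An added example (not from the checklist) that puts the dynamic-SQL pattern the paragraph above warns against next to the parameterized form, both run against a constructed in-memory SQLite table, so the difference in behaviour can be observed directly: the bound parameter is only ever compared as a value.

```python
import sqlite3

# Constructed probe string used below to show the difference; the parameterized query
# treats it as an ordinary (non-matching) username.
PROBE = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample table; a real deployment would also use a low-privilege DB account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    con.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                    [("alice", "alice@example.edu"), ("bob", "bob@example.edu")])
    return con


def find_user_dynamic(con: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern (OWASP A03:2021 Injection): untrusted text is spliced into the SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def find_user_parameterized(con: sqlite3.Connection, username: str) -> list:
    """Safe pattern: the driver binds the value; it can never alter the query structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


def compare(con: sqlite3.Connection, value: str) -> tuple:
    """Row counts returned by each approach for the same input: (dynamic, parameterized)."""
    return len(find_user_dynamic(con, value)), len(find_user_parameterized(con, value))
```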
12. File Management

Ensure authentication is required before file upload. Limit file types, prevent any file types that may be interpreted by the web server, and validate file types by checking the file header. Do not save uploaded files in the same web context as the application. Do not pass directory or file paths to the user; use index values mapped to pre-defined paths. Never send absolute file paths to the client. Scan uploaded files for malware where possible.

UC Standard(s): SSD 4.11, SSC 4.2.6

OWASP Top 10 & CWE/SANS Top 25 Elements:
- OWASP A01:2021 – Broken Access Control
- CWE-287: Improper Authentication
- CWE-306: Missing Authentication for Critical Function
- CWE-434: Unrestricted Upload of File with Dangerous Type

Coding Examples & Reference Materials:
- OWASP – File System Management
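An added example (not from the checklist) of the upload controls listed above: authentication before upload, an allowlist of types checked against the file header rather than the name alone (CWE-434), storage under a random id in a directory outside the web context, and downloads resolved through an index so no path reaches the client. The allowlist, size limit and storage root are constructed; the root defaults to a temporary directory for demonstration.

```python
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Constructed allowlist: declared extension -> file header (magic bytes) it must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_SIZE = 10 * 1024 * 1024


def validate_upload(filename: str, data: bytes) -> str:
    """Return the accepted type; anything outside the allowlist or with a mismatched header is rejected."""
    if len(data) > MAX_SIZE:
        raise ValueError("file too large")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        raise ValueError("file type not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("file header does not match the declared type")
    return ext


class UploadStore:
    """Stores files under random ids in a directory outside the web root; clients only see the id."""

    def __init__(self, root: Optional[str] = None):
        # Hypothetical: the real root is a configured directory the web server does not serve.
        self.root = Path(root or tempfile.mkdtemp(prefix="uploads-"))
        self._index = {}          # opaque id -> server-side path

    def save(self, filename: str, data: bytes, authenticated: bool) -> str:
        if not authenticated:
            raise PermissionError("authentication required before upload")
        ext = validate_upload(filename, data)
        file_id = secrets.token_hex(16)
        path = self.root / f"{file_id}.{ext}"      # built from our own values, never from the client name
        path.write_bytes(data)
        self._index[file_id] = path
        return file_id                              # the only handle the client ever receives

    def open_for_download(self, file_id: str) -> Optional[bytes]:
        """Resolve an id through the index; unknown ids get nothing and no path is ever exposed."""
        path = self._index.get(file_id)
        return path.read_bytes() if path else None
```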