Remember how to keep your company out of the news

To create your journey, you can choose a familiar space such as your office, a room in your home, or at a place where you lived in the past, a conference room, or anywhere that you can comfortably navigate in your mind. It can be any space as long as you can clearly see it in your imagination when you close your eyes. If you can’t think of an area to pick, then imagine your bedroom. For demonstration I’m going to use a bedroom from an old house I lived in years ago to create a journey. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

This document is intended to provide initial awareness around building secure software. This document will also provide a good foundation of topics to help drive introductory software security developer training. These controls should be used consistently and thoroughly throughout all applications. However, this document should be seen as a starting point rather than a comprehensive set of techniques and practices. Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for.

OWASP Proactive Controls 2018

This article demonstrates a pragmatic formula on how to use your mind and imagination in the most effective way to make cybersecurity memorable. As application developers, we are used to logging data that helps us debug and trace issues concerning wrong business flows or exceptions thrown. Security-focused logging is another type of data logs that we should strive to maintain in order to create an audit trail that later helps track down security breaches and other security issues. This list was originally created by the current project leads with contributions from several volunteers. The document was then shared globally so even anonymous suggestions could be considered. Hundreds of changes were accepted from this open community process.

  • By making the imagery more vivid, it amps up the energy and ridiculousness.
  • Learning will become fun again, much easier, and will take a fraction of the time that you used to spend.
  • If you want to take the easy path you can use my REV-ed Up Imagery shown below.

REV-ing up imagery to make mnemonic representations of information requires some practice. Now that we have images for our top ten list items, we are on to step 2 of the method of loci, where we place these images along the journey so that we can recall them later. The OWASP Top 10 Proactive Controls aims to lower this learning curve.

Objective 3. Memorize the 2018 OWASP Top Ten Proactive Controls

In the Snyk app, as we deal with data of our users and our own, it is crucial that we treat our application with the utmost care in terms of its security and privacy, protecting it everywhere needed. Databases are often key components for building rich web applications as the need for state and persistency arises. The list goes on from injection attack protection to authentication, secure cryptographic APIs, storing sensitive data, and so on. To address these concerns, use purposely designed security libraries.

  • It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software.
  • For this, I use a timer or a checklist program with timed reminders.
  • Fortunately, image memorability, or how well they stick in your memory, is something that you can improve with practice and innovation.

Other examples that require escaping data are operating system (OS) command injection, where a component may execute system commands that originate from user input and hence carries the risk of malicious commands being executed. Make sure you track the use of open source libraries and maintain an inventory of versions, their licenses and known vulnerabilities (such as those in OWASP's Top 10) using tools like OWASP Dependency-Check or Snyk. Recently, I was thinking back to a great opening session of the DevSecCon community we had last year, featuring none other than Jim Manico. Use the extensive project presentation that expands on the information in the document.

OWASP Proactive Control 3 — securing database access

During development of a web application, consider using each security control described in the sections of the Proactive Controls that are relevant to the application. Again, maintaining the order of these locations is an absolute must for a successful outcome. The journey you've selected is the one you will use to memorize the OWASP Top Ten Proactive Controls.

It really is a spaced investment of a few minutes of rehearsal at a time, amounting to much less time altogether than if you had to learn this by rote memorization. You will find that as you become more proficient in using the method of loci, the rehearsal schedule will not take much time at all. There are many, many ways that you can REV-up placing the images on the journey locations.
