OWASP SCP

Summary

OWASP Secure Coding Practices Reference Guide (OWASP SCP) defines a set of general controls that cover software security coding practices that can be integrated into the software development lifecycle. Its implementation will mitigate most common software vulnerabilities. The version used in this section is OWASP SCP v2.0.1, December 2022.

Definitions

Definition                                  Requirements
1. Input validation                         173. Discard unsafe inputs
                                            321. Avoid deserializing untrusted data
                                            324. Control redirects
                                            342. Validate request parameters
                                            345. Establish protections against overflows
2. Output encoding                          160. Encode system outputs
3. Authentication and password management   025. Manage concurrent sessions
                                            032. Avoid session ID leakages
                                            077. Avoid disclosing technical information
                                            126. Set a password regeneration mechanism
                                            127. Store hashed passwords
                                            131. Deny multiple password changing attempts
                                            132. Passphrases with at least 4 words
                                            133. Passwords with at least 20 characters
                                            134. Store passwords with salt
                                            135. Passwords with random salt
                                            138. Define lifespan for temporary passwords
                                            153. Out of band transactions
                                            238. Establish safe recovery
                                            301. Notify configuration changes
                                            332. Prevent the use of breached passwords
                                            333. Store salt values separately
                                            367. Proper generation of temporary passwords
4. Session management                       023. Terminate inactive user sessions
                                            025. Manage concurrent sessions
                                            027. Allow session lockout
                                            029. Cookies with security attributes
                                            030. Avoid object reutilization
                                            031. Discard user session data
                                            141. Force re-authentication
                                            305. Prioritize token usage
                                            349. Include HTTP security headers
                                            357. Use stateless session tokens
                                            369. Set a maximum lifetime in sessions
5. Access control                           026. Encrypt client-side session information
                                            034. Manage user accounts
                                            095. Define users with privileges
                                            096. Set user's required privileges
                                            141. Force re-authentication
                                            144. Remove inactive accounts periodically
                                            176. Restrict system objects
                                            186. Use the principle of least privilege
                                            229. Request access credentials
                                            319. Make authentication options equally secure
6. Cryptographic practices                  145. Protect system cryptographic keys
                                            146. Remove cryptographic keys from RAM
                                            151. Separate keys for encryption and signatures
                                            223. Uniform distribution in random numbers
                                            224. Use secure cryptographic mechanisms
                                            351. Assign unique keys to each device
                                            361. Replace cryptographic keys
7. Error handling and logging               075. Record exceptional events in logs
                                            077. Avoid disclosing technical information
                                            078. Disable debugging events
                                            079. Record exact occurrence time of events
                                            083. Avoid logging sensitive data
                                            085. Allow session history queries
                                            341. Use the principle of deny by default
                                            344. Avoid dynamic code execution
                                            376. Register severity level
                                            378. Use of log management system
8. Data protection                          156. Source code without sensitive information
                                            171. Remove commented-out code
                                            177. Avoid caching and temporary files
                                            183. Delete sensitive data securely
                                            185. Encrypt sensitive information
                                            186. Use the principle of least privilege
                                            266. Disable insecure functionalities
                                            320. Avoid client-side control enforcement
                                            329. Keep client-side storage without sensitive data
                                            360. Remove unnecessary sensitive information
9. Communication security                   024. Transfer information using session objects
                                            037. Parameters without sensitive data
                                            160. Encode system outputs
                                            181. Transmit data using secure protocols
                                            336. Disable insecure TLS versions
                                            338. Implement perfect forward secrecy
10. System configuration                    167. Close unused resources
                                            176. Restrict system objects
                                            186. Use the principle of least privilege
                                            262. Verify third-party components
                                            266. Disable insecure functionalities
                                            374. Use of isolation methods in running applications
11. Database security                       142. Change system default credentials
                                            152. Reuse database connections
                                            160. Encode system outputs
                                            167. Close unused resources
                                            169. Use parameterized queries
                                            172. Encrypt connection strings
                                            173. Discard unsafe inputs
                                            229. Request access credentials
                                            266. Disable insecure functionalities
12. File management                         040. Compare file format and extension
                                            041. Scan files for malicious code
                                            173. Discard unsafe inputs
                                            176. Restrict system objects
                                            264. Request authentication
                                            324. Control redirects
                                            339. Avoid storing sensitive files in the web root
                                            340. Use octet stream downloads
13. Memory management                       062. Define standard configurations
                                            160. Encode system outputs
                                            167. Close unused resources
                                            172. Encrypt connection strings
                                            173. Discard unsafe inputs
                                            345. Establish protections against overflows
14. General coding practices                155. Application free of malicious code
                                            178. Use digital signatures
                                            229. Request access credentials
                                            262. Verify third-party components
                                            266. Disable insecure functionalities
                                            330. Verify Subresource Integrity
                                            337. Make critical logic flows thread safe
                                            338. Implement perfect forward secrecy
                                            344. Avoid dynamic code execution