Skip to main content

OWASP SCP

logo

Summary

OWASP Secure Coding Practices Reference Guide (OWASP SCP) defines a set of general controls that cover software security coding practices that can be integrated into the software development lifecycle. Its implementation will mitigate most common software vulnerabilities. The version used in this section is OWASP SCP v2.0, November 2010.

Definitions

DefinitionRequirements
1. Input validation173. Discard unsafe inputs
321. Avoid deserializing untrusted data
324. Control redirects
342. Validate request parameters
345. Establish protections against overflows
2. Output encoding160. Encode system outputs
3. Authentication and password management025. Manage concurrent sessions
032. Avoid session ID leakages
077. Avoid disclosing technical information
126. Set a password regeneration mechanism
127. Store hashed passwords
131. Deny multiple password changing attempts
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
134. Store passwords with salt
135. Passwords with random salt
138. Define lifespan for temporary passwords
153. Out of band transactions
238. Establish safe recovery
301. Notify configuration changes
332. Prevent the use of breached passwords
333. Store salt values separately
367. Proper generation of temporary passwords
4. Session management023. Terminate inactive user sessions
025. Manage concurrent sessions
027. Allow session lockout
029. Cookies with security attributes
030. Avoid object reutilization
031. Discard user session data
141. Force re-authentication
305. Prioritize token usage
349. Include HTTP security headers
357. Use stateless session tokens
369. Set a maximum lifetime in sessions
5. Access control026. Encrypt client-side session information
034. Manage user accounts
095. Define users with privileges
096. Set user's required privileges
141. Force re-authentication
144. Remove inactive accounts periodically
176. Restrict system objects
186. Use the principle of least privilege
229. Request access credentials
319. Make authentication options equally secure
6. Cryptographic practices145. Protect system cryptographic keys
146. Remove cryptographic keys from RAM
151. Separate keys for encryption and signatures
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
351. Assign unique keys to each device
361. Replace cryptographic keys
7. Error handling and logging075. Record exceptional events in logs
077. Avoid disclosing technical information
078. Disable debugging events
079. Record exact occurrence time of events
083. Avoid logging sensitive data
085. Allow session history queries
341. Use the principle of deny by default
344. Avoid dynamic code execution
376. Register severity level
378. Use of log management system
8. Data protection156. Source code without sensitive information
171. Remove commented-out code
177. Avoid caching and temporary files
183. Delete sensitive data securely
185. Encrypt sensitive information
186. Use the principle of least privilege
266. Disable insecure functionalities
320. Avoid client-side control enforcement
329. Keep client-side storage without sensitive data
360. Remove unnecessary sensitive information
9. Communication security024. Transfer information using session objects
037. Parameters without sensitive data
160. Encode system outputs
181. Transmit data using secure protocols
336. Disable insecure TLS versions
338. Implement perfect forward secrecy
10. System configuration167. Close unused resources
176. Restrict system objects
186. Use the principle of least privilege
262. Verify third-party components
266. Disable insecure functionalities
374. Use of isolation methods in running applications
11. Database security142. Change system default credentials
152. Reuse database connections
160. Encode system outputs
167. Close unused resources
169. Use parameterized queries
172. Encrypt connection strings
173. Discard unsafe inputs
229. Request access credentials
266. Disable insecure functionalities
12. File management040. Compare file format and extension
041. Scan files for malicious code
173. Discard unsafe inputs
176. Restrict system objects
264. Request authentication
324. Control redirects
339. Avoid storing sensitive files in the web root
340. Use octet stream downloads
13. Memory management062. Define standard configurations
160. Encode system outputs
167. Close unused resources
172. Encrypt connection strings
173. Discard unsafe inputs
345. Establish protections against overflows
14. General coding practices155. Application free of malicious code
178. Use digital signatures
229. Request access credentials
262. Verify third-party components
266. Disable insecure functionalities
330. Verify Subresource Integrity
337. Make critical logic flows thread safe
338. Implement perfect forward secrecy
344. Avoid dynamic code execution