How Are You Implementing Compensating Controls for OWASP Top 10?
OWASP’s Top 10 vulnerabilities continue to challenge security professionals on the compensating controls they need to implement. These vulnerabilities crop up year after year in application code and have been the cause of major data breaches over the past decade.
The top 5 critical risks in most apps include:
- SQL Injection
- Cross-site scripting (XSS)
- Sensitive data exposure
- Broken Access Controls
- Broken Authentication & Session Management.
The good news is that there are several prudent compensating measures that security teams can take in the near term to ensure OWASP compliance.
What are the compensating measures to adopt for OWASP compliance?
The accepted standard practice has mostly been to deploy firewall tools, like Web Application Firewalls (WAF), to improve application security.
WAFs are signature-based tools and block incoming traffic, if a signature hit is detected. They are good at detecting traditional OWASP Top 10 flaws, like injection flaws, which have slipped through your development and QA processes.
The problem with traditional WAFs is that they are rule-based and could generate a lot of false positives. These false positives may need time-consuming interventions from security teams to ensure that legitimate traffic is not blocked. Many enterprises deploy WAF just to ensure compliance with PCI mandates.
In fact, Runtime Application Security Protection (RASP) tools can prevent real time attacks in the production environment.
RASP solutions sit inside the application and have access to the full application context to monitor its behavior in real time. Unlike WAFs, they do not rely on preset patterns or signatures.
What are my firewall options in today’s DevOps environments?
Modern applications are deployed across cloud, on-premise and hybrid environments. Built using DevOps processes, they undergo frequent configuration changes and policy updates.
Traditional firewalls were not designed to handle all types of web application attacks. Meanwhile, today’s risks have shifted from the network layer to the application layer.
Next generation firewalls are combining the functionality of WAF and RASP into a single appliance. This is a good alternative. They are designed to handle other emerging threat vectors, including API abuse, BOT attacks, Web Scraping and Denial of Service attacks.
Most importantly, they do a good job in blocking malicious payloads, while allowing legitimate traffic to flow to the applications. They are easy to deploy and tune in a production environment.
How can AppSec training for developers be a strong compensating control?
Growing DevOps adoption has resulted in “left shifting” of security in the software lifecycle. Developers have had to move to the frontlines of security.
However, most developers lack formal training in secure coding practices in their IT education or in their work environment. Early adopters are proving that a continual AppSec training program is crucial for developers to up their game. Here’s why:
- AppSec training builds a hacker’s mindset in developers, making them more effective
- Hands-on labs provide them with opportunities to fix real world code vulnerabilities, ensuring learning retention
- Ongoing training builds and propagates a “security by design” culture in the organization.
Investment in AppSec should be one of your best compensating controls against OWASP vulnerabilities. Consider it a table stake requirement for today’s modern web applications.
Are you ready for Developer AppSec Training?
Our virtual labs will give you the real skinny on OWASP Top 10 vulnerabilities.