Last Updated on October 29, 2020
Building secure web applications takes more than checking some boxes on a generic list. Different size teams, different tools, different programming languages, different application scopes… Every team’s approach will end up being a little different.
But there are some core informational commonalities that apply to pretty much every development team. Lining those up at the outset will give you a big head start and help all your subsequent efforts fall into place.
To share the best possible guidance on this potentially bottomless topic, we invited Jim Manico to be our guest on The Virtual CISO Podcast. Jim is one of the top global thought leaders in web application security. He’s the founder of Manicode Security, an application security training firm, and a major contributor to multiple Open Web Application Security Project (OWASP) offerings.
Step 1: Give your team access to a skilled secure coding expert
Episode host John Verry, Pivot Point Security’s CISO and Managing Partner, kicks off the conversation by asking, “What does it take for a developer to really leverage the guidance that [OWASP ASVS] is providing?”
Jim’s answer is a blockbuster: “If you look at the Automotive Linux Group studies on secure coding, they said that the single most important factor regarding whether or not your project will be successful from a security point of view is whether or not you have a skilled expert in secure coding embedded within your team. Without that, security is just not going to happen. And with that, you have a good chance of getting there.”
The ASVS is a pointer to deeper knowledge. So having a security champion to explain and apply the guidance is a huge benefit.
But that person doesn’t have to be a full-time employee. A significant portion of Jim and John’s conversation centers on how to make the most of virtual/”fractional” resources to drive web app security.
Step 2: Format the ASVS to fit your screen
“I rarely think you should use the [ASVS] standard out of the box,” Jim states. “The standard is like a template. You fork it with your team, to make it more relevant to the work that you’re doing.” “For example, I don’t build authentication systems anymore; I use identity providers,” explains Jim. “So I drop all those authentication requirements and I convert those to a couple of requirements on how to implement the identity provider.”
Step 3: Blend in other OWASP guidance
To help educate developers (or support lone developers), Jim encourages use of the OWASP Cheat Sheet Series, which he calls “.. a living encyclopedia on secure coding knowledge.” It provides detailed explanations on how to handle the ASVS requirements. “ASVS by itself is not effective. You need that support system around it, absolutely,” Jim summarizes.
Jim also suggests applying the OWASP Web Security Testing Guide, which explains how to test for the security issues outlined in the ASVS and detailed in the Cheat Sheets.
His three straightforward suggestions pull the key information sources that every team needs to get the best possible start into a cohesive whole.
If you’re a developer or manager seeking real-world advice on how best to approach web app security from your particular starting point, this episode of The Virtual CISO Podcast was tailor-made for you and your team. To hear the episode with Jim Manico end-to-end, and enjoy the many other episodes in The Virtual CISO Podcast series, click here.
If you don’t use Apple Podcasts, you can access all our episodes here.
“ASVS by itself is not effective. You need that support system around it, absolutely,” Jim summarizes.