3 Steps to Success with OWASP Guidance for WebAppSec

Reading Time: 2 minutes

Last Updated on October 29, 2020

3 steps to secure applications
 
Building secure web applications takes more than checking some boxes on a generic list. Different size teams, different tools, different programming languages, different application scopes… Every team’s approach will end up being a little different.

But there are some core informational commonalities that apply to pretty much every development team. Lining those up at the outset will give you a big head start and help all your subsequent efforts fall into place.

To share the best possible guidance on this potentially bottomless topic, we invited Jim Manico to be our guest on The Virtual CISO Podcast. Jim is one of the top global thought leaders in web application security. He’s the founder of Manicode Security, an application security training firm, and a major contributor to multiple Open Web Application Security Project (OWASP) offerings.

Step 1: Give your team access to a skilled secure coding expert

Episode host John Verry, Pivot Point Security’s CISO and Managing Partner, kicks off the conversation by asking, “What does it take for a developer to really leverage the guidance that [OWASP ASVS] is providing?”
Jim’s answer is a blockbuster: “If you look at the Automotive Linux Group studies on secure coding, they said that the single most important factor regarding whether or not your project will be successful from a security point of view is whether or not you have a skilled expert in secure coding embedded within your team. Without that, security is just not going to happen. And with that, you have a good chance of getting there.”
The ASVS is a pointer to deeper knowledge. So having a security champion to explain and apply the guidance is a huge benefit.
But that person doesn’t have to be a full-time employee. A significant portion of Jim and John’s conversation centers on how to make the most of virtual/”fractional” resources to drive web app security.

Step 2: Format the ASVS to fit your screen

“I rarely think you should use the [ASVS] standard out of the box,” Jim states. “The standard is like a template. You fork it with your team, to make it more relevant to the work that you’re doing. For example, I don’t build authentication systems anymore; I use identity providers,” explains Jim. “So I drop all those authentication requirements and I convert those to a couple of requirements on how to implement the identity provider.”
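As an added illustration (not from the podcast, from Jim, or from OWASP), the tailoring described above can be applied to a machine-readable copy of the standard: drop the authentication chapter and append a short chapter of identity-provider requirements the team actually owns. The input document below is a constructed stand-in whose chapter/section/requirement nesting follows the ASVS JSON export as assumed here, and the T2 requirement wording is invented for the example.

```python
"""Fork an ASVS-style requirements document for a team that delegates
login to an identity provider. The sample document is constructed and
heavily cut down; its nesting (chapter -> section -> requirement) is an
assumption about the ASVS JSON export, not the real standard."""
import copy

# Constructed sample: two chapters, one section each, a few requirements.
ASVS_SAMPLE = {
    "Name": "ASVS (constructed sample)",
    "Requirements": [
        {"Shortcode": "V2", "ShortName": "Authentication", "Items": [
            {"Shortcode": "V2.1", "Name": "Password Security", "Items": [
                {"Shortcode": "V2.1.1", "Description": "Passwords are at least 12 characters.", "L1": True},
                {"Shortcode": "V2.1.7", "Description": "Passwords are checked against breach lists.", "L1": True},
            ]},
        ]},
        {"Shortcode": "V3", "ShortName": "Session Management", "Items": [
            {"Shortcode": "V3.2", "Name": "Session Binding", "Items": [
                {"Shortcode": "V3.2.1", "Description": "A new session token is issued on login.", "L1": True},
            ]},
        ]},
    ],
}

# Team-specific chapter that replaces the dropped one (constructed wording).
IDP_CHAPTER = {
    "Shortcode": "T2", "ShortName": "Identity Provider Integration", "Items": [
        {"Shortcode": "T2.1", "Name": "Delegated Authentication", "Items": [
            {"Shortcode": "T2.1.1", "Description": "All user authentication is delegated to the identity provider via OpenID Connect.", "L1": True},
            {"Shortcode": "T2.1.2", "Description": "ID token signature, issuer, audience and expiry are verified on every login.", "L1": True},
        ]},
    ],
}


def fork_asvs(doc, drop_chapters, replacement_chapter):
    """Return a copy of doc without the listed chapters, with replacement_chapter appended.
    The original document is left untouched so the upstream copy stays pristine."""
    forked = copy.deepcopy(doc)
    forked["Requirements"] = [ch for ch in forked["Requirements"] if ch["Shortcode"] not in drop_chapters]
    forked["Requirements"].append(replacement_chapter)
    return forked


def requirement_ids(doc):
    """Flatten chapter -> section -> requirement and list the requirement shortcodes."""
    return [req["Shortcode"] for ch in doc["Requirements"] for sec in ch["Items"] for req in sec["Items"]]


def team_fork():
    """The fork this team keeps: V2 dropped, T2 added, everything else inherited."""
    return fork_asvs(ASVS_SAMPLE, {"V2"}, IDP_CHAPTER)
```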

Step 3: Blend in other OWASP guidance

To help educate developers (or support lone developers), Jim encourages use of the OWASP Cheat Sheet Series, which he calls “…a living encyclopedia on secure coding knowledge.” It provides detailed explanations on how to handle the ASVS requirements.
Jim also suggests applying the OWASP Web Security Testing Guide, which explains how to test for the security issues outlined in the ASVS and detailed in the Cheat Sheets.

“ASVS by itself is not effective. You need that support system around it, absolutely,” Jim summarizes.


His three straightforward suggestions pull the key information sources that every team needs to get the best possible start into a cohesive whole.

If you’re a developer or manager seeking real-world advice on how best to approach web app security from your particular starting point, this episode of The Virtual CISO Podcast was tailor-made for you and your team. To hear the episode with Jim Manico end-to-end, and enjoy the many other episodes in The Virtual CISO Podcast series, click here.
If you don’t use Apple Podcasts, you can access all our episodes here. 

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!

Get your download here!

3 thoughts on “3 Steps to Success with OWASP Guidance for WebAppSec”

  1. John smith says:

    Very well said! I won’t be stingy to mention that your efforts are highly appreciated, because your work reflects how hard you are working to collect and provide this useful information for your readers. It is also a great contribution to the well-being of the healthcare community.
    I’ve been working in a medical billing company for more than a decade now. Although we are responsible for managing and growing the accounts of physicians and doctors, we also have to make sure that those healthcare providers maintain a healthy relationship with insurance companies and more particularly with their patients. So we also provide medical billing solutions to sustain a good reputation for their practice. For this purpose, we also learn about their problems and challenges to sustain an ever-growing healthcare business. Due to this factor, I am well familiar with the frustrations/problems of almost every physician out there. Therefore, I recommend that they should spend a little portion of their valuable time reading such articles, which can help them gain better insights into successful healthcare practice.

    1. Jeremy Sporn says:

      Hi John, thanks for the encouraging words. We really do try to bring value to our audience. Wish you nothing but success in all you do!
