TIMO ZIMMERMANN

balancing software engineering & infosec

Security 101: OWASP

posted on Tuesday 3rd of March 2020

One of the questions I am often asked when offering office hours for startups as a part of SpinLab is how they can step up their security game without hiring additional people or bringing in a consultant. I would love to have a silver bullet that magically secures your system for free. I really do. But in the absence of magic we have to work with the tools at hand, one of them being the OWASP Top 10.

OWASP – the Open Web Application Security Project – offers tons of resources, but the one most people are likely aware of is the OWASP Top 10. It is a collection of the ten most critical risks for web applications. And best of all? It is being kept up to date – which makes it even sadder that some of these risks are still on the list, considering we have been dealing with them for over… what, two decades?

But this is not all! Assuming you take the time to read through the Top 10 list you’ll see “A10-Insufficient Logging & Monitoring” with a two-sentence outline giving you a summary of the problem. What exactly does this mean? How can you prevent it? What is the risk? Easy. Click the link and read a lot more about it. It will actually answer all those questions.

Okay, now you know the full extent of the risk and you have a basic understanding of how to mitigate it. But where can you get some more information and examples? OWASP Cheatsheet Series to the rescue! Another resource provided by OWASP is an amazing collection of cheatsheets with enough info to keep you busy for days and weeks. Hopefully not months, that would be bad for an early stage startup. I would actually recommend reading as many cheatsheets as you can and internalising the information. Most of them will come in handy at some point.

Two additional resources which are part of the Top 10 you should read are the What’s Next For Developers and What’s Next for Organisations. This will likely be the point where you decide that you do not have the time to work through all of the advice you find in there and have to do it at a later date. Which is fine. What those two resources provide you with right now is the knowledge that there is a lot more work waiting for you and it hopefully acts as a reminder to constantly work on the security aspects of your application.

OWASP provides lots of great resources. It is out there, it is free to use. It requires some time, but it is in my opinion approachable for any software engineer, no matter how much prior exposure to the security field they had.

Engineering time is usually a constraining factor for an early stage startup, nearly as much as capital. So it might feel counterintuitive to ask engineers to spend time on learning more about security instead of letting them write code and bringing in external resources to help you out with securing your system. But let me tell you an open secret: many engagements start with establishing basics and testing for vulnerabilities covered by OWASP.

If your team is already well versed in the basics you not only reduce the constantly existing risk of new vulnerabilities being introduced into your system. When you decide to bring in a third party, the basics and training portion is often completed a lot faster, allowing your consultant and engineers to spend the remaining time working on the finer details, alternative approaches, different threat models,… that often have to be ignored when there is a hard limit on time and/or budget. Or, for the business savvy readers of this post: your ROI will be significantly higher.

If you want to follow this article series you can either subscribe to the general RSS feed or to the tag specific one if you only care about startup security posts.