Getting Started With Application Security Practice

Consider this a very basic step-by-step guide to getting started with application security practice in your organisation. We begin with an overall framework and pick the Microsoft SDL, which is the gold standard for building applications in enterprises. Once the overall framework is defined, we can look at web- and mobile-application-specific resources to use for guidance and as benchmarks.

STEP 1 - Get introduced to Microsoft Security Development Lifecycle

STEP 2 - Get familiar with OWASP Application Security Verification Standard

OWASP is a global body for application security research. The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls.

The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications. The requirements were developed with the following objectives in mind:

  • Use as a metric - Provide application developers and application owners with a yardstick with which to assess the degree of trust that can be placed in their Web applications,
  • Use as guidance - Provide guidance to security control developers as to what to build into security controls in order to satisfy application security requirements, and
  • Use during procurement - Provide a basis for specifying application security verification requirements in contracts.

Some of the text above is from the OWASP ASVS web page.

STEP 3 - Test against OWASP Top 10 and then later against OWASP Testing Guide

Use these two documents (the OWASP Top 10 first, then the OWASP Testing Guide) to test for application security vulnerabilities in your web and mobile applications.

Cheat a bit with OWASP Cheatsheets

Sometimes there is no time to complete full-fledged testing. At times like these the following OWASP cheat sheets might be useful to peruse.

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics.

Text from https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series#tab=Main

Full list: Master Cheat Sheet

STEP 4 - Aim for covering TOP 20 Critical Security Controls for your network

The Critical Security Controls focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on “What Works” - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness.

Text from https://www.sans.org/critical-security-controls/

About Akash Mahajan
That Web Application Security Guy a long time ago. Co-Founder @AppseccoUK | Community Manager @null0x00 | Author - Burp Suite Essentials, Security Automation with Ansible 2. Writing about application security, being part of communities like null and OWASP, and other technically inclined topics. Sometimes about my company and books.