back to article Open Web Application Security Project issues new secure coding bible

The Open Web Application Security Project (OWASP) has published the third version of its developer security bible trimming the fat and offering peer-reviewed and tested means of building more secure apps. The Application Security Verification Standard Project (ASVS) is the carrot to OWASP's much-cited stick that is the Top 10 …

  1. Ole Juul
    Facepalm

    Eureka

    "three to four years ago he and others in the industry were doing penetration testing at the end of a build. Now, the best work with builders from the start."

    This is a good idea and has been standard in other fields for a long time. For example bridge building and high-rise construction.

    1. LDS Silver badge

      Re: Eureka

      Bridge building and high-rise construction have thousands years of expertise. Big projects failures in the past taught a lot. IT is much younger, and the big security failures of the past years are starting to teach enough to change mindset.

    2. DaLo

      Re: Eureka

      It is also rather easier to fix issues in code afterwards than fix a critical flaw with a bridge or a high-rise.

      It's also easier to spot flaws in code as it doesn't have three layers of reinforced concrete poured over it.

      (Not that I'm condoning post build security reviews, I believe all programmers should program securely at all times, the same way they're expected to write good, or efficient code)

      1. Anonymous Coward
        Anonymous Coward

        Re: Eureka

        "It is also rather easier to fix issues in code afterwards than fix a critical flaw with a bridge or a high-rise."

        Yes, that's why there's so much shite code out there. The profit it now, we can/might fix/sell a new version later motivation got us to this place already.

      2. Warm Braw Silver badge

        Re: Eureka

        It is also rather easier to fix issues in code afterwards

        That simply isn't true in practice - just search this august journal for "SOHOpeless" for the evidence.

        And even if it were, critical flaws in software can cause huge economic damage before they're detected and fixed. Fixing afterwards may be pointless if the damage is already done.

        1. Anonymous Coward
          Anonymous Coward

          Re: Eureka

          "That simply isn't true in practice"

          It's talking about testing at the end of a build (QA testing) not testing after it has been publicly released.

          If you think it is easier to knock down a high rise to fix a critical flaw with the metalwork than recode some potential buffer overruns then don't get a job in the construction industry (or the software industry).

  2. John Smith 19 Gold badge

    "Developers are responsible for insecurity."

    True.

    Always.

    And to the reply "The PHB made me do it." Make sure you have a record of supplying them with an analysis of what happens (especially how much money) will be lost if the project goes live with their planned arrangements and security is breached.

    1. tony2heads

      Re: "Developers are responsible for insecurity."

      This business of recording information given to a boss reminds me of an old friend who used to be a sailor.

      He was once given an instruction by a captain which he could see was bloody risky. He insisted that he would only comply if it was written in the ship's log as an order from the captain; the captain backed down when he realised that any blame would be attached to him if the ship sank and could not be passed on.

      Perhaps something like ship's log should be kept for orders handed down (VW are you listening?).

      1. Destroy All Monsters Silver badge

        Re: "Developers are responsible for insecurity."

        > Perhaps something like ship's log should be kept for orders handed down

        It's called a JIRA

        1. Alistair Silver badge
          Windows

          Re: "Developers are responsible for insecurity."

          @DAM

          I have 17 years worth of email archived. And backed up. Intentionally. With indexes.

  3. Dan 55 Silver badge
    Trollface

    Attn publishers of these esteemed organ

    2.16: Verify that credentials are transported using a suitable encrypted link and that all pages/functions that require a user to enter credentials are done so using an encrypted link.

  4. Chris Daemon

    Web Derpvelopers

    But can they do a version for all those front-end/UX "developers"?

    Something based on a coloring book, see spot run, etc?

  5. Anonymous Coward
    Linux

    Risks associated with software today ..

    "An application achieves ASVS Level 2 (or Standard) if it adequately defends against most of the risks associated with software today."

    Your web applications are only as secure as the underlying OS. If that's insecure then no amount of ASVS will cure it. How about designing an OS that can differenciate between local software and software downloaded from the Internet and don't execute the latter. How about not using an OS that can be compromised by clicking on a malicious weblink or opening an email attachment.

    ps: I notice some broken HTML at the top of the page to get some script to run:

    html> head> script>var inDapIF true; /script> /head> body> script src "https://tpc.googlesyndication.com/safeframe/1-0-2/js/ext.js"> /script> IFRAME SRC "https://fw.adsafeprotected.com/rjsi/dc/49009/6898563/ddm/adi/N117602.126839THEREGISTER.COM/B9199301.125002745;sz 728x90;click https://adclick.g.doubleclick.net/aclk 253Fsa 253DL 2526ai

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019