
How to Get Started in Application Security

    

(Image: XSS Prevention Rules Summary from the OWASP XSS Cheat Sheet, by Jeff Williams)
My OWASP Cheat Sheet for Cross-site Scripting (XSS) just passed 1M views, and I'm proud of that. It ain't Shakespeare, so that means a lot of people are actually interested in knocking out XSS.

Making application security accessible and actionable to all developers is a key part of OWASP's mission. Application security is needed in all ranks of developers, particularly computer science students who typically receive little or no training about secure coding techniques. The whole series of OWASP Cheat Sheets is a great way to dig into appsec.

But there is one thing we can't do for you: we can't fix your code. You'll have to do that yourself. The good news is that there are PLENTY of free resources throughout the web that can teach you how to code more securely.

Here are our recommendations for learning more about application security, and how to code in secure ways, for free:

  1. The Open Web Application Security Project, aka OWASP. I was the Global Chair of OWASP for eight years, so I have a soft spot in my heart for OWASP. Rigorously non-commercial in their treatment of vulnerabilities and fixes, they do an excellent job of educating on what vulnerabilities are and how you can fix them. If you've got the time, they've got the content. Of course I recommend the OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet and the other OWASP cheat sheets, which have much to offer someone seeking to learn application security from a developer's standpoint.
     
  2. OWASP Application Security Verification Standard (ASVS). If you want to learn application security testing, learn the OWASP ASVS and the OWASP Testing Guide. You should also learn how to use security testing proxies, like Burp or ZAP, and you'll need a deliberately vulnerable application to test against, like OWASP's WebGoat.
     
  3. OWASP Enterprise Security API (ESAPI). According to Jarret Raim, "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development."
     
  4. "The Tangled Web."  This book, by Michal Zalewski of Google, is a fascinating trip through the insides of the browser and web applications. You'll learn about standards, browser features, and more.
 
Using Contrast to Get Started 

My most recent venture, Contrast Security, is designed to make application security accessible to every developer, tester, and architect -- even if they don't know much (or anything) about application security. By harnessing the power of instrumentation to monitor your applications for vulnerabilities, Contrast provides real time feedback on the security of your code with an industrial-strength security engine, not a scaled down toy spell checker.

Yes, we can find vulnerabilities inside libraries and frameworks, even third-party components of which you use only a portion. We use instrumentation to gather information from HTTP traffic, the code, data flow, control flow, configuration files, and even backend connections. All this information makes it possible to accurately identify a far broader range of vulnerabilities than traditional tools, including injection, XSS, XXE, encryption problems, verb tampering, and many more. Our dashboard is intuitive, our results are prioritized by criticality, and we support a host of different languages.

Using Contrast to find *real* vulnerabilities in your organization's code is a great way to learn what kinds of mistakes they are making and exactly how they work.  Once you understand, you can choose the best strategy for fixing your code.  Not just one application, but all of them.

Perfect Practice Makes Perfect
I once heard a story about a child taking piano lessons. Some children read music well; others "cheat" by playing by ear, i.e. by practicing what they hear. When the teacher hears the piece played nicely but not as written, they can tell who is merely practicing and who is doing perfect practice, meaning playing it as written over and over again. Practicing the music incorrectly still counts as practice, but it's not the kind of practice you write home about. Contrast's deep analysis and immediate feedback enable perfect practice when people are writing code, because, unfortunately, you can write code all day long and still not be any good at writing secure code.
 
And since learning on its own can be fun, practicing in a real environment that won't threaten the security of your current project is probably best. For that, we recommend http://appseclive.org/ or https://code.google.com/p/owaspbwa/ (the OWASP Broken Web Applications project) to learn about application security from deliberately vulnerable applications. Both let you practice against real, running code without putting your own project at risk.

I'll leave you with a mantra I heard growing up that motivates me from day to day,


"You are what you were yesterday,
with or without improvement."
 




 

Jeff Williams, Co-Founder, Chief Technology Officer


Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.