Security Practices
There are many different types of vulnerabilities and weaknesses to consider when developing new applications. Since 2004 the Open Worldwide Application Security Project (OWASP) has published a list of the 10 most common vulnerability categories, aimed primarily at web applications. Although this list does not cover everything, it is often used as a starting point for the vulnerabilities that must be addressed in development projects.
The current categories in the OWASP Top 10 are:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
If the team has no processes around secure development, the OWASP Top 10 is a good place to start. For teams with greater maturity in application security, other checklists, such as the Application Security Verification Standard (ASVS), also from OWASP, are a further option. ASVS is divided into three levels: level 1 covers the main points and requires only general competence, while level 3 goes into more depth and requires specific competence and supporting tools.
OWASP publishes much more besides, including other Top 10 lists and what it calls "Cheatsheets": detailed guidance on specific security-related topics.