Security and Azure DevOps – part 2

In this new post about security in DevOps or Azure DevOps we will take some key elements that can be important in the SDLC of your organization. A better title could:

Enhancing Application Security: A Guide to OWASP ASVS in Development Lifecycles

Introduction

In an era where digital transformation is rapidly reshaping industries, the importance of robust application security cannot be overstated. As organizations strive to deliver innovative software solutions faster than ever before, they must also prioritize safeguarding sensitive data and protecting against potential cyber threats. Luckily for us and all our developers they are not alone to accomplish this task. The Open Web Application Security Project (OWASP) and the Application Security Verification Standard (ASVS) helps us with prioritizing the work and the tasks we need to have our focus on.

Understanding OWASP ASVS:

The OWASP ASVS is a comprehensive framework designed to establish a security standard for web applications and web services. It provides a set of security requirements that can be used to ensure the confidentiality, integrity, and availability of web applications. ASVS is particularly beneficial for organizations looking to integrate security into their software development lifecycle, fostering a proactive approach to identifying and addressing security concerns.

How to implement?

The ASVS consists of a set of security controls categorized into three levels (L1, L2, and L3), allowing organizations to tailor their security measures based on the specific risks associated with their applications. Each level corresponds to the sensitivity and importance of the data being processed.

The framework guides developers on how to implement security controls effectively. It offers insights into secure coding practices, data validation, and the proper use of cryptographic functions.

Levels

1. Level 1 (L1) – Standard Security
   • Purpose: Level 1 is the baseline for security requirements and is suitable for applications with lower sensitivity and fewer security concerns.
   • Applicability: Recommended for applications where security is essential but not a primary focus, and the impact of a security breach is minimal.
   • Controls: L1 includes fundamental security controls that all applications should implement. These controls cover basic security measures such as data validation, session management, and error handling.
2. Level 2 (L2) – Defense-in-Depth
   • Purpose: Level 2 is intended for applications with moderate sensitivity and a higher level of security requirements. It aims to establish a more robust defense against potential threats.
   • Applicability: Suitable for applications that process sensitive data or have a higher risk profile, warranting additional security measures.
   • Controls: L2 builds upon L1 by introducing more advanced security controls. This may include measures like secure session management, secure data storage, and protection against common injection attacks.
3. Level 3 (L3) – Application-Aware
   • Purpose: Level 3 represents the highest level of security requirements and is designed for applications with the highest sensitivity, where security is a top priority..
   • Applicability: Reserved for applications that handle extremely sensitive information or are critical to an organization’s operations, requiring the most stringent security measures.
   • Controls: L3 includes the most comprehensive set of security controls, covering a wide range of advanced threats. This may involve measures such as code review, secure communication, and protection against advanced injection attacks

Verification levels

• V1: Architecture, Design, and Threat Modelling Requirements
  • Emphasizes the importance of incorporating security into the early stages of application development.
  • Requires organizations to conduct threat modelling to identify and mitigate potential security threats.
• V2: Authentication
  • Addresses security controls related to user authentication mechanisms.
  • Includes requirements for secure password storage, multi-factor authentication, and session management.
• V3: Session Management
  • Focuses on securing user sessions to prevent unauthorized access.
  • Covers aspects such as session timeout, session fixation, and secure cookie usage.
• V4: Access Control
  • Deals with enforcing proper access controls to ensure users only have authorized access to resources.
  • Defines requirements for role-based access control (RBAC) and proper privilege management.
• V5: Validation, Sanitization, and Encoding
  • Addresses the importance of handling user input securely to prevent injection attacks.
  • Focuses on validating, sanitizing, and encoding data to ensure that user-supplied information is safe for processing.
• V6: Stored Cryptography
  • Focuses on secure use of cryptographic functions to protect sensitive data.
  • Includes requirements for encryption, key management, and secure random number generation.
• V7: Error Handling and Logging
  • Emphasizes secure error handling and logging practices to avoid information leakage.
  • Requires proper error messages, logging of security events, and protection against log injection.
• V8: Data Protection
  • Addresses security controls for protecting sensitive data throughout its lifecycle.
  • Includes encryption of data at rest and in transit, as well as secure data deletion.
• V9: Communication
  • Focuses on securing communication channels to prevent eavesdropping and man-in-the-middle attacks.
  • Requires the use of secure protocols and encryption for data in transit.
• V10: Malicious Code
  • Addresses security controls for handling and validating user inputs to prevent injection attacks.
  • Covers measures against common vulnerabilities like SQL injection and cross-site scripting (XSS).
• V11: Business Logic
  • Focuses on securing the business logic of an application.
  • Requires organizations to validate and protect critical business processes and workflows.
• V12: File and Resources
  • Addresses security controls to prevent the execution of malicious files.
  • Covers restrictions on file uploads and secure handling of uploaded files.
• V13: API and Web Service
  • Focuses on securing Application Programming Interfaces (APIs) and web services.
  • Acknowledges the increasing importance of APIs in modern web applications and the need for robust security measures.
• V14: Configuration
  • Addresses secure configuration practices to reduce the attack surface.
  • Requires organizations to follow best practices for securing servers, databases, and other components.

Using ASVS in Development Lifecycles

1. Requirements Phase: Integrate it into the requirements gathering process. Identify the security controls relevant to your application based on its sensitivity and potential risks. This ensures that security considerations are embedded in the application from the outset.
2. Design and Architecture: Leverage ASVS during the design and architecture phase to perform threat modelling. This proactive approach helps identify potential security threats and vulnerabilities early in the development process, allowing for informed design decisions that mitigate risks.
3. Implementation: Incorporate the specific security controls applicable to your application’s verification level. Utilize secure coding practices and guidelines to implement these controls effectively. Automated security testing tools can also be employed to validate the implementation.
4. Testing and Quality Assurance: It supports the development of security test cases. Security testing, including dynamic and static analysis, can be performed to verify the application’s compliance with the specified security controls. This phase ensures that security measures are actively tested and validated.
5. Deployment and Maintenance: Ongoing monitoring and maintenance are critical for sustaining a secure application. Regularly reassess your application’s security posture and update security controls as necessary. You need a foundation for continuous improvement and adaptation to emerging security threats.

Conclusion

We can conclude that ASVS is a valuable guide for organizations committed to developing secure web applications. By integrating this framework into software development lifecycle, organizations can proactively address security concerns, minimize risks, and delivery robust, secure applications on an even faster way. As the digital landscape evolves, leveraging frameworks like ASVS becomes essential in building a resilient defence against ever-evolving cyber threats.

Bronnen and readable stuff

• OWASP/ASVS at v4.0.3 (github.com)