Hello and welcome back. We're going to talk about OWASP Top 10 Proactive Controls and Vulnerabilities. Basically, we're going to do an overview of the OWASP Top 10 Proactive Controls, which is a document that the OWASP group has created. It's a starting point for developing secure software, with a focus on defensive mechanisms and controls. Then we're going to talk about the OWASP Top 10 Project, which is a list of the top 10 vulnerabilities for a particular year. It helps to identify the most serious security risks for web applications. Now I'd like to note that the contents of this presentation are based on the OWASP Top 10, and this work is under the Creative Commons Attribution-ShareAlike 3.0 License. After this lesson, you will be able to locate and examine existing best practices for web application security.

Great, so let's get started. The OWASP Top 10 Proactive Controls are controls and recommendations to apply during the software development lifecycle. I'd like to point out that it's only a starting point, but it's still a good place to start. It gives us an awareness of various things that we should perform during the software development lifecycle in order to improve our application security. But you don't only want to use the OWASP Top 10 Proactive Controls; you also want to include in your software development lifecycle some verification standard for testing security controls. An example of a verification standard is the OWASP ASVS. ASVS stands for Application Security Verification Standard. In addition, you would want to continually improve your processes by using a set of activities that examines your software development lifecycle. For example, you could look at the recommendations from the OWASP SAMM, S-A-M-M, which stands for the Software Assurance Maturity Model. Or you could also examine the BSIMM, which stands for Building Security In Maturity Model. It's a survey that is performed across many companies, and it tells you the current software security practices that are common amongst those that have been surveyed. It allows you to get a general sense of how the security practices in your company fare against what's been surveyed.

The idea in this lesson is that we are going to highlight the mapping between the suggested control or defense technique from the OWASP Top 10 Proactive Controls and the particular security weakness, or general weakness, that's being addressed. Now, let's move on to the OWASP Top 10 Proactive Controls.

The first one is control one: we want to define security requirements, and we want to do this right at the beginning, before we do any actual application development. Defining security requirements is done as close to the beginning of the lifecycle as possible, and you want to iterate this process when new changes are added to your application specification. The goal of this is to define a set of security requirements such that you are able to create new security features that will address the current vulnerabilities in your application design. This control prevents many vulnerabilities and is a broad recommendation that will help prevent lots of different things.

The next thing we're going to talk about is control two, which is leveraging security frameworks and libraries. Basically, this means we want to use existing, tried and proven security frameworks or libraries, because it helps us as developers to ramp up our web application security improvement, and we don't have to do anything from scratch. Other people have used these frameworks or libraries before, so we know that they've been tested. This control also prevents many types of vulnerabilities.

The next thing we're going to talk about is control three, which is to secure database access. The idea here, in general, is to make sure that any database access that you are using is secure in several ways. The first way is to perform database queries in a secure way. For example, we don't want to trust any queries that have been generated using user input, because that would lead to SQL injection vulnerabilities. The next thing that you want to make sure you do when you want to secure your database is to set up your database with secure configurations. The reason why is because databases don't normally come secure by default out of the box. You have to make sure that, with the particular database that you're using, you understand what configurations need to be locked down. In general, you want to harden your database configuration before using it. The next thing you want to do is to set up secure authentication and secure communication between your application and your database. This helps to mitigate injection vulnerabilities as well as vulnerabilities related to authentication issues.

The next OWASP Top 10 Proactive Control is control four, which is to encode and escape your data. This is a defensive technique to help prevent injection attacks. We're going to go over this in more detail in a later module. But this addresses injection and cross-site scripting vulnerabilities.

The next proactive control, control five, which you want to make sure you have in your checklist, is to validate all of your inputs. Effectively, you only want to process properly formatted data. But make sure that validating all of your inputs is not the only thing that you are using in order to create defenses in your application. Validating all inputs has to be done along with other defenses like query parameterization and data escaping, which we'll talk about in a later module. The reason why we want to validate all our inputs is because it helps us to reduce the attack surface of our web application. This means that the attacker has to work a lot harder in order to exploit any weaknesses in our application.

Let's take a break and continue on with control six when we come back.
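To make control three (secure database queries) and control five (validate all inputs) concrete, here is an added example that is not part of the lecture: a string-built query beside its parameterized form, plus an input validator in front of it. The `users` table, its two rows and the username format are all constructed for the demonstration and are not from the course material.

```python
"""Added example (not from the lecture): OWASP Proactive Controls 3 and 5
demonstrated against an in-memory SQLite table."""
import re
import sqlite3

# Constructed sample data: a tiny users table with two rows.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.test"), ("bob", "bob@example.test")])


def lookup_unsafe(username):
    """The pattern the lecture warns against: user input is pasted into the
    query text, so the input can change the shape of the query itself."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def unsafe_query_breaks(username):
    """Return True if lookup_unsafe cannot even parse the query for this input
    (e.g. a legitimate name containing an apostrophe)."""
    try:
        lookup_unsafe(username)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_parameterized(username):
    """Control 3: the query shape is fixed at write time; the value travels as a
    bound parameter, so quotes or keywords in it are never interpreted as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed format rule: lowercase letters, digits and underscore, 1..32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username):
    """Control 5: only properly formatted data is processed further."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(username):
    """Controls 5 and 3 together: validate first, then still parameterize.
    Validation shrinks the attack surface; it does not replace parameterization."""
    if not is_valid_username(username):
        raise ValueError("username is not properly formatted")
    return lookup_parameterized(username)
```

Run the two lookups with a name such as `o'brien` to see the unsafe version fail to parse while the parameterized one simply returns no rows.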