
List of key requirements for OWASP TOP 10:2021

A01:2021-Broken Access Control

  • Enforce authorization and implement appropriate access constraints.

  • Make sure users can only access resources and carry out approved actions.

  • Apply access control rules consistently throughout the application.

A02:2021-Cryptographic Failures

  • Protect sensitive data with strong, standard cryptographic algorithms and robust encryption.

  • Use secure key management procedures.

  • Defend against known vulnerabilities and cryptographic flaws.

A03:2021-Injection

  • To stop injection threats (such as SQL injection and OS command injection), implement input validation and output encoding.

  • For database queries, use prepared statements or parameterized queries.

  • Avoid building dynamic commands or queries from user input.
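As an added example (not part of the original page and not a Sonar rule), the dynamic-query pattern the list says to avoid beside the parameterized form it recommends, using Python's standard sqlite3 module on a constructed in-memory table:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (example data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def find_roles_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Dynamic query built from user input: the input becomes SQL text.

    This is the A03 pattern to avoid; a quote inside `name` is parsed as
    SQL syntax rather than as part of the value.
    """
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_roles_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds `name` as data, so its content
    can never change the structure of the statement."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(conn: sqlite3.Connection, name: str) -> tuple:
    """Run both variants on the same input; a statement that fails to parse
    in the unsafe variant is reported as the string "ERROR"."""
    try:
        unsafe = find_roles_unsafe(conn, name)
    except sqlite3.Error:
        unsafe = "ERROR"
    return unsafe, find_roles_safe(conn, name)


if __name__ == "__main__":
    db = build_db()
    for user_input in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(user_input), "->", compare(db, user_input))
```

The legitimate name O'Brien breaks the unsafe query outright, while the parameterized form returns the right row and treats any quoting in the input as plain data.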

A04:2021-Insecure Design

  • Consider security from the application's design phase onward.

  • To find potential security issues early in the development process, use threat modeling.

  • Implement appropriate access controls and security architecture.

A05:2021-Security Misconfiguration

  • Implement secure default settings.

  • Review and update configurations frequently to reduce security flaws.

  • Keep sensitive information from being exposed in error messages or through improperly configured permissions.

A06:2021-Vulnerable and Outdated Components

  • Keep all components (libraries, frameworks, and dependencies) up to date.

  • To find known weaknesses in components, use a dependency checker (like OWASP Dependency-Check).

  • Remove or replace components with known vulnerabilities.

A07:2021-Identification and Authentication Failures 

  • Set up reliable user identification and authentication systems.

  • Use multi-factor authentication (MFA) where appropriate.

  • Avoid common flaws that allow authentication bypass.

A08:2021-Software and Data Integrity Failures 

  • Implement secure data transmission (like HTTPS) to ensure data integrity.

  • Ensure that data is not altered while it is in transit or at rest and take precautions against data manipulation.

  • Use cryptographic hashes to verify the integrity of your data.

A09:2021-Security Logging and Monitoring Failures

  • Implement effective logging of security events and incidents.

  • Proactively set up monitoring and alerting for atypical or suspicious activity.

  • Store logs in a secure location and review them regularly for signs of security problems.

A10:2021-Server-Side Request Forgery

  • Validate and sanitize user input to reject harmful input.

  • Do not allow user-supplied URLs to trigger direct requests to internal resources.

  • Use allowlists to restrict which external resources may be accessed.
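As an added example (not part of the original page and not a Sonar rule), a defensive check for the A10 points above: a user-supplied URL is accepted only if its scheme, host and port are on an allowlist, and the host is then resolved and rejected if it points at an internal range. ALLOWED_HOSTS and the `resolver` parameter are assumptions for this example; a real project would supply its own allowlist and normally leave the default DNS resolver in place.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist for this example; a real project loads its own.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def is_internal_address(ip: str) -> bool:
    """True for loopback, private, link-local and other non-public ranges."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def check_outbound_url(url: str, resolver=socket.gethostbyname) -> str:
    """Return "ok" if the application may fetch `url`, else the reason it is refused.

    `resolver` maps a hostname to an IP string; it is injectable so the check
    can be exercised without live DNS.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if parsed.username is not None or parsed.password is not None:
        return "credentials in URL not allowed"  # userinfo can disguise the real host
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return "host not in allowlist"  # also rejects raw IPs and lookalike names
    try:
        port = parsed.port
    except ValueError:
        return "malformed port"
    if port not in ALLOWED_PORTS:
        return "port not allowed"
    # An allowlisted name can still resolve to an internal address (DNS
    # misconfiguration or rebinding), so check the resolved IP as well.
    try:
        ip = resolver(host)
    except OSError:
        return "hostname does not resolve"
    if is_internal_address(ip):
        return "resolves to internal address"
    return "ok"
```

Because the name is resolved again when the HTTP client connects, a stricter deployment pins the checked IP for the actual request rather than relying on this pre-check alone.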


List of Python sonar security rules categorized by OWASP TOP 10:2021

A01:2021-Broken Access Control

A02:2021-Cryptographic Failures

A03:2021-Injection

A04:2021-Insecure Design

A05:2021-Security Misconfiguration

A06:2021-Vulnerable and Outdated Components

Sonar does not have the ability to detect this category. OWASP provides a tool for checking dependencies:

https://owasp.org/www-project-dependency-check/

  • Vulnerability:

  • Security Hotspot:

A07:2021-Identification and Authentication Failures 

A08:2021-Software and Data Integrity Failures 

A09:2021-Security Logging and Monitoring Failures

A10:2021-Server-Side Request Forgery


List of JavaScript sonar security rules categorized by OWASP TOP 10:2021

A01:2021-Broken Access Control

A02:2021-Cryptographic Failures

A03:2021-Injection

A04:2021-Insecure Design

A05:2021-Security Misconfiguration

A06:2021-Vulnerable and Outdated Components

Sonar does not have the ability to detect this category. OWASP provides a tool for checking dependencies:

https://owasp.org/www-project-dependency-check/

  • Vulnerability:

  • Security Hotspot:

A07:2021-Identification and Authentication Failures 

A08:2021-Software and Data Integrity Failures 

A09:2021-Security Logging and Monitoring Failures

A10:2021-Server-Side Request Forgery


List of Docker sonar security rules categorized by OWASP TOP 10:2021

A01:2021-Broken Access Control

  • Vulnerability:

  • Security Hotspot:

A02:2021-Cryptographic Failures

A03:2021-Injection

  • Vulnerability:

  • Security Hotspot:

A04:2021-Insecure Design

  • Vulnerability:

  • Security Hotspot:

A05:2021-Security Misconfiguration

A06:2021-Vulnerable and Outdated Components

Sonar does not have the ability to detect this category. OWASP provides a tool for checking dependencies:

https://owasp.org/www-project-dependency-check/

  • Vulnerability:

  • Security Hotspot:

A07:2021-Identification and Authentication Failures 

A08:2021-Software and Data Integrity Failures 

  • Vulnerability:

  • Security Hotspot:

A09:2021-Security Logging and Monitoring Failures

  • Vulnerability:

  • Security Hotspot:

A10:2021-Server-Side Request Forgery

  • Vulnerability:

  • Security Hotspot:


Note: Understanding the Limitations of Sonar in OWASP Security Analysis

Sonar is generally effective at detecting many OWASP-related security issues. However, it has limitations, and there are aspects it may not detect or address effectively:

  1. False Positives: Like many automated code analysis tools, Sonar can sometimes produce false positives, flagging code as vulnerable when it is not. This can lead to noise in the results and require manual validation.

  2. Contextual Understanding: Sonar relies primarily on static analysis, so it may not fully understand the context in which the code operates. This can cause it to miss some complex vulnerabilities or produce false negatives.

  3. Business Logic Flaws: Sonar is primarily focused on identifying common security vulnerabilities rather than business logic flaws, which may require manual testing or specialized tools.

  4. Zero-Day Vulnerabilities: Sonar's rules and plugins are based on known vulnerabilities and attack patterns. It may not detect brand new or zero-day vulnerabilities until they are documented and added to its rule sets.

  5. Non-Code Security Issues: Sonar primarily focuses on code-level vulnerabilities. It may not detect other security issues related to server configuration, network architecture, or deployment environments.

To ensure that the project is thoroughly secure, it's recommended to consider the following:

  • OWASP Application Security Verification Standard (ASVS): To achieve a comprehensive level of security, the project should aim to pass the official OWASP ASVS. This standard provides a detailed checklist of security controls and verification requirements. https://owasp.org/www-project-application-security-verification-standard/

  • OWASP Web Security Testing Guide: Refer to the OWASP Web Security Testing Guide for guidance on performing security testing and assessments beyond what automated tools like Sonar can offer. It provides insights into various testing techniques and methodologies. https://owasp.org/www-project-web-security-testing-guide/

  • Vulnerable and Outdated Components (A06:2021-Vulnerable and Outdated Components): Note that Sonar may not effectively detect this category of vulnerabilities. To address it, consider using the OWASP Dependency-Check tool, available on the OWASP website. This tool helps identify and manage vulnerable components and libraries in your project's dependencies. https://owasp.org/www-project-dependency-check/

By combining the capabilities of Sonar with these additional measures and tools, you can enhance the security of the project and minimize the risk of OWASP-related vulnerabilities going undetected.