OWASP Requiremnets

1 Introduction
2 List of key requirements for OWASP TOP 10:2021
3 List of Python sonar security rules categorized by OWASP TOP 10:2021
4 List of JavaScript sonar security rules categorized by OWASP TOP 10:2021
5 List of Docker sonar security rules categorized by OWASP TOP 10:2021
6 Note: Understanding the Limitations of Sonar in OWASP Security Analysis

Introduction

This document provides a focused analysis of the OWASP TOP 10:2021 guidelines, specifically mapped to the technologies used in our project. It provides:

Insights into Python code vulnerabilities and rules used for checking compliance with OWASP Standards, especially those related to server-side request forgeries.
Guidelines for Docker configurations, emphasizing the importance of SSL/TLS certificate verifications and their implications across multiple OWASP categories.
A detailed look into JavaScript security checks and potential threats, centered around server-side request vulnerabilities.

While there are comprehensive OWASP summaries available, this document stands out by aligning those guidelines directly with our project's technological stack. It serves as a practical guide for developers aiming to bolster their code's security based on our specific tech environment.

All checks are integrated into the CI/CD pipeline and are using SonarCloud Security Rules to find vulnerabilities.

List of potential vulnerabilities was prepared on 11th October 2023.

List of key requirements for OWASP TOP 10:2021

A01:2021-Broken Access Control

Enforce authorization and implement appropriate access constraints.
Make sure users can only access resources and carry out approved actions.
Apply security regulations uniformly throughout the application.

A02:2021-Cryptographic Failures

To protect sensitive data, use cryptographic algorithms and robust encryption.
Make sure to use safe key management procedures.
Defend against known vulnerabilities and cryptographic flaws.

A03:2021-Injection

To stop injection threats (such as SQL injection and OS command injection), implement input validation and output encoding.
For database queries, use prepared statements or parameterized queries.
Avoid dynamic commands or searches built from user input.

A04:2021-Insecure Design

Beginning with the application's design, consider security.
To find potential security issues early in the development process, use threat modeling.
Implement appropriate access controls and security architecture.

A05:2021-Security Misconfiguration

Implement secure default settings.
Review and update configurations frequently to reduce security flaws.
Keep sensitive information from being displayed in error messages or by improperly configured permissions.

A06:2021-Vulnerable and Outdated Components

Update all of the components (libraries, frameworks, and dependencies).
To find known weaknesses in components, use a dependency checker (like OWASP Dependency-Check).
Components having known vulnerabilities should be removed or changed.

A07:2021-Identification and Authentication Failures

Set up reliable user identification and authentication systems.
When necessary, employ multi-factor authentication (MFA).
Avoid typical flaws that allow for authentication bypass.

A08:2021-Software and Data Integrity Failures

Implement secure data transmission (like HTTPS) to ensure data integrity.
Ensure that data is not altered while it is in transit or at rest and take precautions against data manipulation.
Use cryptographic hashes to check the accuracy of your data.

A09:2021-Security Logging and Monitoring Failures

Implement efficient security incident and event logging.
Make proactive arrangements for monitoring and alerting for atypical or suspicious activity.
Keep logs in a secure location and check them frequently for security flaws.

A10:2021-Server-Side Request Forgery

To stop harmful input, validate and sanitize user input.
Avoid enabling direct requests from user-supplied URLs to internal resources.
Use allowlists or particular whitelists to manage accessible external resources.