Santos Jiménez edited this page Oct 25, 2019 · 5 revisions

Application Security Quick Solution Guide

Introduction

Mission

The purpose of this guide is to offer quick solutions for common application security issues in all applications based on the devonfw platform. It is often the case that our systems need to comply with certain sets of security requirements and standards. Each of these requirements needs to be understood, addressed and converted into code or project activity. We want this guide to prevent the wheel from being reinvented over and over again and to give clear hints and solutions for common security problems.

Is this guide for me?

All presented examples are based on the devonfw Java and JavaScript platform. Projects using this platform can benefit and accelerate their activity by using this guide the most. Projects not using the devonfw platform, but relying on the Spring framework, can still find plenty of working examples. Projects not using the Spring framework or Java language might still find it interesting to see what security requirements and standards are about.

NOTE

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

We use the expression "secure by design" to indicate that the solution to the requirement is covered by the devonfw platform or the language itself. It does not mean (unless stated otherwise) that the platform or language guarantees the requirement is always satisfied: a developer can still fight the framework or bypass the language features. "Secure by design" means that the natural solution offered by the environment mitigates the security threat.

Content

The entry point to this guide is based on the OWASP Application Security Verification Standard and the OWASP Top 10 list, as the compliance with these is a common project requirement we face today.

Please note that although we do support the OWASP Top 10, we do not consider it the right tool for application security assurance. To name only one reason: no list limited to n items can serve as the basis for a comprehensive security assurance plan. If in doubt, please refer to the OWASP ASVS standard instead.
