Implement OWASP Secure Coding to harden the web application security

Task checklist:

Input Validation

• Conduct all input validation on a trusted system (server side not client side)
• Identify all data sources and classify them into trusted and untrusted
• Validate all data from untrusted sources (databases, file streams, etc)
• Use a centralized input validation routine for the whole application
• Specify character sets, such as UTF-8, for all input sources (canonicalization)
• Encode input to a common character set before validating
• Validate all client provided data before processing

Output Encoding

• Conduct all output encoding on a trusted system (server side not client side)
• Utilize a standard, tested routine for each type of outbound encoding
• Specify character sets, such as UTF-8, for all outputs
• Contextually output encode all data returned to the client from untrusted sources

General Coding Practices

• Use tested and approved managed code rather than creating new unmanaged code for common tasks
• Utilize task specific built-in APIs to conduct operating system tasks. Do not allow the application to issue commands directly to the Operating System
• Use checksums or hashes to verify the integrity of interpreted code, libraries, executables, and configuration files
• Avoid calculation errors by understanding your programming language's underlying representation

Data Protection

• Implement least privilege, restrict users to only the functionality, data and system information that is required to perform their tasks
• Encrypt highly sensitive stored information, such as authentication verification data, even if on the server side[4]
• Do not store passwords, connection strings or other sensitive information in clear text or in any non-cryptographically secure manner on the client side

Communication Security

• Implement encryption for the transmission of all sensitive information. This should include TLS for protecting the connection and may be supplemented by discrete encryption of sensitive files or non-HTTP based connections
• Utilize TLS connections for all content requiring authenticated access and for all other sensitive information

Documentation request for backend code

Objective: Create simple documentation for easier collaboration

• Provide description of the overall control flow and functions
• Functions that interacts with the outside should be prioritized

Example:

1. functionA(type arg1,type arg2, ...) outputs (type output)

• description: this function is used for xyz

Need a "presentable" front end to show
Prerequisite: issue #1

Task checklist:

• Finish the check list (lol)

OWASP ASVS Compliance

Update the web application to comply with OWASP ASVS

Task checklist

OWASP ASVS Compliance Checklist

1. Architecture, Design and Threat Modeling Requirements

• 1.1 Verify the use of an up-to-date threat model for all high-risk features.
• 1.2 Verify all security controls are identified and have a clear separation of duties.
• 1.3 Verify that all sensitive data is identified and classified into protection levels.

2. Authentication Verification Requirements

• 2.1 Verify that all authentication controls are enforced on a trusted system.
• 2.2 Verify that all authentication controls are enforced on the server side.
• 2.3 Verify that user IDs are unique and not reusable.
• 2.4 Verify that strong passwords are enforced.

3. Session Management Verification Requirements

• 3.1 Verify that session tokens are unique and generated using a cryptographically secure random number generator.
• 3.2 Verify that session tokens are securely stored and not exposed in URLs.
• 3.3 Verify that session timeouts are enforced for inactivity.

4. Access Control Verification Requirements

• 4.1 Verify that all requests to access sensitive data are authorized.
• 4.2 Verify that users can access only the data they are authorized to access.
• 4.3 Verify that there is no way to escalate privileges or bypass access controls.

5. Validation, Sanitization and Encoding Verification Requirements

• 5.1 Verify that input validation is enforced on all user input.
• 5.2 Verify that output encoding is applied to all user-supplied data.
• 5.3 Verify that all user input is properly sanitized.

6. Stored Cryptography Verification Requirements

• 6.1 Verify that sensitive data is encrypted at rest using strong cryptographic algorithms.
• 6.2 Verify that encryption keys are stored securely.
• 6.3 Verify that cryptographic algorithms are up to date and strong.

7. Error Handling and Logging Verification Requirements

• 7.1 Verify that error messages do not leak sensitive information.
• 7.2 Verify that all security-relevant events are logged.
• 7.3 Verify that logs are protected from unauthorized access and tampering.

8. Data Protection Verification Requirements

• 8.1 Verify that all sensitive data is encrypted in transit.
• 8.2 Verify that data integrity is protected during transmission.
• 8.3 Verify that data is not exposed to unauthorized users.

9. Communications Verification Requirements

• 9.1 Verify that secure protocols are used for all communications.
• 9.2 Verify that certificates are validated properly.
• 9.3 Verify that secure configurations are applied to communication protocols.

10. Malicious Code Verification Requirements

• 10.1 Verify that the application is protected against common injection attacks.
• 10.2 Verify that all third-party libraries are up to date and free from known vulnerabilities.
• 10.3 Verify that the application is scanned regularly for malicious code.

11. Business Logic Verification Requirements

• 11.1 Verify that business logic flows are designed to prevent security breaches.
• 11.2 Verify that critical business operations are protected against abuse.
• 11.3 Verify that anti-automation controls are in place.

12. Files and Resources Verification Requirements

• 12.1 Verify that file uploads are validated and sanitized.
• 12.2 Verify that file download locations are protected.
• 12.3 Verify that files are securely stored.

13. API and Web Services Verification Requirements

• 13.1 Verify that all APIs are authenticated and authorized.
• 13.2 Verify that all API data is validated and sanitized.
• 13.3 Verify that all sensitive API data is encrypted.

14. Configuration Verification Requirements

• 14.1 Verify that security configurations are enforced and not bypassed.
• 14.2 Verify that default configurations are changed to secure settings.
• 14.3 Verify that configuration files are protected from unauthorized access.

15. Mobile Verification Requirements

• 15.1 Verify that mobile applications use secure communication channels.
• 15.2 Verify that mobile applications securely store sensitive data.
• 15.3 Verify that mobile applications are free from known security vulnerabilities.

16. Compliance Verification Requirements

• 16.1 Verify that the application complies with relevant security standards and regulations.
• 16.2 Verify that regular security audits are conducted.
• 16.3 Verify that compliance documentation is up to date.

Additional Steps

• Perform a gap analysis to identify missing controls.
• Implement missing controls and remediate identified issues.
• Conduct regular security training for development and operations teams.
• Establish a process for continuous monitoring and improvement of security controls.