Software security plays an increasingly important role. Legislators are increasingly obliging institutions to implement state-of-the-art software security. The OWASP Top 10 is a list of the ten most critical security risk categories that web applications face. It is a guide for implementing and maximizing software security.
This task consists of an analytical part in which a standard installation of Production is to be checked (to the best of our knowledge and belief) for possible instances of the weaknesses (CWEs) grouped under the ten risk categories. Other developers should be given the chance to contribute their knowledge here.
In a second part, measures should be put in place to remedy these violations or to avoid them as best as possible. The measures are to be taken in three areas:
programming,
modification of the example configuration, that is supplied with releases, and
documentation of necessary procedures during installation.
Examples:
Programming: A hard-coded encryption algorithm that is known to be insecure is swapped out for an algorithm that is currently considered secure.
Configuration: Removal of default passwords from the example configuration.
Documentation: Explain how to set up an encrypted connection to the database during installation.
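To make the "programming" measure concrete, here is an added example written for this issue (not code from the project's own code base): the vulnerable shape beside the hardened one. The "before" is single DES in ECB mode with a hard-coded key, which leaks repeated plaintext blocks and offers no integrity protection; the "after" is AES-256-GCM with a caller-supplied key and a fresh random nonce per message, so tampering is detected. The key name legacyKey, the function names and the sample plaintexts are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// "Before": single DES (56-bit key) in ECB mode with a hard-coded key, no IV
// and no integrity check. Kept only as the vulnerable counterpart; do not reuse.
var legacyKey = []byte("8bytekey") // hypothetical hard-coded key, 8 bytes for DES

func legacyEncrypt(plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(legacyKey)
	if err != nil {
		return nil, err
	}
	// PKCS#7 padding up to a multiple of the 8-byte DES block size.
	pad := block.BlockSize() - len(plaintext)%block.BlockSize()
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	// ECB: every block is encrypted independently, so equal plaintext blocks
	// produce equal ciphertext blocks (the classic ECB leak).
	for i := 0; i < len(padded); i += block.BlockSize() {
		block.Encrypt(out[i:], padded[i:i+block.BlockSize()])
	}
	return out, nil
}

// "After": AES-256-GCM. The key is supplied by the caller (e.g. loaded from the
// installation's secret store), never hard-coded; each message gets a fresh
// random nonce, and the GCM tag authenticates the ciphertext.
const nonceSize = 12

func Encrypt(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func Decrypt(key, data []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < nonceSize+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:nonceSize], data[nonceSize:]
	return aead.Open(nil, nonce, ct, nil) // fails on any modification of ct or tag
}

// EcbLeaksRepetition demonstrates the ECB weakness on a constructed input:
// two identical 8-byte plaintext blocks give two identical ciphertext blocks.
func EcbLeaksRepetition() bool {
	ct, err := legacyEncrypt([]byte("AAAAAAAAAAAAAAAA")) // constructed sample, 2 full blocks
	if err != nil {
		return false
	}
	return bytes.Equal(ct[0:8], ct[8:16])
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, _ := Encrypt(key, []byte("database password")) // constructed sample plaintext
	pt, err := Decrypt(key, ct)
	fmt.Printf("roundtrip ok: %v (%q)\n", err == nil, pt)
	ct[len(ct)-1] ^= 1 // flip one bit of the GCM tag
	_, err = Decrypt(key, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)
	fmt.Println("legacy DES-ECB leaks repeated blocks:", EcbLeaksRepetition())
}
```

When replacing the algorithm in an existing code base, plan the migration as well: data encrypted with the old scheme has to be re-encrypted under the new one, and the old key must be rotated out, since a hard-coded key is compromised as soon as the source is readable.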
This task is intended to be the cornerstone for raising awareness of software security among developers and administrators, and based on this, for thinking about and maintaining software security even more in the future.
Related Issues
4576
4611
4769
4427
4548
4851
5013
Expected Benefits of this Development
For directors and administrators alike, a security incident means sacrificing (often leisure) time and taking on a lot of extra work. They have to handle painful communication, carry out technical measures (such as restoring a backup), may be interviewed by government agencies, may have to testify in court, or, at worst, may be prosecuted. For sales, it is increasingly important to be able to explain how the software strives to meet software security requirements.
More secure software raises the cost of an attack: attackers who remain unsuccessful for too long are more likely to give up, which prevents security incidents more effectively.
Should a security incident nevertheless occur, it helps to be able to demonstrate that the software in use is secure to the best of our knowledge and belief.
Estimated Costs and Complexity
Aiming for software security is a never-ending story, so I suggest setting a time limit on these points: I propose allocating 5 days for each part of the work, so 10 days in total.
First part:
Understand the 10 risks
Examining the application for potentially affected areas
Documenting the problems that have come to light, and any unresolved detailed questions, as GitHub issues
Conducting an open online developer conference, presenting the results so far.
Documenting further issues that come from other developers.
Prioritization of the problems found according to their urgency (may be supported by the community commenting on the issues)
Second part:
Working through the problems found, in order of priority
The aim of this work package is not that everything has to be solved.
Possibly other developers, release management, or documentation management may be involved for some issues.