Jacco Meijer | Mar 15, 2024

OWASP and CISSP

The OWASP resources that the independent information security certification CISSP refers to.

OWASP

The Open Worldwide Application Security Project (OWASP) is an independent organisation that publishes articles on application security. Many of these articles are recommendations and best practices.

CISSP

Certified Information Systems Security Professional (CISSP) is a well known, vendor-independent information security certification.

The CISSP Common Body of Knowledge (CBK) defines security terms and principles and contains many references to OWASP resources.

OWASP Resources

This blog takes a closer look at the OWASP resources referenced in the CBK. They are very useful material for every (web) application developer.

Besides these resources, OWASP offers much more on application security. The cheat sheet series, of which some are listed below, provides security best practices on many topics.

OWASP Top 10

The well known OWASP Top 10 raises security awareness among web developers by listing the most critical security risks to web applications.

https://owasp.org/www-project-top-ten/

Software Composition Analysis

A slide deck authored in 2019 on mitigating the risks of composing software from (open source) components that come from multiple sources.

http://wiki.owasp.org/images/b/bd/Software_Composition_Analysis_OWASP_Stammtisch_-_Stanislav_Sivak.pdf

Abuse Case Cheat Sheet

This sheet defines what an abuse case is and why abuse cases are important. It describes how to build a list of abuse cases and how to track them.

https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html

Input Validation Cheat Sheet

This sheet provides guidance on input validation: checking both the syntax and the semantics of untrusted input, preferably against an allowlist of what is acceptable rather than a denylist of what is known to be bad.

https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
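As an added example (not code from the cheat sheet or from this blog's own projects), the validator below applies the cheat sheet's approach to three constructed fields: canonicalize first (Unicode NFKC normalization, length bound, no control characters), then a syntactic allowlist check, then a semantic check where the field has one. The field names, patterns and limits are illustrative assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import Any, Optional

# Allowlist patterns: describe exactly what is accepted instead of trying to
# enumerate what is dangerous. Field names and limits are illustrative assumptions.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
QUANTITY_RE = re.compile(r"^[0-9]{1,6}$")
# Deliberately simple; proving an address is deliverable needs a confirmation mail.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}\.[a-z]{2,}$", re.IGNORECASE)


@dataclass
class ValidationResult:
    ok: bool
    value: Any = None
    error: str = ""


def canonicalize(raw: Any, max_len: int) -> Optional[str]:
    """Normalize and bound the input before any pattern is applied.

    NFKC folds full-width and other compatibility characters into their
    canonical form so the allowlist sees one spelling. Length is checked
    after normalization because normalization can change it. Control
    characters (NUL, newlines, zero-width characters, ...) are rejected.
    """
    if not isinstance(raw, str):
        return None
    text = unicodedata.normalize("NFKC", raw)
    if not text or len(text) > max_len:
        return None
    if any(unicodedata.category(ch).startswith("C") for ch in text):
        return None
    return text


def validate_username(raw: Any) -> ValidationResult:
    text = canonicalize(raw, 32)
    if text is None:
        return ValidationResult(False, error="username: missing, too long or contains control characters")
    text = text.lower()
    if not USERNAME_RE.fullmatch(text):
        return ValidationResult(False, error="username: only a-z, 0-9 and _ (3 to 32 characters)")
    return ValidationResult(True, text)


def validate_email(raw: Any) -> ValidationResult:
    text = canonicalize(raw, 254)
    if text is None or not EMAIL_RE.fullmatch(text):
        return ValidationResult(False, error="email: not a valid address")
    return ValidationResult(True, text)


def validate_quantity(raw: Any) -> ValidationResult:
    """Syntactic check (ASCII digits only) followed by a semantic check (business range).

    str.isdigit() would also accept e.g. Arabic-Indic digits and int() would
    happily convert them; the explicit allowlist keeps the accepted alphabet small.
    """
    text = canonicalize(raw, 6)
    if text is None or not QUANTITY_RE.fullmatch(text):
        return ValidationResult(False, error="quantity: ASCII digits only")
    qty = int(text)
    if not 1 <= qty <= 1000:
        return ValidationResult(False, error="quantity: must be between 1 and 1000")
    return ValidationResult(True, qty)


if __name__ == "__main__":
    # Constructed samples: full-width letters, an injection attempt, a NUL byte, too long.
    for sample in ["jacco", "ｊａｃｃｏ", "alice; DROP TABLE users", "bob\x00", "a" * 40]:
        print(repr(sample), validate_username(sample))
    for sample in ["42", "00042", "٤٢", "1001", "-1"]:
        print(repr(sample), validate_quantity(sample))
```

The order matters: normalizing after the pattern check would let a full-width or decomposed spelling slip past the allowlist and only turn into the canonical form later, inside the application.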

REST Security Cheat Sheet

A list of best practices on how to use REST in a secure way.

https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html

Session Management Cheat Sheet

This sheet describes how to keep sessions secure by covering these topics:

  • The session life cycle
  • Client side defenses
  • Session attack detection
  • Secure session management implementation
  • Security features of cookies
  • Securing HTML5 web storage
  • Securing Web Workers

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
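As an added example (not code from the cheat sheet or from this blog), the store below implements the core of the cheat sheet's advice in plain Python: unguessable server-side session IDs from the OS CSPRNG, an idle and an absolute timeout, ID rotation on login against session fixation, and a Set-Cookie value with the cookie attributes the sheet recommends. The timeout values, the `__Host-session` cookie name and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Illustrative assumptions; pick values that match the application's risk profile.
IDLE_TIMEOUT = 15 * 60       # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600  # hard upper bound, regardless of activity


@dataclass
class Session:
    user: Optional[str]      # None until the user has authenticated
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session store keyed by an unguessable session ID.

    The ID carries no meaning; all state lives on the server, so the client
    cannot tamper with it. The clock is injectable so expiry can be tested.
    """

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes from the OS CSPRNG, far above the 64 bits of
        # entropy the cheat sheet asks for; URL-safe so it fits in a cookie.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        sid = self._new_id()
        t = self._now()
        self._sessions[sid] = Session(user=None, created=t, last_seen=t)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the live session for this ID, or None (and forget it) once expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s.last_seen = t
        return s

    def login(self, sid: str, user: str) -> str:
        """Bind the user to the session and rotate the ID.

        Any ID an attacker planted in the victim's browser before
        authentication (session fixation) is worthless after this call.
        """
        old = self.get(sid)
        data = old.data if old is not None else {}
        self.destroy(sid)
        new_sid = self._new_id()
        t = self._now()
        self._sessions[new_sid] = Session(user=user, created=t, last_seen=t, data=data)
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: drop the server-side state so the ID cannot be replayed."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Set-Cookie header value for the session ID.

    __Host- prefix: the browser only accepts it with Secure, Path=/ and no Domain.
    HttpOnly: not readable from script, so an XSS cannot simply read it out.
    SameSite=Strict: not sent on cross-site requests, which blunts CSRF.
    """
    return (f"__Host-session={sid}; Path=/; Secure; HttpOnly; "
            f"SameSite=Strict; Max-Age={max_age}")


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    authenticated = store.login(anonymous, "alice")
    print("rotated:", anonymous != authenticated, "old still valid:", store.get(anonymous) is not None)
    print(session_cookie(authenticated))
```

Note what is deliberately absent: the cookie carries only the random ID, never the user name or a role, and the store decides on expiry, not the client's `Max-Age`.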

SQL Injection Prevention Cheat Sheet

How to prevent SQL injection flaws in your applications: where the flaws occur and how to defend against SQL injection attacks.

https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
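As an added example (not code from the cheat sheet or from this blog), the snippet below puts a deliberately vulnerable login query next to its parameterized fix, against an in-memory SQLite database with two constructed rows, and shows the one case parameters cannot cover: an identifier such as a sort column, which has to go through an allowlist instead. The table, rows and function names are assumptions made for the example.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Deliberately vulnerable: user input is pasted into the SQL text.

    The input can close the quote and add its own conditions or a comment,
    so it changes the structure of the query instead of only its data.
    """
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Fixed: placeholders keep the data out of the query's structure.

    The driver sends the values separately; a quote in the input is just a
    quote inside a string and can never terminate the literal.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_users(conn: sqlite3.Connection, sort_by: str) -> List[str]:
    """Identifiers (table and column names) cannot be bound as parameters.

    Map the caller's choice through an allowlist and only then build the SQL.
    """
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]


if __name__ == "__main__":
    conn = make_db()
    # Classic tautology: the injected OR makes the WHERE clause true for every row.
    print("vulnerable, tautology:", login_vulnerable(conn, "x", "' OR '1'='1"))
    # Comment: everything after -- is ignored, so the password check disappears.
    print("vulnerable, comment:  ", login_vulnerable(conn, "alice'--", "wrong"))
    print("parameterized:        ", login_parameterized(conn, "x", "' OR '1'='1"))
    print("parameterized, valid: ", login_parameterized(conn, "alice", "s3cret"))
    print("sorted by name:       ", list_users(conn, "name"))
```

The fix is a change of mechanism, not of escaping: with placeholders there is no string for the attacker's quote to escape from. Escaping is the cheat sheet's last-resort option for exactly that reason.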

Secure Coding Practices checklists

Written in 2010 and still useful. Technology agnostic, with checklists on general secure coding practices.

https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf

API Security Top 10 2023

The ten most critical security risks of Application Programming Interfaces (APIs) and how to mitigate them.

https://owasp.org/www-project-api-security/

Software Assurance Maturity Model

A measurable way to improve software security. The model is organised in five business functions, each with three security practices that are assessed on three maturity levels:

  • Governance
  • Design
  • Implementation
  • Verification
  • Operations

https://owaspsamm.org
