# Open Web Application Security Project (OWASP)
# Introduction
OWASP is an open community effort that publishes guidance for improving the security of web applications. Its Top 10 project identifies the ten most critical web application security risks, which must be addressed during software development. ABB treats these risks as critical items. The list appears under Top 10 Identified Security Risks (following). For a guided tutorial on managing web application security, register for the OWASP Client Success Team Training module in the ABB MyLearning online tutorial library.
# Top 10 Identified Security Risks
- A1:2017 - Injection
- A2:2017 - Broken Authentication
- A3:2017 - Sensitive Data Exposure
- A4:2017 - XML External Entities (XXE)
- A5:2017 - Broken Access Control
- A6:2017 - Security Misconfiguration
- A7:2017 - Cross-Site Scripting (XSS)
- A8:2017 - Insecure Deserialization
- A9:2017 - Using Components with Known Vulnerabilities
- A10:2017 - Insufficient Logging & Monitoring
All software development engineers in the Digital ABB Engineering organization must understand these risks and build security into the development process rather than addressing it after the fact.
# Requirements
Every software engineer in the Digital ABB Engineering organization must complete two sets of mandatory training every two years.
For a comprehensive explanation of each risk, see the OWASP Top 10 document. After reading it, each engineer must complete the relevant MyLearning course and certify that they have read and understood the material and are competent in applying techniques to safeguard against these vulnerabilities.
The mandatory security training courses, by role, are listed under Course List (following) and in the MyLearning online tutorial library. Upon completion, compliance with the requirements must be demonstrated: log into ABB MyLearning and register for T1204 - OWASP Client Success Team Training.
# Course List
Role | Training Module | Title |
---|---|---|
Development | SDIP150e | Cyber Security - Security Development Lifecycle |
Product Management | SDIP301e | Requirements Engineering Overview |
Product Management | SDIP310e | Writing Strong Functional Requirements |
Product Management | SDIP320e | Writing Strong Non-functional Requirements |
Architect | SDIP450e | Cyber Security - Threat Modeling |
Architect | SDIP501e | Design & Implementation Overview |
Development | SDIP510e | Performing Unit Testing |
Development | SDIP550e | Cyber Security - Writing Secure Code |
Development | SDIP580v | Cyber Security - How to Use Klocwork Insight to Find Security Vulnerabilities |
Development | SDIP581e | Cyber Security - Improper Validation of Array Indices (CWE-129) |
Development | SDIP582e | Cyber Security - Exposure of System Data to an Unauthorized Control Sphere (CWE-497) |
Development | SDIP583e | Cyber Security - Improper Null Termination (CWE-170) |
Development | SDIP584e | Cyber Security - Usage of Insecure Temporary Files (CWE-377) |
Development | SDIP585e | Cyber Security - Improper Release of Memory Before Removing Last Reference (CWE-401) |
Development | SDIP586e | Cyber Security - Double Freeing of Allocated Memory (CWE-415) |
Development | SDIP587e | Cyber Security - Use of Uninitialized Variable (CWE-457) |
Development | SDIP588e | Cyber Security - NULL Pointer Dereference (CWE-476) |
Development | SDIP589e | Cyber Security - Neutralization of Special Elements Used in a Command (CWE-77) |
Development | SDIP610e | Performing Reviews and Inspections |
Development | SDIP620e | Static Analysis of Code |
Common | SDIP650v | Cyber Security - Catch the Security Breach Before It's Out of Reach |
Common | V864 | Information Security Awareness Training for End Users V864 – Basic Module |
Common | V865 | Information Security Awareness Training for End Users V865 – Phishing Module |
Common | V866 | Information Security Awareness Training for End Users V866 – Cyber Security Module |
Common | V867 | Information Security Awareness Training for End Users V867 – IS Workplace Security Module |
Common | V2836 | Information Security Awareness Training for End Users V2836 – Social Engineering Module |
Testing | SDIP601e | Verification & Validation Overview |
Testing | SDIP602e | Testing Introduction |
Testing | SDIP603wb | Testing Fundamentals |
Testing | SDIP604wb | Test Design Techniques |
General | GDPR | Global Data Protection |
# Verification
Static code analysis tools are run as part of the CI/CD pipeline for every major platform release to check that the OWASP criteria are met. Findings must be triaged and resolved before release. Note that static analysis does not reliably detect every Top 10 risk (for example, Security Misconfiguration and Insufficient Logging & Monitoring), so those areas still require design and code review.
# Results
Engineers should be competent in identifying potential risks and initiating appropriate actions to remediate them. Any identified risk that is not remediated must be reported to the Development Manager.