The SWAP checklist groups its suggested best practices into the following areas: authentication, session management, access control, input and output handling, data protection, error handling and logging, configuration and operations. These are hopefully familiar; here are some similar categories elsewhere:
| SWAT Checklist Category (SANS Institute) | AppSec Principle (David Rook) | Cornucopia Suit (OWASP) | Proactive Control (OWASP) |
|---|---|---|---|
| Authentication | Authentication | Authentication | Establish identity and authentication controls |
| Session management | Session management | Session management | |
| Access control | Secure resource access | Authorization | Implement appropriate access controls |
| Input and output handling | Input validation, | Data validation and encoding | Validate all inputs, |
| Data protection | Secure communications, | | Protect data and privacy |
| Error handling and logging | Error handling | Cornucopia | Implement logging, error handling and intrusion detection |
| Configuration and operations | - | Cornucopia | - |
| - | - | (all requirements) | Leverage security features of frameworks and security libraries, Include security-specific requirements, Design and architect security in |
So there is good overlap, although each of these has a somewhat different intent. The SWAT best practices are cross-referenced to the Common Weakness Enumeration (CWE) list of software weaknesses where applicable.
The What Works in Application Security part provides suggestions for application security programmes in four areas — govern, design, test and fix — showing how security needs to be built into multiple aspects of the software development lifecycle (SDLC).
The file can be downloaded without registration.
Posted on: 02 December 2014 at 06:16 hrs