
03) Does your organisation develop applications and systems using security best practice (for example, by following the OWASP secure coding practices)?

August 31, 2022. Tags: Software Development, Security Best Practice, OWASP

Answer yes if your organisation's developers are instructed to build applications and systems using defined security best practice (for example, as defined by OWASP, the Open Web Application Security Project). Please state in the notes the best practice guidance followed and whether your developers receive any additional security training.

What is it?

As part of promoting more secure software development practices, certain best practices have been established. The best known of these are likely those published by the Open Web Application Security Project (OWASP).

While focused on web applications, the best practices provided by OWASP are largely universal and apply to many types of application. As such, they are an excellent starting point for the development practices to implement in your Software Development Life Cycle (SDLC).

Why should I have it?

As mentioned previously, an SDLC with security considerations built in results in higher quality code with fewer defects, and therefore greater stability and fewer vulnerabilities.

This helps reduce risk and increase assurance around the use of your software. OWASP is not only an excellent starting point for introducing security concepts to developers and into your software development process; it is also the best-known set of best practices, and is therefore often requested specifically by clients when performing due diligence on suppliers.

How to implement the control:

OWASP is widely known throughout the security industry. The best practices are published on the OWASP website and reproduced in numerous other sources. Ensure they are integrated into your secure SDLC policies and processes.

While it is very likely that they already do, ensure that your developer training platform or programme, as well as your code testing platform(s), cover the full set of OWASP best practices.

There are numerous consultancies and individual consultants who can assist in crafting a policy and implementing an SDLC that includes security best practice in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
