Submitted URL: https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=OWASP_Proactive_Controls_2016
Effective URL: https://owasp.org/www-project-proactive-controls/
Submission: On October 24 via api from GB — Scanned from GB

OWASP PROACTIVE CONTROLS


WHAT IS THIS?

The OWASP Top Ten Proactive Controls describes the most important controls and
control categories that every architect and developer should absolutely, 100%
include in every project.


OWASP TOP 10 PROACTIVE CONTROLS 2018

Software developers are the foundation of any application. To achieve secure
software, developers must be supported and helped by the organization they
write code for. As software developers write the code that makes up a web
application, they need to embrace and practice a wide variety of secure coding
techniques. All tiers of a web application (the user interface, the business
logic, the controller, the database code and more) need to be developed with
security in mind. This can be a very difficult task, and developers are often
set up for failure. Most developers did not learn about secure coding or
cryptography in school. The languages and frameworks that developers use to
build web applications often lack critical core controls or are insecure by
default in some way. It is also very rare for organizations to provide
developers with prescriptive requirements that guide them down the path of
secure software, and even when they do, there may be security flaws inherent in
the requirements and designs. When it comes to software, developers are often
set up to lose the security game.

The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that
should be included in every software development project. They are ordered by
importance, with control number 1 being the most important. This document was
written by developers for developers, to assist those new to secure
development.

 * C1: Define Security Requirements
 * C2: Leverage Security Frameworks and Libraries
 * C3: Secure Database Access
 * C4: Encode and Escape Data
 * C5: Validate All Inputs
 * C6: Implement Digital Identity
 * C7: Enforce Access Controls
 * C8: Protect Data Everywhere
 * C9: Implement Security Logging and Monitoring
 * C10: Handle All Errors and Exceptions

For more information, see the complete document in the tab to the right.


PRESENTATION

Use the extensive project presentation that expands on the information in the
document.


KEY CONTRIBUTORS

 * Massimiliano Graziani (Italian Translation)
 * Taras Ivashchenko (Russian Translation)
 * Jay Zudilin (Russian Translation)
 * Danny Harris
 * Hiroaki Kuramochi (Japanese Translation)
 * Hiroshi Fujimoto (Japanese Translation)
 * Hidenori Nagai (Japanese Translation)
 * Riotaro OKADA (Japanese Translation)
 * Robert Dracea (Japanese Translation)
 * Koichiro Watanabe (Japanese Translation)
 * Tony Hsu Hsiang Chih (Chinese Translation)
 * Abdessamad Temmar
 * Eyal Estrin (Hebrew Translation)
 * Cyrille Grandval (French Translation)
 * Frédéric Baillon (French Translation)
 * Stephen de Vries
 * Andrew Van Der Stock
 * Gaz Heyes
 * Colin Watson
 * Jason Coleman
 * Cassio Goldschmidt
 * Wallace Soares (Brazilian Portuguese Translation)
 * Chris Romeo
 * Dan Anderson
 * David Cybuck
 * Dave Ferguson
 * Josh Grossman
 * Osama Elnaggar
 * Rick Mitchell


RELATED PROJECTS

 * OWASP Top Ten Project
 * OWASP Mobile Security Project
 * OWASP Cheat Sheet Series

--------------------------------------------------------------------------------


OWASP PROACTIVE CONTROLS 2018

OWASP Proactive Controls 2018 is currently available in the following formats:

 * Top 10 Proactive Controls 2018 PDF download
 * Top 10 Proactive Controls 2018 PPT download
 * Top 10 Proactive Controls 2018 DOCX download

--------------------------------------------------------------------------------


NEWS

 * [July 2019] Featured in the Coursera course from UC Davis: Identifying
   Security Vulnerabilities
 * [23 June 2019] Featured on HackerCombat: Implement OWASP Proactive Controls
   to Work
 * [7 June 2019] Featured on the OWASP DevSlop Show: Proactive Controls
 * [15 May 2019] Featured in TechBeacon: Put OWASP Top 10 Proactive Controls to
   work
 * [2 Mar 2019] Webinar: The OWASP Top Ten Proactive Controls with Jim Manico
 * [Dec 2018] Featured as the resource for Security “Shifting to the Left” in
   the ISC2 course “DevSecOps: Integrating Security into DevOps”
 * [20 Sep 2018] Featured in TechBeacon: OWASP Top 10 Proactive Controls 2018:
   How it makes your code more secure
 * [17 Sep 2018] Binary Blogger Podcast: OWASP Top 10 Proactive Controls
   Podcast Episodes
 * [9 May 2018] Featured in Developer’s security guide: 50 online resources to
   shift left
 * [7 May 2018] 3.0 released!
 * [11 Aug 2017] Presented at Northeast PHP Conference
 * [25 July 2017] Podcast about the OWASP Top 10 Proactive Controls
 * [12 May 2017] Presented at AppSec EU’17 - Belfast
 * [14 Feb 2017] Featured in Managing Cloud Infrastructure to Prevent Security
   Gaps
 * [Feb 2017] Featured in “Application Security Program: Protect Against Data
   Breaches”
 * [1 Oct 2016] Presented at PHPNW16
 * [5 July 2016] Featured in Incorporating Security Best Practices into Agile
   Teams
 * [June 2016] Featured in A Transformative Approach to Secure Systems Delivery
 * [2 June 2016] Featured in DevOpsSec - Securing Software through Continuous
   Delivery
 * [30 Apr 2016] Added Hebrew Translation for 2016 version
 * [28 Apr 2016] Added Chinese Translations for 2016 version
 * [12 Apr 2016] Added Hebrew Translation for 2016 version
 * [29 Feb 2016] Added Japanese Translation
 * [14 Jan 2016] 2.0 released!
 * [5 Dec 2015] Began final edit process for 2.0
 * [29 Mar 2015] Added Hebrew Translation
 * [27 Jan 2015] Added Top Ten Mapping
 * [31 Oct 2014] Project presentation uploaded
 * [10 Mar 2014] Request for review
 * [04 Feb 2014] New Wiki Template!

--------------------------------------------------------------------------------


FORMAL NUMBERING


2018 NUMBERING

 * OWASP-2018-C1: Define Security Requirements
 * OWASP-2018-C2: Leverage Security Frameworks and Libraries
 * OWASP-2018-C3: Secure Database Access
 * OWASP-2018-C4: Encode and Escape Data
 * OWASP-2018-C5: Validate All Inputs
 * OWASP-2018-C6: Implement Digital Identity
 * OWASP-2018-C7: Enforce Access Controls
 * OWASP-2018-C8: Protect Data Everywhere
 * OWASP-2018-C9: Implement Security Logging and Monitoring
 * OWASP-2018-C10: Handle All Errors and Exceptions


2016 NUMBERING

 * OWASP-2016-C1: Verify for Security Early and Often
 * OWASP-2016-C2: Parameterize Queries
 * OWASP-2016-C3: Encode Data
 * OWASP-2016-C4: Validate All Inputs
 * OWASP-2016-C5: Implement Identity and Authentication Controls
 * OWASP-2016-C6: Implement Appropriate Access Controls
 * OWASP-2016-C7: Protect Data
 * OWASP-2016-C8: Implement Logging and Intrusion Detection
 * OWASP-2016-C9: Leverage Security Frameworks and Libraries
 * OWASP-2016-C10: Error and Exception Handling


2014 NUMBERING

 * OWASP-2014-C1: Parameterize Queries
 * OWASP-2014-C2: Encode Data
 * OWASP-2014-C3: Validate All Inputs
 * OWASP-2014-C4: Implement Appropriate Access Controls
 * OWASP-2014-C5: Establish Identity and Authentication Controls
 * OWASP-2014-C6: Protect Data and Privacy
 * OWASP-2014-C7: Implement Logging, Error Handling and Intrusion Detection
 * OWASP-2014-C8: Leverage Security Features of Frameworks and Security
   Libraries
 * OWASP-2014-C9: Include Security-Specific Requirements
 * OWASP-2014-C10: Design and Architect Security In

--------------------------------------------------------------------------------


TRANSLATIONS


2018 VERSION

 * Top 10 Proactive Controls 2018 Italian Translation: PDF Download
 * Top 10 Proactive Controls 2018 Chinese Translation: PDF Download
 * Top 10 Proactive Controls 2018 Russian Translation: PDF Download
 * Top 10 Proactive Controls 2018 Polish Translation: PDF Download
 * Top 10 Proactive Controls 2018 Arabic Translation: PDF Download


2016 VERSION

 * Top 10 Proactive Controls 2016 Traditional Chinese Translation: PDF Download
 * Top 10 Proactive Controls 2016 Simplified Chinese Translation: PDF Download
 * Top 10 Proactive Controls 2016 Japanese Translation: PDF Download
 * Top 10 Proactive Controls 2016 Hebrew Translation: PDF Download


2014 VERSION

 * Hebrew and French translations of the Top 10 Proactive Controls 2014 can be
   found on the 2014 archive tab.

--------------------------------------------------------------------------------


ROADMAP

Welcome to the OWASP Top 10 Proactive Controls Project!


2018 ROADMAP

 * Create new PowerPoint and other artifacts for 2018 version (done)
 * Create wiki for 2018 version (work in progress)


2016 ROADMAP

 * Create new PowerPoint and other artifacts for 2016 version (done)
 * Proactive Control Mapping to Cheatsheet (done)


STATUS

 * January 15, 2016: 2016 Proactive Controls Released!
 * August 6, 2015: Kickoff for 2.0 effort, in progress
 * March 10, 2014: We released an early beta of this document to the OWASP
   leaders list for review and commentary.
 * February 21, 2014: Moved 2014 info to archive tab
 * February 3, 2014: We are currently working towards a beta release of this
   document and have begun working with a designer for the final release PDF.

--------------------------------------------------------------------------------



QUICK ACCESS

 * Top10 Proactive Controls 2018 PDF
 * Top10 Proactive Controls 2018 PPT
 * Top10 Proactive Controls 2018 Doc
 * Mapping to OWASP and IEEE Top 10


TRANSLATIONS

 * Top10 Proactive Controls 2018 Italian
 * Top10 Proactive Controls 2018 Chinese
 * Top10 Proactive Controls 2018 Russian
 * Top10 Proactive Controls 2018 Polish
 * Top10 Proactive Controls 2018 Arabic
 * Top10 Proactive Controls 2018 Brazilian Portuguese


PROJECT INFORMATION

 * Documentation
 * Builder
 * Defender

LATEST NEWS AND EVENTS

 * [Dec 2019] 3.0 Chinese Translation Released!
 * [Aug 2018] 3.0 Polish Translation Released!
 * [May 2018] 3.0 Released!
 * [June 2016] Featured in A Transformative Approach to Secure Systems Delivery
 * [June 2016] Featured in DevOpsSec

Please see the News tab for more.


CODE REPOSITORIES

 * OWASP Top 10 Proactive Controls


LICENSING

Creative Commons ShareAlike 3 License


LEADERS

 * Jim Manico
 * Katy Anton
 * Andreas Happe


OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec
Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the
OWASP Foundation, Inc. Unless otherwise specified, all content on the site is
Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of
service or accuracy. For more information, please refer to our General
Disclaimer. OWASP does not endorse or recommend commercial products or services,
allowing our community to remain vendor neutral with the collective wisdom of
the best minds in software security worldwide. Copyright 2023, OWASP Foundation,
Inc.