Leverage Security Frameworks and Libraries

Secure coding libraries and software frameworks with embedded security help software developers guard against security-related design and implementation flaws.

Refer to proactive control C6: Keep your Components Secure and its cheat sheets for more context from the OWASP Top 10 Proactive Controls project.

For technology-specific checklists, refer to the appropriate OWASP Cheat Sheets and use them as the starting point for a checklist that is tailored to the technology used by the project.

In addition, consider the following extra checks for frameworks and libraries.

1. Security frameworks and libraries (SFL)

  1. Ensure servers, frameworks and system components are running the latest approved versions and patches
  2. Use libraries and frameworks from trusted sources that are actively maintained and widely used
  3. Review all secondary applications and third party libraries to determine business necessity
  4. Validate safe functionality for all secondary applications and third party libraries
  5. Create and maintain an inventory catalog of all third party libraries. It is recommended to automatically create SBOMs (Software Bills of Materials) from within the build pipeline.
  6. Proactively keep all third party libraries and components up to date
  7. Reduce the attack surface by encapsulating the library and exposing only the required behavior to your software
  8. Use tested and approved managed code rather than creating new unmanaged code for common tasks
  9. Utilize task specific built-in APIs to conduct operating system tasks
  10. Use checksums or hashes to verify the integrity of interpreted code, libraries, executables, and configuration files
  11. Restrict users from generating new code or altering existing code
  12. Implement safe updates using encrypted channels
  13. Use cryptographic signatures when updating your code and ensure the package manager verifies those signatures
  14. Use your SBOMs together with periodic checks or SCA (Software Composition Analysis) tools to automatically detect well-known, publicly disclosed vulnerabilities.
  15. Integrate SCA tools in the early stages of software development
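The following is an added example, not code from the OWASP Developer Guide, showing how checklist items 5, 10 and 14 fit together in practice: an inventory of third-party components is recorded in a CycloneDX-style SBOM with the SHA-256 of each approved artifact, the installed files are later re-hashed against that inventory to detect unexpected modification, and the same inventory is matched against an advisory feed the way an SCA tool would. Everything here is constructed for the example: the component files are written to a temporary directory, the advisory feed is a hard-coded list with placeholder ids, and the SBOM is a minimal hand-built document rather than the output of a real SBOM generator.

```python
"""Added example (not part of the OWASP Developer Guide): a minimal
inventory-and-verification routine covering checklist items 5, 10 and 14.

Assumptions (constructed for this example): the SBOM is a small
CycloneDX-style JSON document built by hand, the advisory feed is a
hard-coded list with placeholder ids, and the "installed" component files
are written to a temporary directory so the example runs offline.
"""
import hashlib
import json
import os
import tempfile

# --- Constructed inputs -----------------------------------------------------

# Third-party components as (version, file content); the hashes recorded in
# the SBOM are computed by build_sbom() from the files it writes.
COMPONENT_SOURCES = {
    "vendored-lib": ("1.4.2", b"def add(a, b):\n    return a + b\n"),
    "other-lib": ("2.0.0", b"def mul(a, b):\n    return a * b\n"),
}

# Constructed advisory feed in the shape an SCA tool would consume:
# (component name, (min_inclusive, max_exclusive) version range, advisory id).
ADVISORIES = [
    ("vendored-lib", ("1.0.0", "1.5.0"), "EXAMPLE-ADVISORY-0001"),  # placeholder id
    ("other-lib", ("1.0.0", "2.0.0"), "EXAMPLE-ADVISORY-0002"),     # placeholder id
]


def sha256_of_file(path):
    """Stream the file through SHA-256 so large artifacts are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sbom(install_dir):
    """Checklist item 5: write the component files and record name, version
    and SHA-256 of each in a CycloneDX-style component list."""
    components = []
    for name, (version, content) in COMPONENT_SOURCES.items():
        path = os.path.join(install_dir, f"{name}.py")
        with open(path, "wb") as f:
            f.write(content)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "hashes": [{"alg": "SHA-256", "content": sha256_of_file(path)}],
            "properties": [{"name": "install-path", "value": path}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


def verify_integrity(sbom):
    """Checklist item 10: re-hash each installed file and compare it with the
    hash recorded in the inventory. Returns the names of components whose
    file is missing or no longer matches."""
    tampered = []
    for comp in sbom["components"]:
        path = next(p["value"] for p in comp["properties"] if p["name"] == "install-path")
        expected = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if not os.path.exists(path) or sha256_of_file(path) != expected:
            tampered.append(comp["name"])
    return tampered


def parse_version(v):
    """Numeric tuple comparison, so "1.10.0" sorts after "1.9.0"."""
    return tuple(int(x) for x in v.split("."))


def find_vulnerable(sbom, advisories=ADVISORIES):
    """Checklist item 14: match inventory entries against the advisory feed.
    Returns (component name, version, advisory id) for every affected entry."""
    hits = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for name, (lo, hi), adv_id in advisories:
            if comp["name"] == name and parse_version(lo) <= ver < parse_version(hi):
                hits.append((comp["name"], comp["version"], adv_id))
    return hits


def run_demo():
    """Build the inventory, verify it, modify one file, and verify again."""
    with tempfile.TemporaryDirectory() as d:
        sbom = build_sbom(d)
        clean = verify_integrity(sbom)       # nothing modified yet
        vulns = find_vulnerable(sbom)        # vendored-lib 1.4.2 falls in [1.0.0, 1.5.0)
        # Simulate an unexpected change to an installed component.
        with open(os.path.join(d, "vendored-lib.py"), "ab") as f:
            f.write(b"# unexpected change\n")
        tampered = verify_integrity(sbom)    # the modified component is reported
        return clean, vulns, tampered


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real pipeline the SBOM would be produced by a generator at build time rather than by hand, the advisory feed would come from a vulnerability database, and the integrity check would run at deploy or start-up time against the hashes the pipeline recorded; the structure of the checks (hash at approval time, re-hash at use time, match name and version against advisories) is what carries over.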

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.