Simpro Knowledge Base

OWASP Developer Security Guide

OWASP Developer Security Guide visual map

Purpose

OWASP gives developers practical, open security guidance. This page turns the most useful OWASP ideas into Simpro developer habits.

OWASP should not be treated as a scary compliance word. It is a library of common mistakes the industry has already paid for. We should not pay for them again.

OWASP Top 10 Developer View

Risk, and what it means for a developer:

  • Broken access control: users can do things they should not be able to do.
  • Cryptographic failures: sensitive data is not protected correctly.
  • Injection: untrusted input becomes a command, query, or code.
  • Insecure design: the architecture allows abuse even if the code works.
  • Security misconfiguration: defaults, headers, permissions, or services are unsafe.
  • Vulnerable/outdated components: dependencies contain known vulnerabilities.
  • Identification/authentication failures: login, sessions, tokens, or password flows are weak.
  • Software/data integrity failures: build, update, plugin, or data integrity can be compromised.
  • Security logging/monitoring failures: attacks happen without useful visibility.
  • SSRF (server-side request forgery): the server can be tricked into calling unintended internal or external resources.

What Developers Should Do

Access Control

  • Enforce authorization on the server, not only in UI.
  • Check tenant/customer boundaries.
  • Test direct API calls.
  • Deny by default.
  • Log important permission failures.

Input And Output

  • Validate input at boundaries.
  • Use parameterized queries.
  • Avoid string-built SQL, commands, LDAP queries, or file paths.
  • Encode output based on context.
  • Use safe framework APIs.
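The Access Control and Input And Output habits above, shown together in one added Python example (not Simpro code; the jobs table, roles, and permission names are constructed for illustration): a deny-by-default permission map, a tenant-boundary check that runs on the server regardless of what the UI shows, logging of permission failures, and a parameterized query for the lookup.

```python
import logging
import sqlite3
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("authz")

# Constructed sample data (hypothetical schema, not Simpro's): two tenants, one job each.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE jobs (id INTEGER, tenant_id INTEGER, title TEXT)")
conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)",
                 [(1, 100, "Fix boiler"), (2, 200, "Rewire office")])

@dataclass(frozen=True)
class User:
    id: int
    tenant_id: int
    roles: frozenset

# Explicit allow-list of which roles may perform which actions.
# Any action missing from this mapping is denied (deny by default).
PERMISSIONS = {"job:read": {"tech", "admin"}, "job:delete": {"admin"}}

def is_allowed(user: User, action: str, job_tenant_id: int) -> bool:
    """Server-side check: the role must grant the action AND the job must
    belong to the caller's tenant. Both failures are logged for investigation."""
    if not (user.roles & PERMISSIONS.get(action, set())):
        log.warning("denied user=%s action=%s reason=role", user.id, action)
        return False
    if job_tenant_id != user.tenant_id:
        log.warning("denied user=%s action=%s reason=tenant", user.id, action)
        return False
    return True

def get_job(user: User, job_id) -> Optional[dict]:
    """Fetch a job for an API caller. job_id is bound as a parameter, never
    concatenated into the SQL, so a value like '1 OR 1=1' matches nothing."""
    row = conn.execute(
        "SELECT id, tenant_id, title FROM jobs WHERE id = ?", (job_id,)
    ).fetchone()
    if row is None:
        return None
    job = {"id": row[0], "tenant_id": row[1], "title": row[2]}
    if not is_allowed(user, "job:read", job["tenant_id"]):
        # Same response as "not found": a job's existence is not leaked across tenants.
        return None
    return job
```

The same check belongs in every API handler that touches a tenant-owned record, which is what "test direct API calls" is meant to catch.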

Authentication And Sessions

  • Use approved identity providers where possible.
  • Use MFA for admin or sensitive access.
  • Avoid rolling custom auth.
  • Protect session cookies.
  • Rotate/revoke tokens where needed.

Configuration

  • Disable debug settings in production.
  • Use secure headers.
  • Restrict CORS.
  • Review cloud/network exposure.
  • Keep environment-specific configuration visible and controlled.

Dependencies

  • Keep dependencies updated.
  • Use lock files.
  • Scan dependencies.
  • Remove unused packages.
  • Review risky transitive dependencies.

Logging

  • Log security-relevant events.
  • Do not log passwords, tokens, secrets, full card numbers, or unnecessary PII.
  • Include correlation IDs.
  • Make logs useful for investigation.

OWASP ASVS

The OWASP Application Security Verification Standard, or ASVS, is useful for defining how much security verification a system needs.

Practical use:

  • Use ASVS as a checklist for important applications.
  • Pick controls based on risk.
  • Convert relevant controls into engineering standards.
  • Use it during design review, not only audit.

OWASP SAMM

OWASP SAMM helps organizations improve software assurance maturity across governance, design, implementation, verification, and operations.

Practical use:

  • Assess current maturity.
  • Pick a few improvements per quarter.
  • Use it to plan capability growth, not to shame teams.

OWASP For APIs And AI

Use OWASP API Security Top 10 for API-heavy systems:

  • Broken object-property-level or function-level authorization.
  • Unrestricted resource consumption.
  • Broken authentication.
  • Server-side request forgery.
  • Unsafe consumption of APIs.

Use OWASP Top 10 for LLM Applications when building AI features:

  • Prompt injection.
  • Sensitive information disclosure.
  • Supply-chain risks.
  • Excessive agency.
  • Insecure output handling.

Team Reference Guide

Guidelines For Teams

  • Use OWASP Top 10 as baseline awareness.
  • Use ASVS for verification of important apps.
  • Use API Top 10 for API design and testing.
  • Use LLM Top 10 for AI-enabled features.
  • Convert OWASP lessons into tests, templates, and review checklists.

Reflection Questions

  • Which OWASP category appears most often in our work?
  • What access-control test should every API include?
  • Which dependency or configuration risk is currently invisible?
  • Which AI feature needs LLM-specific threat modeling?

Further Study

  • OWASP Top 10: https://owasp.org/www-project-top-ten/
  • OWASP ASVS: https://owasp.org/www-project-application-security-verification-standard/
  • OWASP SAMM: https://owasp.org/www-project-samm/
  • OWASP API Security Top 10: https://owasp.org/API-Security/
  • OWASP Top 10 for LLM Applications: https://owasp.org/www-project-top-10-for-large-language-model-applications/
  • OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/