This page is the OWASP product security guide. It has three parts:

1. How products are being attacked?
2. How to secure products?
3. Role of AI/LLM in product security

Application security focuses on code-level vulnerabilities, while product security addresses broader aspects like design flaws and supply chain risks. Rising concerns in privacy and security stem from AI/LLMs, posing threats like data breaches, biased algorithms, and manipulation of personal information. This guide serves as a document offering insights on designing, creating, testing, and procuring secure and privacy-preserving products.

See also this useful recording or the slides from Rob van der Veer’s talk at the OWASP Global appsec event in Dublin on February 15 2023.

Check out the Appsec Podcast episode on this guide (audio, video), or the September 2023 MLSecops Podcast.

If you want the short story, check out the 5-minute product security quick-talk.

Please provide your input through pull requests / submitting issues (see repo) or emailing the project lead, and let’s make this guide better and better.

Many thanks to Scott Bauer, lead product security at Qualcomm, for his great contributions.

How products are being attacked?

SDLC and supply chain vulnerabilities are exploited through various methods.

In the SDLC, attackers leverage weaknesses in development, testing, or deployment phases, injecting malicious code or compromising tools and libraries. Supply chain attacks involve infiltrating trusted vendors or third-party components to distribute malware or tamper with updates, compromising downstream systems.

Techniques like code injection, dependency confusion, or hijacking exploit authentication, authorization, or distribution weaknesses, leading to breaches, data theft, or system compromise.

These highlight the critical need for robust security measures across the software development and distribution lifecycle.

How to secure products?

Part 1: Foundations of Secure Product Design

Threat Modeling

During the early stages of development, identifying threats and vulnerabilities ensures the product is designed with security in mind.

• Identifying assets, threats, and attack vectors:
  • Assets: Determine what needs protection (e.g., sensitive data, APIs).
  • Threats: Identify potential adversaries (e.g., malicious insiders, hackers).
  • Attack Vectors: Understand how assets could be exploited (e.g., SQL injection, XSS).
• Tools and techniques:
  • STRIDE: Focuses on Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
  • PASTA: A risk-centric framework combining business and technical perspectives to identify and prioritize threats.
• Sample integration into SDLC: Include threat modeling in design reviews, ensuring high-priority risks are addressed before development begins.

Secure Architecture Principles

A secure product architecture forms the foundation for protecting the product throughout its lifecycle.

• Defense-in-depth: Layer security controls to mitigate risks from multiple angles (e.g., firewalls, encryption, authentication).
• Principle of least privilege: Ensure users and processes only have access essential for their functions.
• Secure communication and encryption:
  • Use TLS for secure data transmission.
  • Encrypt data at rest using strong algorithms (e.g., AES-256).
  • Store keys securely using key vaults.
• Sample guideline: Implement secure coding practices, such as validating input and sanitizing output, to prevent injection attacks.

Secure Configuration Management

Effective configuration management ensures the product remains secure even as it evolves.

• Hardened defaults: Disable unnecessary features and enforce strong defaults (e.g., password complexity).
• Minimizing configuration drift: Use tools like Ansible or Terraform to maintain consistent environments.
• Patch management:
  • Regularly update software to address vulnerabilities.
  • Monitor CVEs and automate updates where possible.

Part 2: Securing the Development Lifecycle (SDLC)

Security in Requirements

Identifying security considerations during the requirements phase is critical for proactive risk mitigation.

• Sample functional requirement: Allow users to upload profile images.
• Sample security consideration: Validate file types and enforce size limits to prevent malicious uploads.

Secure Development Practices

Implementing secure coding practices reduces vulnerabilities in the final product.

• Writing secure code:
  • Validate inputs, sanitize outputs, and handle errors without exposing sensitive data.
• Secure API design: Use authentication (e.g., OAuth) and enforce role-based access controls.
• Leveraging SAST and SCA: Use tools like OWASP Dependency-Check to identify vulnerabilities in third-party libraries.

Security Testing and Verification

Security testing ensures the product meets its design specifications and resists common attack vectors.

• Automated testing:
  • Use SAST tools like CodeQL for static code analysis.
  • Implement DAST tools (e.g., OWASP ZAP) for dynamic testing.
• Penetration testing: Simulate real-world attacks to identify gaps missed by automated tools.
• Sample CI/CD integration: Automate security tests in the pipeline to catch vulnerabilities early.

Secure Deployment and Operations

Ensuring secure deployment and ongoing operations minimizes risks during production.

• Configuration management: Use Infrastructure as Code (IaC) tools to enforce consistent, secure environments.
• Incident response planning: Create clear procedures for identifying, analyzing, and resolving security incidents.
• Post-deployment vulnerability management: Monitor for zero-day vulnerabilities and release patches promptly.