From OWASP

This project has produced a book that can be downloaded or purchased. Feel free to browse the full catalog of available OWASP books.

---

PROJECT IDENTIFICATION
Project Name	OWASP Application Security Desk Reference (ASDR) Project
Short Project Description	This project is helpful as basic reference material when performing such activities as threat modeling, security architecture review, security testing, code review, and metrics. We intend to encourage understanding and consistency when discussing these basic foundational elements of application security. Security only works if people can make informed decisions about risk. The ASDR provides that basic information to help ensure all stakeholders are involved.
Project key Information	Project Leader Leonardo Cavallari Militelli	Project Contributors (if any)	Mailing List Subscribe here	License Creative Commons Attribution Share Alike 3.0	Project Type Documentation	Sponsors OWASP SoC 08 iBLISS Segurança&Inteligência

Release Status	Main Links	Related Projects
Alpha Quality Please see here for complete information.	OWASP ASDR Workplan Old Honeycomb Roadmap	OWASP Honeycomb Project Common Weakness Enumeration (CWE) Software Assurance Metrics and Tool Evaluation (SAMATE)

---

The OWASP Application Security Desk Reference

Welcome to the OWASP Application Security Desk Reference Project! This project is the comprehensive reference for all OWASP projects and application security in general. All of the materials here are free and open source.

By now you can:

• Use the latest materials on the wiki
• Download a free 600 page PDF
• Purchase a printed book for the cost of printing
• Volunteer to help this project!

Status

We are currently seeking volunteers who will help developing stub/empty articles listed bellow and bring it up to a production level of quality. Join us now to take part in this historic effort, just drop a line to Leonardo Cavallari!

What's In It?

The ASDR is a reference volume that contains basic information about all the foundational topics in application security. The top level categories in the ASDR are listed below. These are implemented as "categories" in the wiki, so that it is easy to group and link related topics.

ASDR Table of Contents

• Section 1: Category:Principle
• Section 2: Category:Threat Agent
• Section 3: Category:Attack
• Section 4: Category:Vulnerability
• Section 5: Category:Control
• Section 6: Category:Technical Impact
• Section 7: Category:Business Impact

Note that any application security risk has a threat agent (attacker) who is using an attack to target a vulnerability (typically a missing or broken control). If successful, this attack will have both a technical impact and a business impact. There may be one or more associated principles as well. Please refer to the OWASP Risk Rating Methodology for more information about how this works.

What's It For?

The ASDR is helpful as basic reference material when performing such activities as threat modeling, security architecture review, security testing, code review, and metrics. We intend to encourage understanding and consistency when discussing these basic foundational elements of application security. Security only works if people can make informed decisions about risk. The ASDR provides that basic information to help ensure all stakeholders are involved.

Why This Approach?

Application security information cannot be organized into a one-dimensional taxonomy that is useful for all purposes, although many have tried. For example, organizing application security by vulnerability helps tool vendors, but makes it very difficult for architects to select controls. We've adopted the folksonomy tagging approach to solving this problem. We simply tag our articles with a number of different categories. You can use these categories to help get different views into the complex, interconnected set of topics that is application security.

How Is It Maintained?

The ASDR is the result of work that started in 2000, across projects like VulnXML, WAS-XML, Top Ten, WebScarab, WebGoat, Testing Project, Guide, and others. Although there is already a wealth of information here, we are just starting on this project. We need volunteers to help us complete articles, categorize articles appropriately, eliminate duplication, and more.

Related Projects

The Common Weakness Enumeration (CWE) project at Mitre is a formal list of software weaknesses created to serve as a common language for describing software security weaknesses in architecture, design, or code; serve as a standard measuring stick for software security tools targeting these weaknesses; and provide a common baseline standard for weakness identification, mitigation, and prevention efforts.

The Software Assurance Metrics and Tool Evaluation (SAMATE) project from NIST "supports the Department of Homeland Security's Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements) is the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods."

Feedback and Participation:

We hope you find the OWASP ASDR Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org or to leo.cavallari@owasp.org. To join the OWASP ASDR Project mailing list or view the archives, please visit the subscription page.

Articles

Listed on the pages below are all the articles that are a part of the ASDR project. It is interesting to browse, but it is just an unstructured alphabetical list. All the articles are tagged with various categories that are a part of this project to help you find the article you're looking for. Note: the portal only lists categories that start with the letters of the first 200 articles. To view other categories, select the "next 200" button.

(previous 200) (next 200)(previous 200) (next 200)