Category:OWASP Guide Project

Guide Table of Contents

Overview
The OWASP Guide to Building Secure Web Applications v2 is now released. Its release was announced at Black Hat in Las Vegas in late July 2005. This new version of the OWASP Guide is a major overhaul of the original document, containing nearly three times as much material. The project is currently steered by Andrew van der Stock.

The original OWASP Guide had become a staple diet for many web security professionals. Since 2002, the initial version was downloaded over 2 million times. Today, the Guide is referenced by many leading government, financial, and corporate standards and is the Gold standard for web application security.

The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications.

Volunteers Needed
Much work remains to be done in these sections:
 * Distributed Computing
 * Deployment

Downloads
You can download the lastest version of Guide here.

Contents
You can find the full Guide Table of Contents to see all the details. Here are some hightlights:


 * An Overview – describing what web applications and web services are.
 * How Much Security Do You Really Need – explaining how to assess the security need and perform risk assessments.
 * Phishing - Peer reviewed technical and process controls to reduce the risk from this most insidious form of fraud.
 * Architecture – Discussion on how Architecture considerations can ensure security where it's needed.
 * Authentication – Describes the different types of authentication possible and the common problems.
 * Authorization – Describes access control concepts.
 * Session Management – Describes the right way to manage sessions and generate session tokens.
 * Error handling, Audit and Logging – Describes how to handle errors appropriately, what to log and how to log user and system events.
 * Data Validation – Describes strategies for dealing with unexpected input and what you need to block.
 * Interpreter Injections - includes all form of injections: SQL, XML, LDAP, ORM, code, user agent (includes XSS) and more.
 * Privacy – Discusses privacy issues that may face your application.
 * Cryptography – How to use cryptography and describes some common mistakes.
 * File system - how to protect your most sensitive of files from being destroyed or made visible.
 * Canonicalization and Unicode issues
 * Deployment, Configuration, and more