OWASP Proactive Controls

= Project About =

= Top Ten Proactive Controls =

Authentication
- Password Storage
- Forgot Password Workflow
- Multi-Factor AuthN

Access Control
- Permission-based access control
- Limits of RBAC

Validation
- Whitelist Validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML Validation (as part of untrusted content from features like TinyMCE)

Encoding
- Output encoding for XSS
- Query Parameterization
- Other encodings for LDAP, XML construction and OS Command injection resistance

Data Protection
- At rest and in transit
- Secure random number generation
- Certificate pinning
- Proper use of AES (CBC/IV Management)

Secure Requirements
- Core requirements for any project (technical)
- Business logic requirements (project specific)

Secure Architecture and Design
- When to use request, session or database for data flow