Projects/OWASP Development Guide/Releases/Guide 2.0/Notes
Welcome to the OWASP Guide 2.0!
- We have re-written the Guide from the ground up, dealing with all forms of web application security issues, from old hoary chestnuts such as SQL injection, through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, and compliance and privacy issues.
- In Guide 2.0, you will find details on securing most forms of web applications and services, with practical guidance using J2EE, ASP.NET, and PHP samples. We now use the highly successful OWASP Top 10 style, but with more depth, and references to take you further.
- Security is not a black and white field; it is many shades of grey. In the past, many organizations wished to buy a simple silver security bullet – “do it this way or follow this check list to the letter, and you’ll be safe.” The black and white mindset is invariably wrong, costly, and ineffective.
- Threat Risk Modeling is the most important mitigation development in web application security in the last three years. We introduce the basics of Microsoft’s Threat Risk Modeling methodology, and provide details of several other competing strategies, including Trike, CVSS, AS4360, and Octave. We strongly urge you to adopt one of them today. If you carefully analyze and select controls via threat risk modeling, you will end up implementing systems that demonstrably reduce business risk, which usually leads to increased security and reduced fraud and loss. These controls are usually cheap, effective, and simple to implement.
- In some countries, risk-based development is not an optional extra, but legally mandated. For our US readers, Sarbanes-Oxley compliance seems deceptively simple: prove that adequate controls are in place for financial systems, and that senior management believes the controls are effective. How does an organization really believe they comply? They audit against an agreed standard, which differs from country to country, but common standards include COBIT, ISO 17799, and so on. The Guide provides keys into COBIT to help fast track your SOX compliance regime and provide a baseline for your vendors and penetration testers. Future editions of the Guide will extend this to ISO 17799.
- As with any long-lived project, there is a need to keep the material fresh and relevant. Therefore, some older material has been migrated to OWASP’s portal or outright replaced with updated advice.
- On a personal note, I wish to extend my thanks to the many authors, reviewers, and editors for their hard work in bringing this guide to where it is today. We stand on the shoulders of giants, and this Guide is no exception.
- If you have any comments or suggestions on the Guide, please e-mail the Guide mail list (see our web site for details) or contact me directly.
- Andrew van der Stock, firstname.lastname@example.org
- Melbourne, Australia
- July 26, 2005