Difference between revisions of "Category:Security Focus Area"

From OWASP
 
(The current list of SFAs)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Security Focus Areas
+
==What is a Security Focus Area (SFA)?==
  
==What is a Security Focus Area?==
+
The [[:Category:OWASP Honeycomb Project|Honeycomb Project]] has many individual articles detailing the basic building blocks of application security, including [[:Category:Principle|principles]], [[:Category:Threat|threats]], [[:Category:Attack|attacks]], [[:Category:Vulnerability|vulnerabilities]], [[:Category:Countermeasure|countermeasures]]. Generally, a single application security issue will involve several of each type of building block. For example, SQL Injection might involve several different threats and attacks, a few related vulnerabilities, and several countermeasures.
  
A security focus area is a security topic that is commonly known, concerned or studied in the application security arena. They can be the buzzwords in the security community or the top security problems that everyone wants to learn about.  
+
To help navigate these articles, we have created these "Security Focus Areas" (SFAs) as a guide that pulls together and creates a roadmap for a single application security issue. The articles in other OWASP projects ([[Top 10]], [[Guide]], [[Testing Guide]], [[Code Review]], etc.) tend to be more comprehensive guidelines to various security areas. These articles are either trying to raise the awareness of a SFA (such as these articles in Top 10), or describe the systematic security approaches on how to identify, analyze, remediate or prevent these problems.  
  
==Why this category?==
+
==What goes into a SFA?==
  
To completely understand a security focus area, you need to learn the basic elements involved in this security area, which we believe are the PTAVC( Principle,Threat, Attack, Vulnerability, and Countermeasure), and how these elements are related in a threat modeling context. You will also want to know the hands-on guidelines on various security approaches to identify, analyze, and address problems and all other related discussions on this area.
+
Each SFA provides:
  
===The Problem===
+
* A short, management-level introduction to the area
 +
* A roadmap to the threat modeling elements for this area with emphasis on helping readers evaluate the likelihood and impact of a successful exploit in their application
 +
* Links to guidelines for testing, code reviewing, and architecting this area
 +
* Other articles covering this topic
  
During OWASP’s effort to build the most comprehensive and integrated guides to application security, articles are being generated and evolved constantly under various internal projects. As a result, you will find multiple articles exist under the same security focus area.  
+
Therefore a SFA category acts as a roadmap to guide you through articles in this area. It helps you to obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.  
  
Articles in the Honeycomb project describe the fundamental application security elements and are categorized into five buckets (Principle, Threat, Attack, Vulnerability and Countermeasure). They are the basic building blocks for higher-level security activities, such as threat modeling, security design and analysis. For a security focus area, they will provide the basic concepts and fundamental knowledge to understand the problems in this area.
+
==What makes a good SFA?==
  
The articles in other OWASP projects (Top 10, Guide, Testing Guide, Code Review, etc.) tend to be more comprehensive guidelines to various security areas. These articles are either trying to raise the awareness of a security focus area (such as these articles in Top 10), or describe the systematic security approaches on how to identify, analyze, remediate or prevent these problems.
+
Here are some criteria for a SFA:
 +
* It should be a specific topic instead of a big/generic title
 +
** For example, "SQL Injection" instead of "Injection Flaws"
 +
* It should be a well-known and commonly used topic area
 +
* It should overlap as little as possible with other SFA's
  
To link all these articles in a meaningful way, we need a horizontal thread to connecting all these articles together and compile them with expert opinions to present a complete and organized view of the problem.
+
==How to add a new SFA ==
  
===Our Approach===
+
Create an Category:SecurityFocusAreaName and add <nowiki>[[Category:Security Focus Area]]</nowiki> at the bottom. A SFA article should follow the structure in [[SFA]]. '''Note:''' we should create a template for the header of an SFA.
 
+
We create a category for each of these security focus areas and tag the related articles in various projects and sources with this category. On the article for this Security Focus Area, we will give an overview of the problem followed by a detailed threat modeling section, discussing the security elements involved and how they are related including various factors on its likelihood, impact and severity.
+
Then related security activities on how to identify and address problems in this area are discussed followed by links to any additional information.
+
 
+
Therefore a Security Focus Area category is acting as a roadmap to guide you through articles in this area. It helps you to obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.
+
 
+
NOTE:
+
* Based on how it is communicated in the community, the name of a security focus area might have a bias on some of its basic elements. For example, SQL Injection is named after the attack while Input Validation is named after the countermeasure.
+
* A security focus area can have close relationship or even overlap to other security focus areas. For example, Input Validation is the countermeasure for both SQL injection and Buffer Overflow.
+
These are not our concerns here. We care more about presenting the complete view of the problem.
+
 
+
== What belongs to here? ==
+
Here are the criteria to a Security Focus area:
+
* It has to be a specific topic instead of a big/generic title
+
** For example, “SQL injection” instead of “Injection Flaws”
+
* It has to be well-known and commonly used in the security community
+
* It may have overlap with other security focus areas but it should be recognized as a stand-alone issue
+
 
+
==How to add a Security Focus Area ==
+
Create an Category:SecurityFocusAreaName and add {{Category:Security Focus Area}} into it. An Security Focus Area article should follow the following structure:
+
 
+
{{SFA Template}}.
+
 
+
===How to use a Security Focus Area===
+
When you what to learn about or contribute to a Security Focus Area, simply click the link of that area and check the existing articles.
+
  
 
==How you can help?==
 
==How you can help?==
* When you generate an article, please think through what security focus area this article belongs to and tag the article with it.
 
* When you read an article and think it belongs to a certain security focus area, please tag the article with it.
 
* If you feel the need to create a new Security Focus Area, please consider the criteria listed in “what belongs to here” section.
 
  
==Volunteer needed==
+
* If you find articles related to an existing SFA, please link to them in the SFA article.
Tag articles with security focus areas (Manage this as part of the Honeycomb project. )
+
* If you feel the need to create a new SFA, please consider the criteria listed in "what makes a good SFA" section.
  
===The current list of focus areas===
+
==The current list of SFAs ==
Q: Acronym or full name? (Weilin: I prefer full name.)
+
*[[Phishing]]
Q: Name after vulnerability or countermeasure? (Weilin: I prefer naming after countermeasure when possible.)
+
*[[Cross-Site Scripting]]
 +
*[[Buffer Overflow]]
 +
*[[SQL Injection]]
  
Unvalidated Input (Or Input Validation? I prefer latter.)
+
__NOTOC__
Broken Access Control (Or Access Control? I prefer latter)
+
Phishing
+
Authentication
+
Session Management
+
XSS (Cross Site Scripting, Acronym or full name?)
+
Buffer Overflow
+
SQL Injection
+
Error Handling
+
Insecure Storage
+
Cryptography
+
Application Denial of Service
+
Insecure Configuration Management
+
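Review bot: the new "How to add a new SFA" text (the line beginning "Create an Category:SecurityFocusAreaName") has a grammar slip and leaves the article structure underspecified: it should read "Create a Category:...", and because this revision replaces the transcluded {{SFA Template}} with a pointer to [[SFA]] plus a note that a header template still needs to be created, either keep the template reference or state which headings an SFA article must carry until that template exists. The "How you can help?" bullets (the lines starting "If you find articles" and "If you feel the need") would also read better under the heading "How can you help?" with the referenced section quoted by its exact title, "What makes a good SFA?".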

Latest revision as of 14:22, 15 November 2006

What is a Security Focus Area (SFA)?

The Honeycomb Project has many individual articles detailing the basic building blocks of application security, including principles, threats, attacks, vulnerabilities, and countermeasures. Generally, a single application security issue will involve several of each type of building block. For example, SQL Injection might involve several different threats and attacks, a few related vulnerabilities, and several countermeasures.

To help navigate these articles, we have created these "Security Focus Areas" (SFAs) as a guide that pulls together and creates a roadmap for a single application security issue. The articles in other OWASP projects (Top 10, Guide, Testing Guide, Code Review, etc.) tend to be more comprehensive guidelines to various security areas. These articles are either trying to raise awareness of an SFA (such as the articles in the Top 10), or describe the systematic security approaches on how to identify, analyze, remediate or prevent these problems.

What goes into an SFA?

Each SFA provides:

  • A short, management-level introduction to the area
  • A roadmap to the threat modeling elements for this area with emphasis on helping readers evaluate the likelihood and impact of a successful exploit in their application
  • Links to guidelines for testing, code reviewing, and architecting this area
  • Other articles covering this topic

Therefore an SFA category acts as a roadmap to guide you through the articles in this area. It helps you obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.

What makes a good SFA?

Here are some criteria for an SFA:

  • It should be a specific topic instead of a big/generic title
    • For example, "SQL Injection" instead of "Injection Flaws"
  • It should be a well-known and commonly used topic area
  • It should overlap as little as possible with other SFAs

How to add a new SFA

Create a Category:SecurityFocusAreaName page and add [[Category:Security Focus Area]] at the bottom. An SFA article should follow the structure in SFA. Note: we should create a template for the header of an SFA.

How can you help?

  • If you find articles related to an existing SFA, please link to them in the SFA article.
  • If you feel the need to create a new SFA, please consider the criteria listed in the "What makes a good SFA?" section.

The current list of SFAs