Difference between revisions of "Category:Security Focus Area"

From OWASP

Revision as of 16:28, 3 August 2006

Security Focus Areas

What is a Security Focus Area?

A security focus area is a security topic that is commonly known, of concern, or studied in the application security arena. These can be the buzzwords in the security community or the top security problems that everyone wants to learn about.

Why this category?

To completely understand a security focus area, you need to learn the basic elements involved in that area, which we believe are the PTAVC (Principle, Threat, Attack, Vulnerability, and Countermeasure), and how these elements are related in a threat modeling context. You will also want hands-on guidelines on the various security approaches used to identify, analyze, and address problems, along with all other related discussion of the area.

The Problem

During OWASP’s effort to build the most comprehensive and integrated guides to application security, articles are being generated and evolved constantly under various internal projects. As a result, you will find multiple articles exist under the same security focus area. We need a roadmap for these articles.

Articles in the Honeycomb project describe the fundamental application security elements and are categorized into five buckets (Principle, Threat, Attack, Vulnerability and Countermeasure). They are the basic building blocks for higher-level security activities, such as threat modeling, security design and analysis. For a security focus area, they will provide the basic concepts and fundamental knowledge to understand the problems in this area.

The articles in other OWASP projects (Top 10, Guide, Testing Guide, Code Review, etc.) tend to be more comprehensive guidelines to various security areas. These articles either try to raise awareness of a security focus area (such as the articles in the Top 10), or describe systematic security approaches for identifying, analyzing, remediating or preventing these problems.

To link all these articles in a meaningful way, we need a horizontal thread to connect them together and compile them with expert opinions to present a complete and organized view of the problem.

Our Approach

We create a category for each of these security focus areas and tag the related articles in various projects and sources with this category. On the article for this Security Focus Area, we will give an overview of the problem followed by a detailed threat modeling section to discuss the security elements involved, how they are related, and the various factors affecting likelihood, impact and severity. Then we discuss the related security activities for identifying and addressing problems in this area and provide links to any additional information.

Therefore a Security Focus Area category acts as a roadmap to guide you through the articles in this area. It helps you to obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.

NOTE:

  • Based on how it is communicated in the community, the name of a security focus area might be biased toward one of its basic elements. For example, SQL Injection is named after the attack while Input Validation is named after the countermeasure.
  • A security focus area can have a close relationship with, or even overlap, other security focus areas. For example, Input Validation is the countermeasure for both SQL Injection and Buffer Overflow.

These are not our concerns here. We care more about presenting the complete view of the problem.

What belongs here?

Here are the criteria for a Security Focus Area:

  • It has to be a specific topic instead of a big/generic title
    • For example, “SQL injection” instead of “Injection Flaws”
  • It has to be well-known and commonly used in the security community
  • It may overlap with other security focus areas, but it should be recognized as a stand-alone issue

How to add a Security Focus Area

Create a Category:SecurityFocusAreaName page and add [[Category:Security Focus Area]] to it. A Security Focus Area article should follow the structure in SFA.

How you can help

  • When you generate an article, please think through what security focus area this article belongs to and tag the article with it.
  • When you read an article and think it belongs to a certain security focus area, please tag the article with it.
  • If you feel the need to create a new Security Focus Area, please consider the criteria listed in the section on what belongs here.

Volunteer needed

Tag articles with security focus areas (managed as part of the Honeycomb project).

The current list of focus areas

Q: Acronym or full name? (Weilin: I prefer full name.)

Q: Name after vulnerability or countermeasure? (Weilin: I prefer naming after countermeasure when possible.)

  • Unvalidated Input (Or Input Validation? I prefer the latter.)
  • Broken Access Control (Or Access Control? I prefer the latter.)
  • Phishing
  • Authentication
  • Session Management
  • XSS (Cross Site Scripting; acronym or full name?)
  • Buffer Overflow
  • SQL Injection
  • Error Handling
  • Insecure Storage
  • Cryptography
  • Application Denial of Service
  • Insecure Configuration Management