Difference between revisions of "Category:Security Focus Area"

From OWASP
Jump to: navigation, search
(The current list of focus areas)
Line 50: Line 50:
  
 
==The current list of focus areas==
 
==The current list of focus areas==
Q: Acronym or full name? (Weilin: I prefer full name.)
+
*Input Validation  
Q: Name after vulnerability or countermeasure? (Weilin: I prefer naming after countermeasure when possible.)
+
*Access Control  
 
+
*Phishing
Unvalidated Input (Or Input Validation? I prefer latter.)
+
*Authentication
Broken Access Control (Or Access Control? I prefer latter)
+
*Session Management
Phishing
+
*XSS (Cross Site Scripting, Acronym or full name?)
Authentication
+
*Buffer Overflow
Session Management
+
*SQL Injection
XSS (Cross Site Scripting, Acronym or full name?)
+
*Error Handling
Buffer Overflow
+
*Insecure Storage
SQL Injection
+
*Cryptography
Error Handling
+
*Application Denial of Service
Insecure Storage
+
*Insecure Configuration Management
Cryptography
+
Application Denial of Service
+
Insecure Configuration Management
+

Revision as of 16:30, 3 August 2006

Security Focus Areas

Contents

What is a Security Focus Area?

A security focus area is a security topic that is commonly known, concerned or studied in the application security arena. They can be the buzzwords in the security community or the top security problems that everyone wants to learn about.

Why this category?

To completely understand a security focus area, you need to learn the basic elements involved in this security area, which we believe are the PTAVC( Principle,Threat, Attack, Vulnerability, and Countermeasure), and how these elements are related in a threat modeling context. You will also want to know the hands-on guidelines on various security approaches to identify, analyze, and address problems and all other related discussions on this area.

The Problem

During OWASP’s effort to build the most comprehensive and integrated guides to application security, articles are being generated and evolved constantly under various internal projects. As a result, you will find multiple articles exist under the same security focus area. We need a roadmap for these articles.

Articles in the Honeycomb project describe the fundamental application security elements and are categorized into five buckets (Principle, Threat, Attack, Vulnerability and Countermeasure). They are the basic building blocks for higher-level security activities, such as threat modeling, security design and analysis. For a security focus area, they will provide the basic concepts and fundamental knowledge to understand the problems in this area.

The articles in other OWASP projects (Top 10, Guide, Testing Guide, Code Review, etc.) tend to be more comprehensive guidelines to various security areas. These articles are either trying to raise the awareness of a security focus area (such as these articles in Top 10), or describe the systematic security approaches on how to identify, analyze, remediate or prevent these problems.

To link all these articles in a meaningful way, we need a horizontal thread to connecting all these articles together and compile them with expert opinions to present a complete and organized view of the problem.

Our Approach

We create a category for each of these security focus areas and tag the related articles in various projects and sources with this category. On the article for this Security Focus Area, we will give an overview of the problem followed by a detailed threat modeling section to discuss the security elements involved, how they are related, and the various factors on likelihood, impact and severity. Then we discuss the related security activities on how to identify and address problems in this area and provide links to any additional information.

Therefore a Security Focus Area category is acting as a roadmap to guide you through articles in this area. It helps you to obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.

NOTE:

  • Based on how it is communicated in the community, the name of a security focus area might have a bias on some of its basic elements. For example, SQL Injection is named after the attack while Input Validation is named after the countermeasure.
  • A security focus area can have close relationship or even overlap to other security focus areas. For example, Input Validation is the countermeasure for both SQL injection and Buffer Overflow.

These are not our concerns here. We care more about presenting the complete view of the problem.

What belongs to here?

Here are the criteria to a Security Focus area:

  • It has to be a specific topic instead of a big/generic title
    • For example, “SQL injection” instead of “Injection Flaws”
  • It has to be well-known and commonly used in the security community
  • It may have overlap with other security focus areas but it should be recognized as a stand-alone issue

How to add a Security Focus Area

Create an Category:SecurityFocusAreaName and add [[Category:Security Focus Area]] into it. An Security Focus Area article should follow the structure in SFA.

How you can help?

  • When you generate an article, please think through what security focus area this article belongs to and tag the article with it.
  • When you read an article and think it belongs to a certain security focus area, please tag the article with it.
  • If you feel the need to create a new Security Focus Area, please consider the criteria listed in “what belongs to here” section.

Volunteer needed

Tag articles with security focus areas (Manage this as part of the Honeycomb project. )

The current list of focus areas

  • Input Validation
  • Access Control
  • Phishing
  • Authentication
  • Session Management
  • XSS (Cross Site Scripting, Acronym or full name?)
  • Buffer Overflow
  • SQL Injection
  • Error Handling
  • Insecure Storage
  • Cryptography
  • Application Denial of Service
  • Insecure Configuration Management