Difference between revisions of "Category:Security Focus Area"

From OWASP
Side-by-side diff of the two revisions, flattened here into old/new pairs:

Line 1:
  (unchanged) ==What is a Security Focus Area (SFA)?==
  old: The [[:Category:OWASP Honeycomb Project|Honeycomb Project]] has many individual articles detailing the basic building blocks of application security, including [[:Category:Principle|principles]], [[:Category:Threat|threats]], [[:Category:Attack|attacks]], [[:Category:Vulnerability|vulnerabilities]], [[:Category:Countermeasure|countermeasures]]. Generally, a single application security issue will involve several principles, threats, attacks, vulnerabilities, and countermeasures.
  new: The [[:Category:OWASP Honeycomb Project|Honeycomb Project]] has many individual articles detailing the basic building blocks of application security, including [[:Category:Principle|principles]], [[:Category:Threat|threats]], [[:Category:Attack|attacks]], [[:Category:Vulnerability|vulnerabilities]], [[:Category:Countermeasure|countermeasures]]. Generally, a single application security issue will involve several of each type of building block. For example, SQL Injection might involve several different threats and attacks, a few related vulnerabilities, and several countermeasures.
  (unchanged) To help navigate these articles, we have created these "Security Focus Areas" (SFAs) as a guide that pulls together and creates a roadmap for a single application security issue. The articles in other OWASP projects ([[Top 10]], [[Guide]], [[Testing Guide]], [[Code Review]], etc.) tend to be more comprehensive guidelines to various security areas. These articles are either trying to raise the awareness of a SFA (such as these articles in Top 10), or describe the systematic security approaches on how to identify, analyze, remediate or prevent these problems.

Line 10:
  (unchanged) * A short, management-level introduction to the area
  old: * A roadmap to the threat modeling elements for this area
  old: ** emphasizing on helping readers evaluate the likelihood and impact of a successful exploit in their application
  new: * A roadmap to the threat modeling elements for this area with emphasis on helping readers evaluate the likelihood and impact of a successful exploit in their application
  (unchanged) * Links to guidelines for testing, code reviewing, and architecting this area
  (unchanged) * Other articles covering this topic
Revision as of 22:29, 3 August 2006

What is a Security Focus Area (SFA)?

The Honeycomb Project has many individual articles detailing the basic building blocks of application security, including principles, threats, attacks, vulnerabilities, and countermeasures. Generally, a single application security issue will involve several of each type of building block. For example, SQL Injection might involve several different threats and attacks, a few related vulnerabilities, and several countermeasures.

To help navigate these articles, we have created these "Security Focus Areas" (SFAs) as a guide that pulls together the relevant articles and creates a roadmap for a single application security issue. The articles in other OWASP projects (Top 10, Guide, Testing Guide, Code Review, etc.) tend to be more comprehensive guidelines to various security areas. Those articles either raise awareness of an SFA (as the Top 10 articles do) or describe systematic approaches to identifying, analyzing, remediating, or preventing these problems.

What goes into a SFA?

Each SFA provides:

  • A short, management-level introduction to the area
  • A roadmap to the threat modeling elements for this area with emphasis on helping readers evaluate the likelihood and impact of a successful exploit in their application
  • Links to guidelines for testing, code reviewing, and architecting this area
  • Other articles covering this topic

Therefore an SFA category acts as a roadmap to guide you through the articles in this area. It helps you obtain a high-level overview of the problem quickly and lets you dive into the details easily when needed.

What makes a good SFA?

Here are some criteria for an SFA:

  • It should be a specific topic instead of a big/generic title
    • For example, "SQL Injection" instead of "Injection Flaws"
  • It should be a well-known and commonly used topic area
  • It should overlap as little as possible with other SFAs

How to add a new SFA

Create a Category:SecurityFocusAreaName page and add [[Category:Security Focus Area]] at the bottom. An SFA article should follow the structure in SFA. Note: we should create a template for the header of an SFA.

How you can help

  • If you find articles related to an existing SFA, please link to them in the SFA article.
  • If you feel the need to create a new SFA, please consider the criteria listed in the "What makes a good SFA?" section.

The current list of SFAs

  • Phishing
  • Cross-Site Scripting
  • Buffer Overflow
  • SQL Injection