Category:Security Focus Area
Security Focus Areas
What is a Security Focus Area?
A security focus area is a security topic that is commonly known, of concern, or studied in the application security arena. These can be the buzzwords in the security community or the top security problems that everyone wants to learn about.
Why this category?
To completely understand a security focus area, you need to learn the basic elements involved in that area, which we believe are the PTAVC (Principle, Threat, Attack, Vulnerability, and Countermeasure), and how these elements are related in a threat modeling context. You will also want to know the hands-on guidelines for the various security approaches used to identify, analyze, and address problems, and all other related discussions of the area.
During OWASP's effort to build the most comprehensive and integrated guides to application security, articles are constantly being generated and evolving under various internal projects. As a result, you will find that multiple articles exist under the same security focus area.
Articles in the Honeycomb project describe the fundamental application security elements and are categorized into five buckets (Principle, Threat, Attack, Vulnerability and Countermeasure). They are the basic building blocks for higher-level security activities, such as threat modeling, security design and analysis. For a security focus area, they will provide the basic concepts and fundamental knowledge to understand the problems in this area.
The articles in other OWASP projects (Top 10, Guide, Testing Guide, Code Review, etc.) tend to be more comprehensive guidelines for various security areas. These articles either try to raise awareness of a security focus area (such as the articles in the Top 10), or describe systematic security approaches for identifying, analyzing, remediating or preventing these problems.
To link all these articles in a meaningful way, we need a horizontal thread connecting them together, compiled with expert opinions, to present a complete and organized view of the problem.
We create a category for each security focus area and tag the related articles in the various projects and sources with this category. On the article for the Security Focus Area, we give an overview of the problem, followed by a detailed threat modeling section discussing the security elements involved and how they are related, including the factors that determine likelihood, impact and severity. Then the related security activities for identifying and addressing problems in this area are discussed, followed by links to any additional information.
Therefore a Security Focus Area category acts as a roadmap to guide you through the articles in this area. It helps you to obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.
- Based on how it is communicated in the community, the name of a security focus area may be biased toward one of its basic elements. For example, SQL Injection is named after the attack, while Input Validation is named after the countermeasure.
- A security focus area can have a close relationship with, or even overlap, other security focus areas. For example, Input Validation is the countermeasure for both SQL Injection and Buffer Overflow.
These are not our concerns here. We care more about presenting the complete view of the problem.
What belongs here?
Here are the criteria for a Security Focus Area:
- It has to be a specific topic instead of a big/generic title
  - For example, "SQL Injection" instead of "Injection Flaws"
- It has to be well-known and commonly used in the security community
- It may have overlap with other security focus areas but it should be recognized as a stand-alone issue
How to add a Security Focus Area
Create a Category:SecurityFocusAreaName page and add [[Category:Security Focus Area]]
What is a Security Focus Area (SFA)?
The Honeycomb Project has many individual articles detailing the basic building blocks of application security, including principles, threats, attacks, vulnerabilities, and countermeasures. Generally, a single application security issue will involve several of each type of building block. For example, SQL Injection might involve several different threats and attacks, a few related vulnerabilities, and several countermeasures.
To help navigate these articles, we have created these "Security Focus Areas" (SFAs) as a guide that pulls together the articles on a single application security issue and creates a roadmap for it. The articles in other OWASP projects (Top 10, Guide, Testing Guide, Code Review, etc.) tend to be more comprehensive guidelines for various security areas. These articles either try to raise awareness of an SFA (such as the articles in the Top 10), or describe systematic security approaches for identifying, analyzing, remediating or preventing these problems.
What goes into an SFA?
Each SFA provides:
- A short, management-level introduction to the area
- A roadmap to the threat modeling elements for this area with emphasis on helping readers evaluate the likelihood and impact of a successful exploit in their application
- Links to guidelines for testing, code reviewing, and architecting this area
- Other articles covering this topic
Therefore an SFA category acts as a roadmap to guide you through the articles in this area. It helps you to obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.
What makes a good SFA?
Here are some criteria for an SFA:
- It should be a specific topic instead of a big/generic title
  - For example, "SQL Injection" instead of "Injection Flaws"
- It should be a well-known and commonly used topic area
- It should overlap as little as possible with other SFAs
How to add a new SFA
Create a Category:SecurityFocusAreaName page and add [[Category:Security Focus Area]] at the bottom. An SFA article should follow the structure in SFA. Note: we should create a template for the header of an SFA.
How you can help
- If you find articles related to an existing SFA, please link to them in the SFA article.
- If you feel the need to create a new SFA, please consider the criteria listed in the "What makes a good SFA?" section.
The current list of SFAs
into it. A Security Focus Area article should follow the following structure:
How to use a Security Focus Area
When you want to learn about or contribute to a Security Focus Area, simply click the link for that area and check the existing articles.
How you can help
- When you generate an article, please think through what security focus area this article belongs to and tag the article with it.
- When you read an article and think it belongs to a certain security focus area, please tag the article with it.
- If you feel the need to create a new Security Focus Area, please consider the criteria listed in the "What belongs here?" section.
Tag articles with security focus areas (manage this as part of the Honeycomb project).
The current list of focus areas
Q: Acronym or full name? (Weilin: I prefer full name.)
Q: Name after vulnerability or countermeasure? (Weilin: I prefer naming after countermeasure when possible.)
- Unvalidated Input (Or Input Validation? I prefer the latter.)
- Broken Access Control (Or Access Control? I prefer the latter.)
- Phishing
- Authentication
- Session Management
- XSS (Cross Site Scripting, acronym or full name?)
- Buffer Overflow
- SQL Injection
- Error Handling
- Insecure Storage
- Cryptography
- Application Denial of Service
- Insecure Configuration Management