Difference between revisions of "Guide Table of Contents"

From OWASP
Jump to: navigation, search
 
(21 intermediate revisions by 2 users not shown)
Line 1: Line 1:
# [[Guide Frontispiece|Frontispiece]]  
+
=[[Guide Frontispiece|Frontispiece]]=
## Dedication
+
#Dedication
## Copyright and license
+
#Copyright and license
## Editors  
+
#Editors  
## Authors and Reviewers
+
#Authors and Reviewers
## Revision History
+
#Revision History
#[[About The Open Web Application Security Project]]
+
=[[About The Open Web Application Security Project]]=
##Structure and Licensing
+
#Structure and Licensing
##Participation and Membership
+
#Participation and Membership
##Projects
+
#Projects
#[[Introduction]]
+
=[[Guide Introduction | Introduction]]=
##Developing Secure Applications
+
#Developing Secure Applications
##Improvements in this edition
+
#Improvements in this edition
##How to use this Guide
+
#How to use this Guide
##Updates and errata
+
#Updates and errata
##With thanks
+
#With thanks
#[[What are web applications?]]
+
=[[What are web applications?]]=
##Technologies
+
#Technologies
##First generation – CGI
+
#First generation – CGI
##Filters
+
#Filters
##Scripting
+
#Scripting
##Web application frameworks – J
+
#Web application frameworks – J
##Small to medium scale applications
+
#Small to medium scale applications
##Large scale applications
+
#Large scale applications
##View
+
#View
##Controller
+
#Controller
##Model
+
#Model
##Conclusion
+
#Conclusion
#[[Policy Frameworks]]
+
=[[Policy Frameworks]]=
##Organizational commitment to security
+
#Organizational commitment to security
##OWASP’s Place at the Framework table
+
#OWASP’s Place at the Framework table
##Development Methodology
+
#Development Methodology
##Coding Standards
+
#Coding Standards
##Source Code Control
+
#Source Code Control
##Summary
+
#Summary
#[[Secure Coding Principles]]
+
=[[Secure Coding Principles]]=
##Asset Classification
+
#Asset Classification
##About attackers
+
#About attackers
##Core pillars of information security
+
#Core pillars of information security
##Security Architecture
+
#Security Architecture
##Security Principles
+
#Security Principles
#[[Threat Risk Modeling]]
+
=[[Threat Risk Modeling]]=
##Threat Risk Modeling
+
#Threat Risk Modeling
##Performing threat risk modeling using the Microsoft Threat Modeling Process
+
#Performing threat risk modeling using the Microsoft Threat Modeling Process
##Alternative Threat Modeling Systems
+
#Alternative Threat Modeling Systems
##Trike
+
#Trike
##AS/NZS
+
#AS/NZS
##CVSS
+
#CVSS
##OCTAVE
+
#OCTAVE
##Conclusion
+
#Conclusion
##Further Reading
+
#Further Reading
#[[Handling E-Commerce Payments]]
+
=[[Handling E-Commerce Payments]]=
##Objectives
+
#Objectives
##Compliance and Laws
+
#Compliance and Laws
##PCI Compliance
+
#PCI Compliance
##Handling Credit Cards
+
#Handling Credit Cards
##Further Reading
+
#Further Reading
#[[Phishing]]
+
=[[Phishing]]=
##What is phishing?
+
#What is phishing?
##User Education
+
#User Education
##Make it easy for your users to report scams
+
#Make it easy for your users to report scams
##Communicating with customers via e-mail
+
#Communicating with customers via e-mail
##Never ask your customers for their secrets
+
#Never ask your customers for their secrets
##Fix all your XSS issues
+
#Fix all your XSS issues
##Do not use pop-ups
+
#Do not use pop-ups
##Don’t be framed
+
#Don’t be framed
##Move your application one link away from your front page
+
#Move your application one link away from your front page
##Enforce local referrers for images and other resources
+
#Enforce local referrers for images and other resources
##Keep the address bar, use SSL, do not use IP addresses
+
#Keep the address bar, use SSL, do not use IP addresses
##Don’t be the source of identity theft
+
#Don’t be the source of identity theft
##Implement safe-guards within your application
+
#Implement safe-guards within your application
##Monitor unusual account activity
+
#Monitor unusual account activity
##Get the phishing target servers offline pronto
+
#Get the phishing target servers offline pronto
##Take control of the fraudulent domain name
+
#Take control of the fraudulent domain name
##Work with law enforcement
+
#Work with law enforcement
##When an attack happens
+
#When an attack happens
##Further Reading
+
#Further Reading
#[[Web Services]]
+
=[[Web Services]]=
##Securing Web Services
+
#Securing Web Services
##Communication security
+
#Communication security
##Passing credentials
+
#Passing credentials
##Ensuring message freshness
+
#Ensuring message freshness
##Protecting message integrity
+
#Protecting message integrity
##Protecting message confidentiality
+
#Protecting message confidentiality
##Access control
+
#Access control
##Audit
+
#Audit
##Web Services Security Hierarchy
+
#Web Services Security Hierarchy
##SOAP
+
#SOAP
##WS-Security Standard
+
#WS-Security Standard
##WS-Security Building Blocks
+
#WS-Security Building Blocks
##Communication Protection Mechanisms
+
#Communication Protection Mechanisms
##Access Control Mechanisms
+
#Access Control Mechanisms
##Forming Web Service Chains
+
#Forming Web Service Chains
##Available Implementations
+
#Available Implementations
##Problems
+
#Problems
##Further Reading
+
#Further Reading
#[[Ajax and Other "Rich" Interface Technologies]]
+
=[[Ajax and Other "Rich" Interface Technologies]]=
##Objective
+
#Objective
##Platforms Affected
+
#Platforms Affected
##Architecture
+
#Architecture
##Access control: Authentication and Authorization
+
#Access control: Authentication and Authorization
##Silent transactional authorization
+
#Silent transactional authorization
##Untrusted or absent session data
+
#Untrusted or absent session data
##State management
+
#State management
##Tamper resistance
+
#Tamper resistance
##Privacy
+
#Privacy
##Proxy Façade
+
#Proxy Façade
##SOAP Injection Attacks
+
#SOAP Injection Attacks
##XMLRPC Injection Attacks
+
#XMLRPC Injection Attacks
##DOM Injection Attacks
+
#DOM Injection Attacks
##XML Injection Attacks
+
#XML Injection Attacks
##JSON (Javascript Object Notation) Injection Attacks
+
#JSON (Javascript Object Notation) Injection Attacks
##Encoding safety
+
#Encoding safety
##Auditing
+
#Auditing
##Error Handling
+
#Error Handling
##Accessibility
+
#Accessibility
##Further Reading
+
#Further Reading
#[[Authentication]]
+
=[[Guide to Authentication]]=
##Objective
+
#Objective
##Environments Affected
+
#Environments Affected
##Relevant COBIT Topics
+
#Relevant COBIT Topics
##Best Practices
+
#Best Practices
##Common web authentication techniques
+
#Common web authentication techniques
##Strong Authentication
+
#Strong Authentication
##Federated Authentication
+
#Federated Authentication
##Client side authentication controls
+
#Client side authentication controls
##Positive Authentication
+
#Positive Authentication
##Multiple Key Lookups
+
#Multiple Key Lookups
##Referer Checks
+
#Referer Checks
##Browser remembers passwords
+
#Browser remembers passwords
##Default accounts
+
#Default accounts
##Choice of usernames
+
#Choice of usernames
##Change passwords
+
#Change passwords
##Short passwords
+
#Short passwords
##Weak password controls
+
#Weak password controls
##Reversible password encryption
+
#Reversible password encryption
##Automated password resets
+
#Automated password resets
##Brute Force
+
#Brute Force
##Remember Me
+
#Remember Me
##Idle Timeouts
+
#Idle Timeouts
##Logout
+
#Logout
##Account Expiry
+
#Account Expiry
##Self registration
+
#Self registration
##CAPTCHA
+
#CAPTCHA
##Further Reading
+
#Further Reading
##Authentication
+
#Authentication
#[[Authorization]]
+
 
##Objectives
+
=[[Guide to Authorization]]=
##Environments Affected
+
#Objectives
##Relevant COBIT Topics
+
#Environments Affected
##Best Practices
+
#Relevant COBIT Topics
##Best Practices in Action
+
#Best Practices
##Principle of least privilege
+
#Best Practices in Action
##Centralized authorization routines
+
#Principle of least privilege
##Authorization matrix
+
#Centralized authorization routines
##Controlling access to protected resources
+
#Authorization matrix
##Protecting access to static resources
+
#Controlling access to protected resources
##Reauthorization for high value activities or after idle out
+
#Protecting access to static resources
##Time based authorization
+
#Reauthorization for high value activities or after idle out
##Be cautious of custom authorization controls
+
#Time based authorization
##Never implement client-side authorization tokens
+
#Be cautious of custom authorization controls
##Further Reading
+
#Never implement client-side authorization tokens
#[[Session Management]]
+
#Further Reading
##Objective
+
 
##Environments Affected
+
=[[Session Management]]=
##Relevant COBIT Topics
+
#Objective
##Description
+
#Environments Affected
##Best practices
+
#Relevant COBIT Topics
##Exposed Session Variables
+
#Description
##Page and Form Tokens
+
#Best practices
##Weak Session Cryptographic Algorithms
+
#Exposed Session Variables
##Session Token Entropy
+
#Page and Form Tokens
##Session Time-out
+
#Weak Session Cryptographic Algorithms
##Regeneration of Session Tokens
+
#Session Token Entropy
##Session Forging/Brute-Forcing Detection and/or Lockout
+
#Session Time-out
##Session Token Capture and Session Hijacking
+
#Regeneration of Session Tokens
##Session Tokens on Logout
+
#Session Forging/Brute-Forcing Detection and/or Lockout
##Session Validation Attacks
+
#Session Token Capture and Session Hijacking
##PHP
+
#Session Tokens on Logout
##Sessions
+
#Session Validation Attacks
##Further Reading
+
#PHP
##Session Management
+
#Sessions
#[[Data Validation]]
+
#Further Reading
##Objective
+
#Session Management
##Platforms Affected
+
=[[Data Validation]]=
##Relevant COBIT Topics
+
#Objective
##Description
+
#Platforms Affected
##Definitions
+
#Relevant COBIT Topics
##Where to include integrity checks
+
#Description
##Where to include validation
+
#Definitions
##Where to include business rule validation
+
#Where to include integrity checks
##Data Validation Strategies
+
#Where to include validation
##Prevent parameter tampering
+
#Where to include business rule validation
##Hidden fields
+
#Data Validation Strategies
##ASP.NET Viewstate
+
#Prevent parameter tampering
##URL encoding
+
#Hidden fields
##HTML encoding
+
#ASP.NET Viewstate
##Encoded strings
+
#URL encoding
##Data Validation and Interpreter Injection
+
#HTML encoding
##Delimiter and special characters
+
#Encoded strings
##Further Reading
+
#Data Validation and Interpreter Injection
#[[Interpreter Injection]]
+
#Delimiter and special characters
##Objective
+
#Further Reading
##Platforms Affected
+
=[[Interpreter Injection]]=
##Relevant COBIT Topics
+
#Objective
##User Agent Injection
+
#Platforms Affected
##HTTP Response Splitting
+
#Relevant COBIT Topics
##SQL Injection
+
#User Agent Injection
##ORM Injection
+
#HTTP Response Splitting
##LDAP Injection
+
#SQL Injection
##XML Injection
+
#ORM Injection
##Code Injection
+
#LDAP Injection
##Further Reading
+
#XML Injection
##SQL-injection
+
#Code Injection
##Code Injection
+
#Further Reading
##Command injection
+
#SQL-injection
#[[Canoncalization, locale and Unicode]]
+
#Code Injection
##Objective
+
#Command injection
##Platforms Affected
+
=[[Canonicalization, locale and Unicode]]=
##Relevant COBIT Topics
+
#Objective
##Description
+
#Platforms Affected
##Unicode
+
#Relevant COBIT Topics
##http://www.ietf.org/rfc/rfc##
+
#Description
##Input Formats
+
#Unicode
##Locale assertion
+
#http://www.ietf.org/rfc/rfc#
##Double (or n-) encoding
+
#Input Formats
## HTTP Request Smuggling
+
#Locale assertion
## Further Reading
+
#Double (or n-) encoding
#[[Error Handling, Auditing and Logging]]
+
# HTTP Request Smuggling
##Objective
+
# Further Reading
##Environments Affected
+
 
##Relevant COBIT Topics
+
=[[Error Handling, Auditing and Logging]]=
##Description
+
#Objective
##Best practices
+
#Environments Affected
##Error Handling
+
#Relevant COBIT Topics
##Detailed error messages
+
#Description
##Logging
+
#Best practices
##Noise
+
#Error Handling
##Cover Tracks
+
#Detailed error messages
##False Alarms
+
#Logging
##Destruction
+
#Noise
##Audit Trails
+
#Cover Tracks
##Further Reading
+
#False Alarms
##Error Handling and Logging
+
#Destruction
#[[File System]]
+
#Audit Trails
##Objective
+
#Further Reading
##Environments Affected
+
#Error Handling and Logging
##Relevant COBIT Topics
+
=[[File System]]=
##Description
+
#Objective
##Best Practices
+
#Environments Affected
##Defacement
+
#Relevant COBIT Topics
##Path traversal
+
#Description
##Insecure permissions
+
#Best Practices
##Insecure Indexing
+
#Defacement
##Unmapped files
+
#Path traversal
##Temporary files
+
#Insecure permissions
##PHP
+
#Insecure Indexing
##Includes and Remote files
+
#Unmapped files
##File upload
+
#Temporary files
##Old, unreferenced files
+
#PHP
##Second Order Injection
+
#Includes and Remote files
##Further Reading
+
#File upload
##File System
+
#Old, unreferenced files
#[[Distributed Computing]]
+
#Second Order Injection
##Objective
+
#Further Reading
##Environments Affected
+
#File System
##Relevant COBIT Topics
+
=[[Distributed Computing]]=
##Best Practices
+
#Objective
##Race conditions
+
#Environments Affected
##Distributed synchronization
+
#Relevant COBIT Topics
##Further Reading
+
#Best Practices
#[[Buffer Overflows]]
+
#Race conditions
##Objective
+
#Distributed synchronization
##Platforms Affected
+
#Further Reading
##Relevant COBIT Topics
+
=[[Buffer Overflows]]=
##Description
+
#Objective
##General Prevention Techniques
+
#Platforms Affected
##Stack Overflow
+
#Relevant COBIT Topics
##Heap Overflow
+
#Description
##Format String
+
#General Prevention Techniques
##Unicode Overflow
+
#Stack Overflow
##Integer Overflow
+
#Heap Overflow
##Further reading
+
#Format String
#[[Administrative Interface]]
+
#Unicode Overflow
##Objective
+
#Integer Overflow
##Environments Affected
+
#Further reading
##Relevant COBIT Topics
+
=[[Administrative Interface]]=
##Best practices
+
#Objective
##Administrators are not users
+
#Environments Affected
##Authentication for high value systems
+
#Relevant COBIT Topics
##Further Reading
+
#Best practices
#[[Cryptography]]
+
#Administrators are not users
##Objective
+
#Authentication for high value systems
##Platforms Affected
+
#Further Reading
##Relevant COBIT Topics
+
=[[Guide to Cryptography]]=
##Description
+
#Objective
##Cryptographic Functions
+
#Platforms Affected
##Cryptographic Algorithms
+
#Relevant COBIT Topics
##Algorithm Selection
+
#Description
##Key Storage
+
#Cryptographic Functions
##Insecure transmission of secrets
+
#Cryptographic Algorithms
##Reversible Authentication Tokens
+
#Algorithm Selection
##Safe UUID generation
+
#Key Storage
##Summary
+
#Insecure transmission of secrets
##Further Reading
+
#Reversible Authentication Tokens
##Cryptography
+
#Safe UUID generation
#[[Configuration]]
+
#Summary
##Objective
+
#Further Reading
##Platforms Affected
+
#Cryptography
##Relevant COBIT Topics
+
 
##Best Practices
+
=[[Configuration]]=
##Default passwords
+
#Objective
##Secure connection strings
+
#Platforms Affected
##Secure network transmission
+
#Relevant COBIT Topics
##Encrypted data
+
#Best Practices
##PHP Configuration
+
#Default passwords
##Global variables
+
#Secure connection strings
##register_globals
+
#Secure network transmission
##Database security
+
#Encrypted data
##Further Reading
+
#PHP Configuration
##ColdFusion Components (CFCs)
+
#Global variables
##Configuration
+
#register_globals
#[[Software Quality Assurance]]
+
#Database security
##Objective
+
#Further Reading
##Platforms Affected
+
#ColdFusion Components (CFCs)
##Best practices
+
#Configuration
##Process
+
=[[Software Quality Assurance]]=
##Metrics
+
#Objective
##Testing Activities
+
#Platforms Affected
#[[Deployment]]
+
#Best practices
##Objective
+
#Process
##Platforms Affected
+
#Metrics
##Best Practices
+
#Testing Activities
##Release Management
+
=[[Deployment]]=
##Secure delivery of code
+
#Objective
##Code signing
+
#Platforms Affected
##Permissions are set to least privilege
+
#Best Practices
##Automated packaging
+
#Release Management
##Automated deployment
+
#Secure delivery of code
##Automated removal
+
#Code signing
##No backup or old files
+
#Permissions are set to least privilege
##Unnecessary features are off by default
+
#Automated packaging
##Setup log files are clean
+
#Automated deployment
##No default accounts
+
#Automated removal
##Easter eggs
+
#No backup or old files
##Malicious software
+
#Unnecessary features are off by default
##Further Reading
+
#Setup log files are clean
#[[Maintenance]]
+
#No default accounts
##Objective
+
#Easter eggs
##Platforms Affected
+
#Malicious software
##Relevant COBIT Topics
+
#Further Reading
##Best Practices
+
=[[Maintenance]]=
##Security Incident Response
+
#Objective
##Fix Security Issues Correctly
+
#Platforms Affected
##Update Notifications
+
#Relevant COBIT Topics
##Regularly check permissions
+
#Best Practices
##Further Reading
+
#Security Incident Response
##Maintenance
+
#Fix Security Issues Correctly
#[[GNU Free Documentation License]]
+
#Update Notifications
##PREAMBLE
+
#Regularly check permissions
##APPLICABILITY AND DEFINITIONS
+
#Further Reading
##VERBATIM COPYING
+
#Maintenance
##COPYING IN QUANTITY
+
=[[GNU Free Documentation License]]=
##MODIFICATIONS
+
#PREAMBLE
##COMBINING DOCUMENTS
+
#APPLICABILITY AND DEFINITIONS
##COLLECTIONS OF DOCUMENTS
+
#VERBATIM COPYING
##AGGREGATION WITH INDEPENDENT WORKS
+
#COPYING IN QUANTITY
##TRANSLATION
+
#MODIFICATIONS
##TERMINATION
+
#COMBINING DOCUMENTS
##FUTURE REVISIONS OF THIS LICENSE
+
#COLLECTIONS OF DOCUMENTS
 +
#AGGREGATION WITH INDEPENDENT WORKS
 +
#TRANSLATION
 +
#TERMINATION
 +
#FUTURE REVISIONS OF THIS LICENSE
 +
=Reference=
 +
[[Category:OWASP_Guide_Project]]

Latest revision as of 16:42, 26 January 2007

Contents

Frontispiece

  1. Dedication
  2. Copyright and license
  3. Editors
  4. Authors and Reviewers
  5. Revision History

About The Open Web Application Security Project

  1. Structure and Licensing
  2. Participation and Membership
  3. Projects

Introduction

  1. Developing Secure Applications
  2. Improvements in this edition
  3. How to use this Guide
  4. Updates and errata
  5. With thanks

What are web applications?

  1. Technologies
  2. First generation – CGI
  3. Filters
  4. Scripting
  5. Web application frameworks – J
  6. Small to medium scale applications
  7. Large scale applications
  8. View
  9. Controller
  10. Model
  11. Conclusion

Policy Frameworks

  1. Organizational commitment to security
  2. OWASP’s Place at the Framework table
  3. Development Methodology
  4. Coding Standards
  5. Source Code Control
  6. Summary

Secure Coding Principles

  1. Asset Classification
  2. About attackers
  3. Core pillars of information security
  4. Security Architecture
  5. Security Principles

Threat Risk Modeling

  1. Threat Risk Modeling
  2. Performing threat risk modeling using the Microsoft Threat Modeling Process
  3. Alternative Threat Modeling Systems
  4. Trike
  5. AS/NZS
  6. CVSS
  7. OCTAVE
  8. Conclusion
  9. Further Reading

Handling E-Commerce Payments

  1. Objectives
  2. Compliance and Laws
  3. PCI Compliance
  4. Handling Credit Cards
  5. Further Reading

Phishing

  1. What is phishing?
  2. User Education
  3. Make it easy for your users to report scams
  4. Communicating with customers via e-mail
  5. Never ask your customers for their secrets
  6. Fix all your XSS issues
  7. Do not use pop-ups
  8. Don’t be framed
  9. Move your application one link away from your front page
  10. Enforce local referrers for images and other resources
  11. Keep the address bar, use SSL, do not use IP addresses
  12. Don’t be the source of identity theft
  13. Implement safe-guards within your application
  14. Monitor unusual account activity
  15. Get the phishing target servers offline pronto
  16. Take control of the fraudulent domain name
  17. Work with law enforcement
  18. When an attack happens
  19. Further Reading

Web Services

  1. Securing Web Services
  2. Communication security
  3. Passing credentials
  4. Ensuring message freshness
  5. Protecting message integrity
  6. Protecting message confidentiality
  7. Access control
  8. Audit
  9. Web Services Security Hierarchy
  10. SOAP
  11. WS-Security Standard
  12. WS-Security Building Blocks
  13. Communication Protection Mechanisms
  14. Access Control Mechanisms
  15. Forming Web Service Chains
  16. Available Implementations
  17. Problems
  18. Further Reading

Ajax and Other "Rich" Interface Technologies

  1. Objective
  2. Platforms Affected
  3. Architecture
  4. Access control: Authentication and Authorization
  5. Silent transactional authorization
  6. Untrusted or absent session data
  7. State management
  8. Tamper resistance
  9. Privacy
  10. Proxy Façade
  11. SOAP Injection Attacks
  12. XMLRPC Injection Attacks
  13. DOM Injection Attacks
  14. XML Injection Attacks
  15. JSON (Javascript Object Notation) Injection Attacks
  16. Encoding safety
  17. Auditing
  18. Error Handling
  19. Accessibility
  20. Further Reading

Guide to Authentication

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Common web authentication techniques
  6. Strong Authentication
  7. Federated Authentication
  8. Client side authentication controls
  9. Positive Authentication
  10. Multiple Key Lookups
  11. Referer Checks
  12. Browser remembers passwords
  13. Default accounts
  14. Choice of usernames
  15. Change passwords
  16. Short passwords
  17. Weak password controls
  18. Reversible password encryption
  19. Automated password resets
  20. Brute Force
  21. Remember Me
  22. Idle Timeouts
  23. Logout
  24. Account Expiry
  25. Self registration
  26. CAPTCHA
  27. Further Reading
  28. Authentication

Guide to Authorization

  1. Objectives
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Best Practices in Action
  6. Principle of least privilege
  7. Centralized authorization routines
  8. Authorization matrix
  9. Controlling access to protected resources
  10. Protecting access to static resources
  11. Reauthorization for high value activities or after idle out
  12. Time based authorization
  13. Be cautious of custom authorization controls
  14. Never implement client-side authorization tokens
  15. Further Reading

Session Management

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Exposed Session Variables
  7. Page and Form Tokens
  8. Weak Session Cryptographic Algorithms
  9. Session Token Entropy
  10. Session Time-out
  11. Regeneration of Session Tokens
  12. Session Forging/Brute-Forcing Detection and/or Lockout
  13. Session Token Capture and Session Hijacking
  14. Session Tokens on Logout
  15. Session Validation Attacks
  16. PHP
  17. Sessions
  18. Further Reading
  19. Session Management

Data Validation

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Definitions
  6. Where to include integrity checks
  7. Where to include validation
  8. Where to include business rule validation
  9. Data Validation Strategies
  10. Prevent parameter tampering
  11. Hidden fields
  12. ASP.NET Viewstate
  13. URL encoding
  14. HTML encoding
  15. Encoded strings
  16. Data Validation and Interpreter Injection
  17. Delimiter and special characters
  18. Further Reading

Interpreter Injection

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. User Agent Injection
  5. HTTP Response Splitting
  6. SQL Injection
  7. ORM Injection
  8. LDAP Injection
  9. XML Injection
  10. Code Injection
  11. Further Reading
  12. SQL-injection
  13. Code Injection
  14. Command injection

Canonicalization, locale and Unicode

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Unicode
  6. http://www.ietf.org/rfc/rfc#
  7. Input Formats
  8. Locale assertion
  9. Double (or n-) encoding
  10. HTTP Request Smuggling
  11. Further Reading

Error Handling, Auditing and Logging

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Error Handling
  7. Detailed error messages
  8. Logging
  9. Noise
  10. Cover Tracks
  11. False Alarms
  12. Destruction
  13. Audit Trails
  14. Further Reading
  15. Error Handling and Logging

File System

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best Practices
  6. Defacement
  7. Path traversal
  8. Insecure permissions
  9. Insecure Indexing
  10. Unmapped files
  11. Temporary files
  12. PHP
  13. Includes and Remote files
  14. File upload
  15. Old, unreferenced files
  16. Second Order Injection
  17. Further Reading
  18. File System

Distributed Computing

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Race conditions
  6. Distributed synchronization
  7. Further Reading

Buffer Overflows

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. General Prevention Techniques
  6. Stack Overflow
  7. Heap Overflow
  8. Format String
  9. Unicode Overflow
  10. Integer Overflow
  11. Further reading

Administrative Interface

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best practices
  5. Administrators are not users
  6. Authentication for high value systems
  7. Further Reading

Guide to Cryptography

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Cryptographic Functions
  6. Cryptographic Algorithms
  7. Algorithm Selection
  8. Key Storage
  9. Insecure transmission of secrets
  10. Reversible Authentication Tokens
  11. Safe UUID generation
  12. Summary
  13. Further Reading
  14. Cryptography

Configuration

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Default passwords
  6. Secure connection strings
  7. Secure network transmission
  8. Encrypted data
  9. PHP Configuration
  10. Global variables
  11. register_globals
  12. Database security
  13. Further Reading
  14. ColdFusion Components (CFCs)
  15. Configuration

Software Quality Assurance

  1. Objective
  2. Platforms Affected
  3. Best practices
  4. Process
  5. Metrics
  6. Testing Activities

Deployment

  1. Objective
  2. Platforms Affected
  3. Best Practices
  4. Release Management
  5. Secure delivery of code
  6. Code signing
  7. Permissions are set to least privilege
  8. Automated packaging
  9. Automated deployment
  10. Automated removal
  11. No backup or old files
  12. Unnecessary features are off by default
  13. Setup log files are clean
  14. No default accounts
  15. Easter eggs
  16. Malicious software
  17. Further Reading

Maintenance

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Security Incident Response
  6. Fix Security Issues Correctly
  7. Update Notifications
  8. Regularly check permissions
  9. Further Reading
  10. Maintenance

GNU Free Documentation License

  1. PREAMBLE
  2. APPLICABILITY AND DEFINITIONS
  3. VERBATIM COPYING
  4. COPYING IN QUANTITY
  5. MODIFICATIONS
  6. COMBINING DOCUMENTS
  7. COLLECTIONS OF DOCUMENTS
  8. AGGREGATION WITH INDEPENDENT WORKS
  9. TRANSLATION
  10. TERMINATION
  11. FUTURE REVISIONS OF THIS LICENSE

Reference