Difference between revisions of "Guide Table of Contents"

From OWASP
(11 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
=[[Guide Frontispiece|Frontispiece]]=
 
=[[Guide Frontispiece|Frontispiece]]=
 
+
#Dedication
## Dedication
+
#Copyright and license
 
+
#Editors  
## Copyright and license
+
#Authors and Reviewers
 
+
#Revision History
## Editors  
+
 
+
## Authors and Reviewers
+
 
+
## Revision History
+
 
+
 
=[[About The Open Web Application Security Project]]=
 
=[[About The Open Web Application Security Project]]=
 
+
#Structure and Licensing
##Structure and Licensing
+
#Participation and Membership
 
+
#Projects
##Participation and Membership
+
 
+
##Projects
+
 
+
 
=[[Guide Introduction | Introduction]]=
 
=[[Guide Introduction | Introduction]]=
 
+
#Developing Secure Applications
##Developing Secure Applications
+
#Improvements in this edition
 
+
#How to use this Guide
##Improvements in this edition
+
#Updates and errata
 
+
#With thanks
##How to use this Guide
+
 
+
##Updates and errata
+
 
+
##With thanks
+
 
+
 
=[[What are web applications?]]=
 
=[[What are web applications?]]=
 
+
#Technologies
##Technologies
+
#First generation – CGI
 
+
#Filters
##First generation – CGI
+
#Scripting
 
+
#Web application frameworks – J
##Filters
+
#Small to medium scale applications
 
+
#Large scale applications
##Scripting
+
#View
 
+
#Controller
##Web application frameworks – J
+
#Model
 
+
#Conclusion
##Small to medium scale applications
+
 
+
##Large scale applications
+
 
+
##View
+
 
+
##Controller
+
 
+
##Model
+
 
+
##Conclusion
+
 
+
 
=[[Policy Frameworks]]=
 
=[[Policy Frameworks]]=
 
+
#Organizational commitment to security
##Organizational commitment to security
+
#OWASP’s Place at the Framework table
 
+
#Development Methodology
##OWASP’s Place at the Framework table
+
#Coding Standards
 
+
#Source Code Control
##Development Methodology
+
#Summary
 
+
##Coding Standards
+
 
+
##Source Code Control
+
 
+
##Summary
+
 
+
 
=[[Secure Coding Principles]]=
 
=[[Secure Coding Principles]]=
 
+
#Asset Classification
##Asset Classification
+
#About attackers
 
+
#Core pillars of information security
##About attackers
+
#Security Architecture
 
+
#Security Principles
##Core pillars of information security
+
 
+
##Security Architecture
+
 
+
##Security Principles
+
 
+
 
=[[Threat Risk Modeling]]=
 
=[[Threat Risk Modeling]]=
 
+
#Threat Risk Modeling
##Threat Risk Modeling
+
#Performing threat risk modeling using the Microsoft Threat Modeling Process
 
+
#Alternative Threat Modeling Systems
##Performing threat risk modeling using the Microsoft Threat Modeling Process
+
#Trike
 
+
#AS/NZS
##Alternative Threat Modeling Systems
+
#CVSS
 
+
#OCTAVE
##Trike
+
#Conclusion
 
+
#Further Reading
##AS/NZS
+
 
+
##CVSS
+
 
+
##OCTAVE
+
 
+
##Conclusion
+
 
+
##Further Reading
+
 
+
 
=[[Handling E-Commerce Payments]]=
 
=[[Handling E-Commerce Payments]]=
 
+
#Objectives
##Objectives
+
#Compliance and Laws
 
+
#PCI Compliance
##Compliance and Laws
+
#Handling Credit Cards
 
+
#Further Reading
##PCI Compliance
+
 
+
##Handling Credit Cards
+
 
+
##Further Reading
+
 
+
 
=[[Phishing]]=
 
=[[Phishing]]=
 
+
#What is phishing?
##What is phishing?
+
#User Education
 
+
#Make it easy for your users to report scams
##User Education
+
#Communicating with customers via e-mail
 
+
#Never ask your customers for their secrets
##Make it easy for your users to report scams
+
#Fix all your XSS issues
 
+
#Do not use pop-ups
##Communicating with customers via e-mail
+
#Don’t be framed
 
+
#Move your application one link away from your front page
##Never ask your customers for their secrets
+
#Enforce local referrers for images and other resources
 
+
#Keep the address bar, use SSL, do not use IP addresses
##Fix all your XSS issues
+
#Don’t be the source of identity theft
 
+
#Implement safe-guards within your application
##Do not use pop-ups
+
#Monitor unusual account activity
 
+
#Get the phishing target servers offline pronto
##Don’t be framed
+
#Take control of the fraudulent domain name
 
+
#Work with law enforcement
##Move your application one link away from your front page
+
#When an attack happens
 
+
#Further Reading
##Enforce local referrers for images and other resources
+
 
+
##Keep the address bar, use SSL, do not use IP addresses
+
 
+
##Don’t be the source of identity theft
+
 
+
##Implement safe-guards within your application
+
 
+
##Monitor unusual account activity
+
 
+
##Get the phishing target servers offline pronto
+
 
+
##Take control of the fraudulent domain name
+
 
+
##Work with law enforcement
+
 
+
##When an attack happens
+
 
+
##Further Reading
+
 
+
 
=[[Web Services]]=
 
=[[Web Services]]=
 
+
#Securing Web Services
##Securing Web Services
+
#Communication security
 
+
#Passing credentials
##Communication security
+
#Ensuring message freshness
 
+
#Protecting message integrity
##Passing credentials
+
#Protecting message confidentiality
 
+
#Access control
##Ensuring message freshness
+
#Audit
 
+
#Web Services Security Hierarchy
##Protecting message integrity
+
#SOAP
 
+
#WS-Security Standard
##Protecting message confidentiality
+
#WS-Security Building Blocks
 
+
#Communication Protection Mechanisms
##Access control
+
#Access Control Mechanisms
 
+
#Forming Web Service Chains
##Audit
+
#Available Implementations
 
+
#Problems
##Web Services Security Hierarchy
+
#Further Reading
 
+
##SOAP
+
 
+
##WS-Security Standard
+
 
+
##WS-Security Building Blocks
+
 
+
##Communication Protection Mechanisms
+
 
+
##Access Control Mechanisms
+
 
+
##Forming Web Service Chains
+
 
+
##Available Implementations
+
 
+
##Problems
+
 
+
##Further Reading
+
 
+
 
=[[Ajax and Other "Rich" Interface Technologies]]=
 
=[[Ajax and Other "Rich" Interface Technologies]]=
 +
#Objective
 +
#Platforms Affected
 +
#Architecture
 +
#Access control: Authentication and Authorization
 +
#Silent transactional authorization
 +
#Untrusted or absent session data
 +
#State management
 +
#Tamper resistance
 +
#Privacy
 +
#Proxy Façade
 +
#SOAP Injection Attacks
 +
#XMLRPC Injection Attacks
 +
#DOM Injection Attacks
 +
#XML Injection Attacks
 +
#JSON (Javascript Object Notation) Injection Attacks
 +
#Encoding safety
 +
#Auditing
 +
#Error Handling
 +
#Accessibility
 +
#Further Reading
 +
=[[Guide to Authentication]]=
 +
#Objective
 +
#Environments Affected
 +
#Relevant COBIT Topics
 +
#Best Practices
 +
#Common web authentication techniques
 +
#Strong Authentication
 +
#Federated Authentication
 +
#Client side authentication controls
 +
#Positive Authentication
 +
#Multiple Key Lookups
 +
#Referer Checks
 +
#Browser remembers passwords
 +
#Default accounts
 +
#Choice of usernames
 +
#Change passwords
 +
#Short passwords
 +
#Weak password controls
 +
#Reversible password encryption
 +
#Automated password resets
 +
#Brute Force
 +
#Remember Me
 +
#Idle Timeouts
 +
#Logout
 +
#Account Expiry
 +
#Self registration
 +
#CAPTCHA
 +
#Further Reading
 +
#Authentication
  
##Objective
+
=[[Guide to Authorization]]=
 
+
#Objectives
##Platforms Affected
+
#Environments Affected
 
+
#Relevant COBIT Topics
##Architecture
+
#Best Practices
 
+
#Best Practices in Action
##Access control: Authentication and Authorization
+
#Principle of least privilege
 
+
#Centralized authorization routines
##Silent transactional authorization
+
#Authorization matrix
 
+
#Controlling access to protected resources
##Untrusted or absent session data
+
#Protecting access to static resources
 
+
#Reauthorization for high value activities or after idle out
##State management
+
#Time based authorization
 
+
#Be cautious of custom authorization controls
##Tamper resistance
+
#Never implement client-side authorization tokens
 
+
#Further Reading
##Privacy
+
 
+
##Proxy Façade
+
 
+
##SOAP Injection Attacks
+
 
+
##XMLRPC Injection Attacks
+
 
+
##DOM Injection Attacks
+
 
+
##XML Injection Attacks
+
 
+
##JSON (Javascript Object Notation) Injection Attacks
+
 
+
##Encoding safety
+
 
+
##Auditing
+
 
+
##Error Handling
+
 
+
##Accessibility
+
 
+
##Further Reading
+
 
+
=[[Authentication]]=
+
 
+
##Objective
+
 
+
##Environments Affected
+
 
+
##Relevant COBIT Topics
+
 
+
##Best Practices
+
 
+
##Common web authentication techniques
+
 
+
##Strong Authentication
+
 
+
##Federated Authentication
+
 
+
##Client side authentication controls
+
 
+
##Positive Authentication
+
 
+
##Multiple Key Lookups
+
 
+
##Referer Checks
+
 
+
##Browser remembers passwords
+
 
+
##Default accounts
+
 
+
##Choice of usernames
+
 
+
##Change passwords
+
 
+
##Short passwords
+
 
+
##Weak password controls
+
 
+
##Reversible password encryption
+
 
+
##Automated password resets
+
 
+
##Brute Force
+
 
+
##Remember Me
+
 
+
##Idle Timeouts
+
 
+
##Logout
+
 
+
##Account Expiry
+
 
+
##Self registration
+
 
+
##CAPTCHA
+
 
+
##Further Reading
+
 
+
##Authentication
+
 
+
=[[Authorization]]=
+
 
+
##Objectives
+
 
+
##Environments Affected
+
 
+
##Relevant COBIT Topics
+
 
+
##Best Practices
+
 
+
##Best Practices in Action
+
 
+
##Principle of least privilege
+
 
+
##Centralized authorization routines
+
 
+
##Authorization matrix
+
 
+
##Controlling access to protected resources
+
 
+
##Protecting access to static resources
+
 
+
##Reauthorization for high value activities or after idle out
+
 
+
##Time based authorization
+
 
+
##Be cautious of custom authorization controls
+
 
+
##Never implement client-side authorization tokens
+
 
+
##Further Reading
+
  
 
=[[Session Management]]=
 
=[[Session Management]]=
 
+
#Objective
##Objective
+
#Environments Affected
 
+
#Relevant COBIT Topics
##Environments Affected
+
#Description
 
+
#Best practices
##Relevant COBIT Topics
+
#Exposed Session Variables
 
+
#Page and Form Tokens
##Description
+
#Weak Session Cryptographic Algorithms
 
+
#Session Token Entropy
##Best practices
+
#Session Time-out
 
+
#Regeneration of Session Tokens
##Exposed Session Variables
+
#Session Forging/Brute-Forcing Detection and/or Lockout
 
+
#Session Token Capture and Session Hijacking
##Page and Form Tokens
+
#Session Tokens on Logout
 
+
#Session Validation Attacks
##Weak Session Cryptographic Algorithms
+
#PHP
 
+
#Sessions
##Session Token Entropy
+
#Further Reading
 
+
#Session Management
##Session Time-out
+
 
+
##Regeneration of Session Tokens
+
 
+
##Session Forging/Brute-Forcing Detection and/or Lockout
+
 
+
##Session Token Capture and Session Hijacking
+
 
+
##Session Tokens on Logout
+
 
+
##Session Validation Attacks
+
 
+
##PHP
+
 
+
##Sessions
+
 
+
##Further Reading
+
 
+
##Session Management
+
 
+
 
=[[Data Validation]]=
 
=[[Data Validation]]=
 
+
#Objective
##Objective
+
#Platforms Affected
 
+
#Relevant COBIT Topics
##Platforms Affected
+
#Description
 
+
#Definitions
##Relevant COBIT Topics
+
#Where to include integrity checks
 
+
#Where to include validation
##Description
+
#Where to include business rule validation
 
+
#Data Validation Strategies
##Definitions
+
#Prevent parameter tampering
 
+
#Hidden fields
##Where to include integrity checks
+
#ASP.NET Viewstate
 
+
#URL encoding
##Where to include validation
+
#HTML encoding
 
+
#Encoded strings
##Where to include business rule validation
+
#Data Validation and Interpreter Injection
 
+
#Delimiter and special characters
##Data Validation Strategies
+
#Further Reading
 
+
##Prevent parameter tampering
+
 
+
##Hidden fields
+
 
+
##ASP.NET Viewstate
+
 
+
##URL encoding
+
 
+
##HTML encoding
+
 
+
##Encoded strings
+
 
+
##Data Validation and Interpreter Injection
+
 
+
##Delimiter and special characters
+
 
+
##Further Reading
+
 
+
 
=[[Interpreter Injection]]=
 
=[[Interpreter Injection]]=
 
+
#Objective
##Objective
+
#Platforms Affected
 
+
#Relevant COBIT Topics
##Platforms Affected
+
#User Agent Injection
 
+
#HTTP Response Splitting
##Relevant COBIT Topics
+
#SQL Injection
 
+
#ORM Injection
##User Agent Injection
+
#LDAP Injection
 
+
#XML Injection
##HTTP Response Splitting
+
#Code Injection
 
+
#Further Reading
##SQL Injection
+
#SQL-injection
 
+
#Code Injection
##ORM Injection
+
#Command injection
 
+
=[[Canonicalization, locale and Unicode]]=
##LDAP Injection
+
#Objective
 
+
#Platforms Affected
##XML Injection
+
#Relevant COBIT Topics
 
+
#Description
##Code Injection
+
#Unicode
 
+
#http://www.ietf.org/rfc/rfc#
##Further Reading
+
#Input Formats
 
+
#Locale assertion
##SQL-injection
+
#Double (or n-) encoding
 
+
# HTTP Request Smuggling
##Code Injection
+
# Further Reading
 
+
##Command injection
+
 
+
=[[Canoncalization, locale and Unicode]]=
+
 
+
##Objective
+
 
+
##Platforms Affected
+
 
+
##Relevant COBIT Topics
+
 
+
##Description
+
 
+
##Unicode
+
 
+
##http://www.ietf.org/rfc/rfc##
+
 
+
##Input Formats
+
 
+
##Locale assertion
+
 
+
##Double (or n-) encoding
+
 
+
## HTTP Request Smuggling
+
 
+
## Further Reading
+
  
 
=[[Error Handling, Auditing and Logging]]=
 
=[[Error Handling, Auditing and Logging]]=
 
+
#Objective
##Objective
+
#Environments Affected
 
+
#Relevant COBIT Topics
##Environments Affected
+
#Description
 
+
#Best practices
##Relevant COBIT Topics
+
#Error Handling
 
+
#Detailed error messages
##Description
+
#Logging
 
+
#Noise
##Best practices
+
#Cover Tracks
 
+
#False Alarms
##Error Handling
+
#Destruction
 
+
#Audit Trails
##Detailed error messages
+
#Further Reading
 
+
#Error Handling and Logging
##Logging
+
 
+
##Noise
+
 
+
##Cover Tracks
+
 
+
##False Alarms
+
 
+
##Destruction
+
 
+
##Audit Trails
+
 
+
##Further Reading
+
 
+
##Error Handling and Logging
+
 
+
 
=[[File System]]=
 
=[[File System]]=
 
+
#Objective
##Objective
+
#Environments Affected
 
+
#Relevant COBIT Topics
##Environments Affected
+
#Description
 
+
#Best Practices
##Relevant COBIT Topics
+
#Defacement
 
+
#Path traversal
##Description
+
#Insecure permissions
 
+
#Insecure Indexing
##Best Practices
+
#Unmapped files
 
+
#Temporary files
##Defacement
+
#PHP
 
+
#Includes and Remote files
##Path traversal
+
#File upload
 
+
#Old, unreferenced files
##Insecure permissions
+
#Second Order Injection
 
+
#Further Reading
##Insecure Indexing
+
#File System
 
+
##Unmapped files
+
 
+
##Temporary files
+
 
+
##PHP
+
 
+
##Includes and Remote files
+
 
+
##File upload
+
 
+
##Old, unreferenced files
+
 
+
##Second Order Injection
+
 
+
##Further Reading
+
 
+
##File System
+
 
+
 
=[[Distributed Computing]]=
 
=[[Distributed Computing]]=
 
+
#Objective
##Objective
+
#Environments Affected
 
+
#Relevant COBIT Topics
##Environments Affected
+
#Best Practices
 
+
#Race conditions
##Relevant COBIT Topics
+
#Distributed synchronization
 
+
#Further Reading
##Best Practices
+
 
+
##Race conditions
+
 
+
##Distributed synchronization
+
 
+
##Further Reading
+
 
+
 
=[[Buffer Overflows]]=
 
=[[Buffer Overflows]]=
 
+
#Objective
##Objective
+
#Platforms Affected
 
+
#Relevant COBIT Topics
##Platforms Affected
+
#Description
 
+
#General Prevention Techniques
##Relevant COBIT Topics
+
#Stack Overflow
 
+
#Heap Overflow
##Description
+
#Format String
 
+
#Unicode Overflow
##General Prevention Techniques
+
#Integer Overflow
 
+
#Further reading
##Stack Overflow
+
 
+
##Heap Overflow
+
 
+
##Format String
+
 
+
##Unicode Overflow
+
 
+
##Integer Overflow
+
 
+
##Further reading
+
 
+
 
=[[Administrative Interface]]=
 
=[[Administrative Interface]]=
 
+
#Objective
##Objective
+
#Environments Affected
 
+
#Relevant COBIT Topics
##Environments Affected
+
#Best practices
 
+
#Administrators are not users
##Relevant COBIT Topics
+
#Authentication for high value systems
 
+
#Further Reading
##Best practices
+
=[[Guide to Cryptography]]=
 
+
#Objective
##Administrators are not users
+
#Platforms Affected
 
+
#Relevant COBIT Topics
##Authentication for high value systems
+
#Description
 
+
#Cryptographic Functions
##Further Reading
+
#Cryptographic Algorithms
 
+
#Algorithm Selection
=[[Cryptography]]=
+
#Key Storage
 
+
#Insecure transmission of secrets
##Objective
+
#Reversible Authentication Tokens
 
+
#Safe UUID generation
##Platforms Affected
+
#Summary
 
+
#Further Reading
##Relevant COBIT Topics
+
#Cryptography
 
+
##Description
+
 
+
##Cryptographic Functions
+
 
+
##Cryptographic Algorithms
+
 
+
##Algorithm Selection
+
 
+
##Key Storage
+
 
+
##Insecure transmission of secrets
+
 
+
##Reversible Authentication Tokens
+
 
+
##Safe UUID generation
+
 
+
##Summary
+
 
+
##Further Reading
+
 
+
##Cryptography
+
  
 
=[[Configuration]]=
 
=[[Configuration]]=
 
+
#Objective
##Objective
+
#Platforms Affected
 
+
#Relevant COBIT Topics
##Platforms Affected
+
#Best Practices
 
+
#Default passwords
##Relevant COBIT Topics
+
#Secure connection strings
 
+
#Secure network transmission
##Best Practices
+
#Encrypted data
 
+
#PHP Configuration
##Default passwords
+
#Global variables
 
+
#register_globals
##Secure connection strings
+
#Database security
 
+
#Further Reading
##Secure network transmission
+
#ColdFusion Components (CFCs)
 
+
#Configuration
##Encrypted data
+
 
+
##PHP Configuration
+
 
+
##Global variables
+
 
+
##register_globals
+
 
+
##Database security
+
 
+
##Further Reading
+
 
+
##ColdFusion Components (CFCs)
+
 
+
##Configuration
+
 
+
 
=[[Software Quality Assurance]]=
 
=[[Software Quality Assurance]]=
 
+
#Objective
##Objective
+
#Platforms Affected
 
+
#Best practices
##Platforms Affected
+
#Process
 
+
#Metrics
##Best practices
+
#Testing Activities
 
+
##Process
+
 
+
##Metrics
+
 
+
##Testing Activities
+
 
+
 
=[[Deployment]]=
 
=[[Deployment]]=
 
+
#Objective
##Objective
+
#Platforms Affected
 
+
#Best Practices
##Platforms Affected
+
#Release Management
 
+
#Secure delivery of code
##Best Practices
+
#Code signing
 
+
#Permissions are set to least privilege
##Release Management
+
#Automated packaging
 
+
#Automated deployment
##Secure delivery of code
+
#Automated removal
 
+
#No backup or old files
##Code signing
+
#Unnecessary features are off by default
 
+
#Setup log files are clean
##Permissions are set to least privilege
+
#No default accounts
 
+
#Easter eggs
##Automated packaging
+
#Malicious software
 
+
#Further Reading
##Automated deployment
+
 
+
##Automated removal
+
 
+
##No backup or old files
+
 
+
##Unnecessary features are off by default
+
 
+
##Setup log files are clean
+
 
+
##No default accounts
+
 
+
##Easter eggs
+
 
+
##Malicious software
+
 
+
##Further Reading
+
 
+
 
=[[Maintenance]]=
 
=[[Maintenance]]=
 
+
#Objective
##Objective
+
#Platforms Affected
 
+
#Relevant COBIT Topics
##Platforms Affected
+
#Best Practices
 
+
#Security Incident Response
##Relevant COBIT Topics
+
#Fix Security Issues Correctly
 
+
#Update Notifications
##Best Practices
+
#Regularly check permissions
 
+
#Further Reading
##Security Incident Response
+
#Maintenance
 
+
##Fix Security Issues Correctly
+
 
+
##Update Notifications
+
 
+
##Regularly check permissions
+
 
+
##Further Reading
+
 
+
##Maintenance
+
 
+
 
=[[GNU Free Documentation License]]=
 
=[[GNU Free Documentation License]]=
 
+
#PREAMBLE
##PREAMBLE
+
#APPLICABILITY AND DEFINITIONS
 
+
#VERBATIM COPYING
##APPLICABILITY AND DEFINITIONS
+
#COPYING IN QUANTITY
 
+
#MODIFICATIONS
##VERBATIM COPYING
+
#COMBINING DOCUMENTS
 
+
#COLLECTIONS OF DOCUMENTS
##COPYING IN QUANTITY
+
#AGGREGATION WITH INDEPENDENT WORKS
 
+
#TRANSLATION
##MODIFICATIONS
+
#TERMINATION
 
+
#FUTURE REVISIONS OF THIS LICENSE
##COMBINING DOCUMENTS
+
=Reference=
 
+
[[Category:OWASP_Guide_Project]]
##COLLECTIONS OF DOCUMENTS
+
 
+
##AGGREGATION WITH INDEPENDENT WORKS
+
 
+
##TRANSLATION
+
 
+
##TERMINATION
+
 
+
##FUTURE REVISIONS OF THIS LICENSE
+
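Review bot: the revised outline (the single-`#` entries on the new side of this diff) closes several chapters with an item that merely repeats the chapter title, e.g. `#Authentication`, `#Session Management` and `#Cryptography` (the same pattern appears under Error Handling, File System, Configuration and Maintenance); these read as stray headings left over from the restructuring rather than real sections and should be removed or given their intended titles. In the Interpreter Injection chapter, `#Code Injection` appears twice and both `#SQL Injection` and `#SQL-injection` are listed, so each pair should be merged into one entry. In the Canonicalization chapter the entry `#http://www.ietf.org/rfc/rfc#` is a bare URL whose RFC number is missing; it needs a descriptive section title, with the number supplied by the author. The spelling fix from `Canoncalization` to `Canonicalization` in the chapter heading is correct and should stay.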

Latest revision as of 16:42, 26 January 2007

Contents

Frontispiece

  1. Dedication
  2. Copyright and license
  3. Editors
  4. Authors and Reviewers
  5. Revision History

About The Open Web Application Security Project

  1. Structure and Licensing
  2. Participation and Membership
  3. Projects

Introduction

  1. Developing Secure Applications
  2. Improvements in this edition
  3. How to use this Guide
  4. Updates and errata
  5. With thanks

What are web applications?

  1. Technologies
  2. First generation – CGI
  3. Filters
  4. Scripting
  5. Web application frameworks – J
  6. Small to medium scale applications
  7. Large scale applications
  8. View
  9. Controller
  10. Model
  11. Conclusion

Policy Frameworks

  1. Organizational commitment to security
  2. OWASP’s Place at the Framework table
  3. Development Methodology
  4. Coding Standards
  5. Source Code Control
  6. Summary

Secure Coding Principles

  1. Asset Classification
  2. About attackers
  3. Core pillars of information security
  4. Security Architecture
  5. Security Principles

Threat Risk Modeling

  1. Threat Risk Modeling
  2. Performing threat risk modeling using the Microsoft Threat Modeling Process
  3. Alternative Threat Modeling Systems
  4. Trike
  5. AS/NZS
  6. CVSS
  7. OCTAVE
  8. Conclusion
  9. Further Reading

Handling E-Commerce Payments

  1. Objectives
  2. Compliance and Laws
  3. PCI Compliance
  4. Handling Credit Cards
  5. Further Reading

Phishing

  1. What is phishing?
  2. User Education
  3. Make it easy for your users to report scams
  4. Communicating with customers via e-mail
  5. Never ask your customers for their secrets
  6. Fix all your XSS issues
  7. Do not use pop-ups
  8. Don’t be framed
  9. Move your application one link away from your front page
  10. Enforce local referrers for images and other resources
  11. Keep the address bar, use SSL, do not use IP addresses
  12. Don’t be the source of identity theft
  13. Implement safe-guards within your application
  14. Monitor unusual account activity
  15. Get the phishing target servers offline pronto
  16. Take control of the fraudulent domain name
  17. Work with law enforcement
  18. When an attack happens
  19. Further Reading

Web Services

  1. Securing Web Services
  2. Communication security
  3. Passing credentials
  4. Ensuring message freshness
  5. Protecting message integrity
  6. Protecting message confidentiality
  7. Access control
  8. Audit
  9. Web Services Security Hierarchy
  10. SOAP
  11. WS-Security Standard
  12. WS-Security Building Blocks
  13. Communication Protection Mechanisms
  14. Access Control Mechanisms
  15. Forming Web Service Chains
  16. Available Implementations
  17. Problems
  18. Further Reading

Ajax and Other "Rich" Interface Technologies

  1. Objective
  2. Platforms Affected
  3. Architecture
  4. Access control: Authentication and Authorization
  5. Silent transactional authorization
  6. Untrusted or absent session data
  7. State management
  8. Tamper resistance
  9. Privacy
  10. Proxy Façade
  11. SOAP Injection Attacks
  12. XMLRPC Injection Attacks
  13. DOM Injection Attacks
  14. XML Injection Attacks
  15. JSON (Javascript Object Notation) Injection Attacks
  16. Encoding safety
  17. Auditing
  18. Error Handling
  19. Accessibility
  20. Further Reading

Guide to Authentication

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Common web authentication techniques
  6. Strong Authentication
  7. Federated Authentication
  8. Client side authentication controls
  9. Positive Authentication
  10. Multiple Key Lookups
  11. Referer Checks
  12. Browser remembers passwords
  13. Default accounts
  14. Choice of usernames
  15. Change passwords
  16. Short passwords
  17. Weak password controls
  18. Reversible password encryption
  19. Automated password resets
  20. Brute Force
  21. Remember Me
  22. Idle Timeouts
  23. Logout
  24. Account Expiry
  25. Self registration
  26. CAPTCHA
  27. Further Reading
  28. Authentication

Guide to Authorization

  1. Objectives
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Best Practices in Action
  6. Principle of least privilege
  7. Centralized authorization routines
  8. Authorization matrix
  9. Controlling access to protected resources
  10. Protecting access to static resources
  11. Reauthorization for high value activities or after idle out
  12. Time based authorization
  13. Be cautious of custom authorization controls
  14. Never implement client-side authorization tokens
  15. Further Reading

Session Management

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Exposed Session Variables
  7. Page and Form Tokens
  8. Weak Session Cryptographic Algorithms
  9. Session Token Entropy
  10. Session Time-out
  11. Regeneration of Session Tokens
  12. Session Forging/Brute-Forcing Detection and/or Lockout
  13. Session Token Capture and Session Hijacking
  14. Session Tokens on Logout
  15. Session Validation Attacks
  16. PHP
  17. Sessions
  18. Further Reading
  19. Session Management

Data Validation

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Definitions
  6. Where to include integrity checks
  7. Where to include validation
  8. Where to include business rule validation
  9. Data Validation Strategies
  10. Prevent parameter tampering
  11. Hidden fields
  12. ASP.NET Viewstate
  13. URL encoding
  14. HTML encoding
  15. Encoded strings
  16. Data Validation and Interpreter Injection
  17. Delimiter and special characters
  18. Further Reading

Interpreter Injection

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. User Agent Injection
  5. HTTP Response Splitting
  6. SQL Injection
  7. ORM Injection
  8. LDAP Injection
  9. XML Injection
  10. Code Injection
  11. Further Reading
  12. SQL-injection
  13. Code Injection
  14. Command injection

Canonicalization, locale and Unicode

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Unicode
  6. http://www.ietf.org/rfc/rfc#
  7. Input Formats
  8. Locale assertion
  9. Double (or n-) encoding
  10. HTTP Request Smuggling
  11. Further Reading

Error Handling, Auditing and Logging

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best practices
  6. Error Handling
  7. Detailed error messages
  8. Logging
  9. Noise
  10. Cover Tracks
  11. False Alarms
  12. Destruction
  13. Audit Trails
  14. Further Reading
  15. Error Handling and Logging

File System

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Description
  5. Best Practices
  6. Defacement
  7. Path traversal
  8. Insecure permissions
  9. Insecure Indexing
  10. Unmapped files
  11. Temporary files
  12. PHP
  13. Includes and Remote files
  14. File upload
  15. Old, unreferenced files
  16. Second Order Injection
  17. Further Reading
  18. File System

Distributed Computing

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Race conditions
  6. Distributed synchronization
  7. Further Reading

Buffer Overflows

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. General Prevention Techniques
  6. Stack Overflow
  7. Heap Overflow
  8. Format String
  9. Unicode Overflow
  10. Integer Overflow
  11. Further reading

Administrative Interface

  1. Objective
  2. Environments Affected
  3. Relevant COBIT Topics
  4. Best practices
  5. Administrators are not users
  6. Authentication for high value systems
  7. Further Reading

Guide to Cryptography

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Description
  5. Cryptographic Functions
  6. Cryptographic Algorithms
  7. Algorithm Selection
  8. Key Storage
  9. Insecure transmission of secrets
  10. Reversible Authentication Tokens
  11. Safe UUID generation
  12. Summary
  13. Further Reading
  14. Cryptography

Configuration

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Default passwords
  6. Secure connection strings
  7. Secure network transmission
  8. Encrypted data
  9. PHP Configuration
  10. Global variables
  11. register_globals
  12. Database security
  13. Further Reading
  14. ColdFusion Components (CFCs)
  15. Configuration

Software Quality Assurance

  1. Objective
  2. Platforms Affected
  3. Best practices
  4. Process
  5. Metrics
  6. Testing Activities

Deployment

  1. Objective
  2. Platforms Affected
  3. Best Practices
  4. Release Management
  5. Secure delivery of code
  6. Code signing
  7. Permissions are set to least privilege
  8. Automated packaging
  9. Automated deployment
  10. Automated removal
  11. No backup or old files
  12. Unnecessary features are off by default
  13. Setup log files are clean
  14. No default accounts
  15. Easter eggs
  16. Malicious software
  17. Further Reading

Maintenance

  1. Objective
  2. Platforms Affected
  3. Relevant COBIT Topics
  4. Best Practices
  5. Security Incident Response
  6. Fix Security Issues Correctly
  7. Update Notifications
  8. Regularly check permissions
  9. Further Reading
  10. Maintenance

GNU Free Documentation License

  1. PREAMBLE
  2. APPLICABILITY AND DEFINITIONS
  3. VERBATIM COPYING
  4. COPYING IN QUANTITY
  5. MODIFICATIONS
  6. COMBINING DOCUMENTS
  7. COLLECTIONS OF DOCUMENTS
  8. AGGREGATION WITH INDEPENDENT WORKS
  9. TRANSLATION
  10. TERMINATION
  11. FUTURE REVISIONS OF THIS LICENSE

Reference