Difference between revisions of "Guide Table of Contents"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
#[[Guide Frontispiece|Frontispiece]]
+
=[[Guide Frontispiece|Frontispiece]]  
## Dedication
+
== Dedication
## Copyright and license
+
== Copyright and license
## Editors  
+
== Editors  
## Authors and Reviewers
+
== Authors and Reviewers
## Revision History
+
== Revision History
#[[About The Open Web Application Security Project]]
+
=[[About The Open Web Application Security Project]]
##Structure and Licensing
+
==Structure and Licensing
##Participation and Membership
+
==Participation and Membership
##Projects
+
==Projects
#[[Guide Introduction | Introduction]]
+
=[[Guide Introduction | Introduction]]
##Developing Secure Applications
+
==Developing Secure Applications
##Improvements in this edition
+
==Improvements in this edition
##How to use this Guide
+
==How to use this Guide
##Updates and errata
+
==Updates and errata
##With thanks
+
==With thanks
#[[What are web applications?]]
+
=[[What are web applications?]]
##Technologies
+
==Technologies
##First generation – CGI
+
==First generation – CGI
##Filters
+
==Filters
##Scripting
+
==Scripting
##Web application frameworks – J
+
==Web application frameworks – J
##Small to medium scale applications
+
==Small to medium scale applications
##Large scale applications
+
==Large scale applications
##View
+
==View
##Controller
+
==Controller
##Model
+
==Model
##Conclusion
+
==Conclusion
#[[Policy Frameworks]]
+
=[[Policy Frameworks]]
##Organizational commitment to security
+
==Organizational commitment to security
##OWASP’s Place at the Framework table
+
==OWASP’s Place at the Framework table
##Development Methodology
+
==Development Methodology
##Coding Standards
+
==Coding Standards
##Source Code Control
+
==Source Code Control
##Summary
+
==Summary
#[[Secure Coding Principles]]
+
=[[Secure Coding Principles]]
##Asset Classification
+
==Asset Classification
##About attackers
+
==About attackers
##Core pillars of information security
+
==Core pillars of information security
##Security Architecture
+
==Security Architecture
##Security Principles
+
==Security Principles
#[[Threat Risk Modeling]]
+
=[[Threat Risk Modeling]]
##Threat Risk Modeling
+
==Threat Risk Modeling
##Performing threat risk modeling using the Microsoft Threat Modeling Process
+
==Performing threat risk modeling using the Microsoft Threat Modeling Process
##Alternative Threat Modeling Systems
+
==Alternative Threat Modeling Systems
##Trike
+
==Trike
##AS/NZS
+
==AS/NZS
##CVSS
+
==CVSS
##OCTAVE
+
==OCTAVE
##Conclusion
+
==Conclusion
##Further Reading
+
==Further Reading
#[[Handling E-Commerce Payments]]
+
=[[Handling E-Commerce Payments]]
##Objectives
+
==Objectives
##Compliance and Laws
+
==Compliance and Laws
##PCI Compliance
+
==PCI Compliance
##Handling Credit Cards
+
==Handling Credit Cards
##Further Reading
+
==Further Reading
#[[Phishing]]
+
=[[Phishing]]
##What is phishing?
+
==What is phishing?
##User Education
+
==User Education
##Make it easy for your users to report scams
+
==Make it easy for your users to report scams
##Communicating with customers via e-mail
+
==Communicating with customers via e-mail
##Never ask your customers for their secrets
+
==Never ask your customers for their secrets
##Fix all your XSS issues
+
==Fix all your XSS issues
##Do not use pop-ups
+
==Do not use pop-ups
##Don’t be framed
+
==Don’t be framed
##Move your application one link away from your front page
+
==Move your application one link away from your front page
##Enforce local referrers for images and other resources
+
==Enforce local referrers for images and other resources
##Keep the address bar, use SSL, do not use IP addresses
+
==Keep the address bar, use SSL, do not use IP addresses
##Don’t be the source of identity theft
+
==Don’t be the source of identity theft
##Implement safe-guards within your application
+
==Implement safe-guards within your application
##Monitor unusual account activity
+
==Monitor unusual account activity
##Get the phishing target servers offline pronto
+
==Get the phishing target servers offline pronto
##Take control of the fraudulent domain name
+
==Take control of the fraudulent domain name
##Work with law enforcement
+
==Work with law enforcement
##When an attack happens
+
==When an attack happens
##Further Reading
+
==Further Reading
#[[Web Services]]
+
=[[Web Services]]
##Securing Web Services
+
==Securing Web Services
##Communication security
+
==Communication security
##Passing credentials
+
==Passing credentials
##Ensuring message freshness
+
==Ensuring message freshness
##Protecting message integrity
+
==Protecting message integrity
##Protecting message confidentiality
+
==Protecting message confidentiality
##Access control
+
==Access control
##Audit
+
==Audit
##Web Services Security Hierarchy
+
==Web Services Security Hierarchy
##SOAP
+
==SOAP
##WS-Security Standard
+
==WS-Security Standard
##WS-Security Building Blocks
+
==WS-Security Building Blocks
##Communication Protection Mechanisms
+
==Communication Protection Mechanisms
##Access Control Mechanisms
+
==Access Control Mechanisms
##Forming Web Service Chains
+
==Forming Web Service Chains
##Available Implementations
+
==Available Implementations
##Problems
+
==Problems
##Further Reading
+
==Further Reading
#[[Ajax and Other "Rich" Interface Technologies]]
+
=[[Ajax and Other "Rich" Interface Technologies]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Architecture
+
==Architecture
##Access control: Authentication and Authorization
+
==Access control: Authentication and Authorization
##Silent transactional authorization
+
==Silent transactional authorization
##Untrusted or absent session data
+
==Untrusted or absent session data
##State management
+
==State management
##Tamper resistance
+
==Tamper resistance
##Privacy
+
==Privacy
##Proxy Façade
+
==Proxy Façade
##SOAP Injection Attacks
+
==SOAP Injection Attacks
##XMLRPC Injection Attacks
+
==XMLRPC Injection Attacks
##DOM Injection Attacks
+
==DOM Injection Attacks
##XML Injection Attacks
+
==XML Injection Attacks
##JSON (Javascript Object Notation) Injection Attacks
+
==JSON (Javascript Object Notation) Injection Attacks
##Encoding safety
+
==Encoding safety
##Auditing
+
==Auditing
##Error Handling
+
==Error Handling
##Accessibility
+
==Accessibility
##Further Reading
+
==Further Reading
#[[Authentication]]
+
=[[Authentication]]
##Objective
+
==Objective
##Environments Affected
+
==Environments Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Best Practices
+
==Best Practices
##Common web authentication techniques
+
==Common web authentication techniques
##Strong Authentication
+
==Strong Authentication
##Federated Authentication
+
==Federated Authentication
##Client side authentication controls
+
==Client side authentication controls
##Positive Authentication
+
==Positive Authentication
##Multiple Key Lookups
+
==Multiple Key Lookups
##Referer Checks
+
==Referer Checks
##Browser remembers passwords
+
==Browser remembers passwords
##Default accounts
+
==Default accounts
##Choice of usernames
+
==Choice of usernames
##Change passwords
+
==Change passwords
##Short passwords
+
==Short passwords
##Weak password controls
+
==Weak password controls
##Reversible password encryption
+
==Reversible password encryption
##Automated password resets
+
==Automated password resets
##Brute Force
+
==Brute Force
##Remember Me
+
==Remember Me
##Idle Timeouts
+
==Idle Timeouts
##Logout
+
==Logout
##Account Expiry
+
==Account Expiry
##Self registration
+
==Self registration
##CAPTCHA
+
==CAPTCHA
##Further Reading
+
==Further Reading
##Authentication
+
==Authentication
#[[Authorization]]
+
=[[Authorization]]
##Objectives
+
==Objectives
##Environments Affected
+
==Environments Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Best Practices
+
==Best Practices
##Best Practices in Action
+
==Best Practices in Action
##Principle of least privilege
+
==Principle of least privilege
##Centralized authorization routines
+
==Centralized authorization routines
##Authorization matrix
+
==Authorization matrix
##Controlling access to protected resources
+
==Controlling access to protected resources
##Protecting access to static resources
+
==Protecting access to static resources
##Reauthorization for high value activities or after idle out
+
==Reauthorization for high value activities or after idle out
##Time based authorization
+
==Time based authorization
##Be cautious of custom authorization controls
+
==Be cautious of custom authorization controls
##Never implement client-side authorization tokens
+
==Never implement client-side authorization tokens
##Further Reading
+
==Further Reading
#[[Session Management]]
+
=[[Session Management]]
##Objective
+
==Objective
##Environments Affected
+
==Environments Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Description
+
==Description
##Best practices
+
==Best practices
##Exposed Session Variables
+
==Exposed Session Variables
##Page and Form Tokens
+
==Page and Form Tokens
##Weak Session Cryptographic Algorithms
+
==Weak Session Cryptographic Algorithms
##Session Token Entropy
+
==Session Token Entropy
##Session Time-out
+
==Session Time-out
##Regeneration of Session Tokens
+
==Regeneration of Session Tokens
##Session Forging/Brute-Forcing Detection and/or Lockout
+
==Session Forging/Brute-Forcing Detection and/or Lockout
##Session Token Capture and Session Hijacking
+
==Session Token Capture and Session Hijacking
##Session Tokens on Logout
+
==Session Tokens on Logout
##Session Validation Attacks
+
==Session Validation Attacks
##PHP
+
==PHP
##Sessions
+
==Sessions
##Further Reading
+
==Further Reading
##Session Management
+
==Session Management
#[[Data Validation]]
+
=[[Data Validation]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Description
+
==Description
##Definitions
+
==Definitions
##Where to include integrity checks
+
==Where to include integrity checks
##Where to include validation
+
==Where to include validation
##Where to include business rule validation
+
==Where to include business rule validation
##Data Validation Strategies
+
==Data Validation Strategies
##Prevent parameter tampering
+
==Prevent parameter tampering
##Hidden fields
+
==Hidden fields
##ASP.NET Viewstate
+
==ASP.NET Viewstate
##URL encoding
+
==URL encoding
##HTML encoding
+
==HTML encoding
##Encoded strings
+
==Encoded strings
##Data Validation and Interpreter Injection
+
==Data Validation and Interpreter Injection
##Delimiter and special characters
+
==Delimiter and special characters
##Further Reading
+
==Further Reading
#[[Interpreter Injection]]
+
=[[Interpreter Injection]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##User Agent Injection
+
==User Agent Injection
##HTTP Response Splitting
+
==HTTP Response Splitting
##SQL Injection
+
==SQL Injection
##ORM Injection
+
==ORM Injection
##LDAP Injection
+
==LDAP Injection
##XML Injection
+
==XML Injection
##Code Injection
+
==Code Injection
##Further Reading
+
==Further Reading
##SQL-injection
+
==SQL-injection
##Code Injection
+
==Code Injection
##Command injection
+
==Command injection
#[[Canoncalization, locale and Unicode]]
+
=[[Canoncalization, locale and Unicode]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Description
+
==Description
##Unicode
+
==Unicode
##http://www.ietf.org/rfc/rfc##
+
==http://www.ietf.org/rfc/rfc==
##Input Formats
+
==Input Formats
##Locale assertion
+
==Locale assertion
##Double (or n-) encoding
+
==Double (or n-) encoding
## HTTP Request Smuggling
+
== HTTP Request Smuggling
## Further Reading
+
== Further Reading
#[[Error Handling, Auditing and Logging]]
+
=[[Error Handling, Auditing and Logging]]
##Objective
+
==Objective
##Environments Affected
+
==Environments Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Description
+
==Description
##Best practices
+
==Best practices
##Error Handling
+
==Error Handling
##Detailed error messages
+
==Detailed error messages
##Logging
+
==Logging
##Noise
+
==Noise
##Cover Tracks
+
==Cover Tracks
##False Alarms
+
==False Alarms
##Destruction
+
==Destruction
##Audit Trails
+
==Audit Trails
##Further Reading
+
==Further Reading
##Error Handling and Logging
+
==Error Handling and Logging
#[[File System]]
+
=[[File System]]
##Objective
+
==Objective
##Environments Affected
+
==Environments Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Description
+
==Description
##Best Practices
+
==Best Practices
##Defacement
+
==Defacement
##Path traversal
+
==Path traversal
##Insecure permissions
+
==Insecure permissions
##Insecure Indexing
+
==Insecure Indexing
##Unmapped files
+
==Unmapped files
##Temporary files
+
==Temporary files
##PHP
+
==PHP
##Includes and Remote files
+
==Includes and Remote files
##File upload
+
==File upload
##Old, unreferenced files
+
==Old, unreferenced files
##Second Order Injection
+
==Second Order Injection
##Further Reading
+
==Further Reading
##File System
+
==File System
#[[Distributed Computing]]
+
=[[Distributed Computing]]
##Objective
+
==Objective
##Environments Affected
+
==Environments Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Best Practices
+
==Best Practices
##Race conditions
+
==Race conditions
##Distributed synchronization
+
==Distributed synchronization
##Further Reading
+
==Further Reading
#[[Buffer Overflows]]
+
=[[Buffer Overflows]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Description
+
==Description
##General Prevention Techniques
+
==General Prevention Techniques
##Stack Overflow
+
==Stack Overflow
##Heap Overflow
+
==Heap Overflow
##Format String
+
==Format String
##Unicode Overflow
+
==Unicode Overflow
##Integer Overflow
+
==Integer Overflow
##Further reading
+
==Further reading
#[[Administrative Interface]]
+
=[[Administrative Interface]]
##Objective
+
==Objective
##Environments Affected
+
==Environments Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Best practices
+
==Best practices
##Administrators are not users
+
==Administrators are not users
##Authentication for high value systems
+
==Authentication for high value systems
##Further Reading
+
==Further Reading
#[[Cryptography]]
+
=[[Cryptography]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Description
+
==Description
##Cryptographic Functions
+
==Cryptographic Functions
##Cryptographic Algorithms
+
==Cryptographic Algorithms
##Algorithm Selection
+
==Algorithm Selection
##Key Storage
+
==Key Storage
##Insecure transmission of secrets
+
==Insecure transmission of secrets
##Reversible Authentication Tokens
+
==Reversible Authentication Tokens
##Safe UUID generation
+
==Safe UUID generation
##Summary
+
==Summary
##Further Reading
+
==Further Reading
##Cryptography
+
==Cryptography
#[[Configuration]]
+
=[[Configuration]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Best Practices
+
==Best Practices
##Default passwords
+
==Default passwords
##Secure connection strings
+
==Secure connection strings
##Secure network transmission
+
==Secure network transmission
##Encrypted data
+
==Encrypted data
##PHP Configuration
+
==PHP Configuration
##Global variables
+
==Global variables
##register_globals
+
==register_globals
##Database security
+
==Database security
##Further Reading
+
==Further Reading
##ColdFusion Components (CFCs)
+
==ColdFusion Components (CFCs)
##Configuration
+
==Configuration
#[[Software Quality Assurance]]
+
=[[Software Quality Assurance]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Best practices
+
==Best practices
##Process
+
==Process
##Metrics
+
==Metrics
##Testing Activities
+
==Testing Activities
#[[Deployment]]
+
=[[Deployment]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Best Practices
+
==Best Practices
##Release Management
+
==Release Management
##Secure delivery of code
+
==Secure delivery of code
##Code signing
+
==Code signing
##Permissions are set to least privilege
+
==Permissions are set to least privilege
##Automated packaging
+
==Automated packaging
##Automated deployment
+
==Automated deployment
##Automated removal
+
==Automated removal
##No backup or old files
+
==No backup or old files
##Unnecessary features are off by default
+
==Unnecessary features are off by default
##Setup log files are clean
+
==Setup log files are clean
##No default accounts
+
==No default accounts
##Easter eggs
+
==Easter eggs
##Malicious software
+
==Malicious software
##Further Reading
+
==Further Reading
#[[Maintenance]]
+
=[[Maintenance]]
##Objective
+
==Objective
##Platforms Affected
+
==Platforms Affected
##Relevant COBIT Topics
+
==Relevant COBIT Topics
##Best Practices
+
==Best Practices
##Security Incident Response
+
==Security Incident Response
##Fix Security Issues Correctly
+
==Fix Security Issues Correctly
##Update Notifications
+
==Update Notifications
##Regularly check permissions
+
==Regularly check permissions
##Further Reading
+
==Further Reading
##Maintenance
+
==Maintenance
#[[GNU Free Documentation License]]
+
=[[GNU Free Documentation License]]
##PREAMBLE
+
==PREAMBLE
##APPLICABILITY AND DEFINITIONS
+
==APPLICABILITY AND DEFINITIONS
##VERBATIM COPYING
+
==VERBATIM COPYING
##COPYING IN QUANTITY
+
==COPYING IN QUANTITY
##MODIFICATIONS
+
==MODIFICATIONS
##COMBINING DOCUMENTS
+
==COMBINING DOCUMENTS
##COLLECTIONS OF DOCUMENTS
+
==COLLECTIONS OF DOCUMENTS
##AGGREGATION WITH INDEPENDENT WORKS
+
==AGGREGATION WITH INDEPENDENT WORKS
##TRANSLATION
+
==TRANSLATION
##TERMINATION
+
==TERMINATION
##FUTURE REVISIONS OF THIS LICENSE
+
==FUTURE REVISIONS OF THIS LICENSE

Revision as of 07:38, 22 May 2006

=Frontispiece == Dedication == Copyright and license == Editors == Authors and Reviewers == Revision History =About The Open Web Application Security Project ==Structure and Licensing ==Participation and Membership ==Projects = Introduction ==Developing Secure Applications ==Improvements in this edition ==How to use this Guide ==Updates and errata ==With thanks =What are web applications? ==Technologies ==First generation – CGI ==Filters ==Scripting ==Web application frameworks – J ==Small to medium scale applications ==Large scale applications ==View ==Controller ==Model ==Conclusion =Policy Frameworks ==Organizational commitment to security ==OWASP’s Place at the Framework table ==Development Methodology ==Coding Standards ==Source Code Control ==Summary =Secure Coding Principles ==Asset Classification ==About attackers ==Core pillars of information security ==Security Architecture ==Security Principles =Threat Risk Modeling ==Threat Risk Modeling ==Performing threat risk modeling using the Microsoft Threat Modeling Process ==Alternative Threat Modeling Systems ==Trike ==AS/NZS ==CVSS ==OCTAVE ==Conclusion ==Further Reading =Handling E-Commerce Payments ==Objectives ==Compliance and Laws ==PCI Compliance ==Handling Credit Cards ==Further Reading =Phishing ==What is phishing? ==User Education ==Make it easy for your users to report scams ==Communicating with customers via e-mail ==Never ask your customers for their secrets ==Fix all your XSS issues ==Do not use pop-ups ==Don’t be framed ==Move your application one link away from your front page ==Enforce local referrers for images and other resources ==Keep the address bar, use SSL, do not use IP addresses ==Don’t be the source of identity theft ==Implement safe-guards within your application ==Monitor unusual account activity ==Get the phishing target servers offline pronto ==Take control of the fraudulent domain name ==Work with law enforcement ==When an attack happens ==Further Reading =Web Services ==Securing Web Services ==Communication security ==Passing credentials ==Ensuring message freshness ==Protecting message integrity ==Protecting message confidentiality ==Access control ==Audit ==Web Services Security Hierarchy ==SOAP ==WS-Security Standard ==WS-Security Building Blocks ==Communication Protection Mechanisms ==Access Control Mechanisms ==Forming Web Service Chains ==Available Implementations ==Problems ==Further Reading =Ajax and Other "Rich" Interface Technologies ==Objective ==Platforms Affected ==Architecture ==Access control: Authentication and Authorization ==Silent transactional authorization ==Untrusted or absent session data ==State management ==Tamper resistance ==Privacy ==Proxy Façade ==SOAP Injection Attacks ==XMLRPC Injection Attacks ==DOM Injection Attacks ==XML Injection Attacks ==JSON (Javascript Object Notation) Injection Attacks ==Encoding safety ==Auditing ==Error Handling ==Accessibility ==Further Reading =Authentication ==Objective ==Environments Affected ==Relevant COBIT Topics ==Best Practices ==Common web authentication techniques ==Strong Authentication ==Federated Authentication ==Client side authentication controls ==Positive Authentication ==Multiple Key Lookups ==Referer Checks ==Browser remembers passwords ==Default accounts ==Choice of usernames ==Change passwords ==Short passwords ==Weak password controls ==Reversible password encryption ==Automated password resets ==Brute Force ==Remember Me ==Idle Timeouts ==Logout ==Account Expiry ==Self registration ==CAPTCHA ==Further Reading ==Authentication =Authorization ==Objectives ==Environments Affected ==Relevant COBIT Topics ==Best Practices ==Best Practices in Action ==Principle of least privilege ==Centralized authorization routines ==Authorization matrix ==Controlling access to protected resources ==Protecting access to static resources ==Reauthorization for high value activities or after idle out ==Time based authorization ==Be cautious of custom authorization controls ==Never implement client-side authorization tokens ==Further Reading =Session Management ==Objective ==Environments Affected ==Relevant COBIT Topics ==Description ==Best practices ==Exposed Session Variables ==Page and Form Tokens ==Weak Session Cryptographic Algorithms ==Session Token Entropy ==Session Time-out ==Regeneration of Session Tokens ==Session Forging/Brute-Forcing Detection and/or Lockout ==Session Token Capture and Session Hijacking ==Session Tokens on Logout ==Session Validation Attacks ==PHP ==Sessions ==Further Reading ==Session Management =Data Validation ==Objective ==Platforms Affected ==Relevant COBIT Topics ==Description ==Definitions ==Where to include integrity checks ==Where to include validation ==Where to include business rule validation ==Data Validation Strategies ==Prevent parameter tampering ==Hidden fields ==ASP.NET Viewstate ==URL encoding ==HTML encoding ==Encoded strings ==Data Validation and Interpreter Injection ==Delimiter and special characters ==Further Reading =Interpreter Injection ==Objective ==Platforms Affected ==Relevant COBIT Topics ==User Agent Injection ==HTTP Response Splitting ==SQL Injection ==ORM Injection ==LDAP Injection ==XML Injection ==Code Injection ==Further Reading ==SQL-injection ==Code Injection ==Command injection =Canoncalization, locale and Unicode ==Objective ==Platforms Affected ==Relevant COBIT Topics ==Description ==Unicode

http://www.ietf.org/rfc/rfc

==Input Formats ==Locale assertion ==Double (or n-) encoding == HTTP Request Smuggling == Further Reading =Error Handling, Auditing and Logging ==Objective ==Environments Affected ==Relevant COBIT Topics ==Description ==Best practices ==Error Handling ==Detailed error messages ==Logging ==Noise ==Cover Tracks ==False Alarms ==Destruction ==Audit Trails ==Further Reading ==Error Handling and Logging =File System ==Objective ==Environments Affected ==Relevant COBIT Topics ==Description ==Best Practices ==Defacement ==Path traversal ==Insecure permissions ==Insecure Indexing ==Unmapped files ==Temporary files ==PHP ==Includes and Remote files ==File upload ==Old, unreferenced files ==Second Order Injection ==Further Reading ==File System =Distributed Computing ==Objective ==Environments Affected ==Relevant COBIT Topics ==Best Practices ==Race conditions ==Distributed synchronization ==Further Reading =Buffer Overflows ==Objective ==Platforms Affected ==Relevant COBIT Topics ==Description ==General Prevention Techniques ==Stack Overflow ==Heap Overflow ==Format String ==Unicode Overflow ==Integer Overflow ==Further reading =Administrative Interface ==Objective ==Environments Affected ==Relevant COBIT Topics ==Best practices ==Administrators are not users ==Authentication for high value systems ==Further Reading =Cryptography ==Objective ==Platforms Affected ==Relevant COBIT Topics ==Description ==Cryptographic Functions ==Cryptographic Algorithms ==Algorithm Selection ==Key Storage ==Insecure transmission of secrets ==Reversible Authentication Tokens ==Safe UUID generation ==Summary ==Further Reading ==Cryptography =Configuration ==Objective ==Platforms Affected ==Relevant COBIT Topics ==Best Practices ==Default passwords ==Secure connection strings ==Secure network transmission ==Encrypted data ==PHP Configuration ==Global variables ==register_globals ==Database security ==Further Reading ==ColdFusion Components (CFCs) ==Configuration =Software Quality Assurance ==Objective ==Platforms Affected ==Best practices ==Process ==Metrics ==Testing Activities =Deployment ==Objective ==Platforms Affected ==Best Practices ==Release Management ==Secure delivery of code ==Code signing ==Permissions are set to least privilege ==Automated packaging ==Automated deployment ==Automated removal ==No backup or old files ==Unnecessary features are off by default ==Setup log files are clean ==No default accounts ==Easter eggs ==Malicious software ==Further Reading =Maintenance ==Objective ==Platforms Affected ==Relevant COBIT Topics ==Best Practices ==Security Incident Response ==Fix Security Issues Correctly ==Update Notifications ==Regularly check permissions ==Further Reading ==Maintenance =GNU Free Documentation License ==PREAMBLE ==APPLICABILITY AND DEFINITIONS ==VERBATIM COPYING ==COPYING IN QUANTITY ==MODIFICATIONS ==COMBINING DOCUMENTS ==COLLECTIONS OF DOCUMENTS ==AGGREGATION WITH INDEPENDENT WORKS ==TRANSLATION ==TERMINATION ==FUTURE REVISIONS OF THIS LICENSE