Difference between revisions of "OWASP Categories"

From OWASP
 
m (Reverted edits by Frank Alexander (talk) to last revision by Jeff Williams)
 
(13 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
==The OWASP Folksonomy Approach to Organizing Application Security==
 
==The OWASP Folksonomy Approach to Organizing Application Security==
  
There are many different ways of organizing all the different aspects of application security. [[Application security taxonomies|Attempts]] to force these topics into a strict taxonomy have failed because there are too many dimensions to the problem. At OWASP, we have adopted the [[folksonomy]] tagging approach to solving this problem. We simply tag our articles with a number of different categories. You can use these category to help get different views into the complex, interconnected set of topics that is application security.
+
There are many different ways of organizing all the different aspects of application security. [[Application security taxonomies|Attempts]] to force these topics into a strict taxonomy have failed because there are too many dimensions to the problem. Organizing the information by a single factor -- the type of programming flaw, for example -- confuses and eliminates all the useful information from the other dimensions.
 +
 
 +
At OWASP, we have adopted the [http://en.wikipedia.org/wiki/Folksonomy folksonomy] tagging approach to solving this problem. We simply tag our articles with a number of different categories. You can use these category to help get different views into the complex, interconnected set of topics that is application security.
  
 
Each article is tagged with as many of the following tags as reasonably apply:
 
Each article is tagged with as many of the following tags as reasonably apply:
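Review bot: the new second paragraph ("At OWASP, we have adopted the ... folksonomy tagging approach") carries over the grammatical slip "You can use these category"; it should read "these categories". Splitting the taxonomy argument and the folksonomy answer into two paragraphs reads better than the single paragraph it replaces, and swapping the internal [[folksonomy]] link for the Wikipedia article is fine provided no local folksonomy page exists; if one does, keep the internal link.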
Line 7: Line 9:
 
{| border="1" cellspacing="0" cellpadding="5" align="center"
 
{| border="1" cellspacing="0" cellpadding="5" align="center"
 
| Type of Article
 
| Type of Article
| [[:Category:Principle|Principle]], [[:Category:Threat|Threat]], [[:Category:Vulnerability|Vulnerability]], [[:Category:Countermeasure|Countermeasure]], [[:Category:Code Snippet|Code Snippet]], [[:Category:How To|How To]], [[:Category:Activity|Activity]]
+
| [[:Category:Principle|Principle]], [[:Category:Threat|Threat]], [[:Category:Attack|Attack]], [[:Category:Vulnerability|Vulnerability]], [[:Category:Countermeasure|Countermeasure]], [[:Category:Code Snippet|Code Snippet]], [[:Category:How To|How To]], [[:Category:Activity|Activity]]
 
|-  
 
|-  
 
| Level of Abstraction
 
| Level of Abstraction
 
| [[:Category:Implementation|Implementation]], [[:Category:Design|Design]], [[:Category:Architecture|Architecture]], [[:Category:Business|Business]]
 
| [[:Category:Implementation|Implementation]], [[:Category:Design|Design]], [[:Category:Architecture|Architecture]], [[:Category:Business|Business]]
 
|-  
 
|-  
| Related Countermeasures
+
| Countermeasures
| [[:Category:Authentication|Authentication]], [[:Category:Session Management|Session Management]], [[:Category:Access Control|Access Control]], [[:Category:Input Validation|Input Validation]], [[:Category:Error Handling|Error Handling]], [[:Category:Logging|Logging]], [[:Category:Encryption|Encryption]], [[:Category:Quotas|Quotas]]
+
| [[:Category:Authentication|Authentication]], [[:Category:Session Management|Session Management]], [[:Category:Access Control|Access Control]], [[:Category:Validation|Validation]], [[:Category:Encoding|Encoding]], [[:Category:Error Handling|Error Handling]], [[:Category:Logging|Logging]], [[:Category:Encryption|Encryption]], [[:Category:Quotas|Quotas]]
 
|-  
 
|-  
 
| Likelihood Factors
 
| Likelihood Factors
| [[:Category:Attractive|Attractive]], [[:Category:Tools Required|Tools Required]], [[:Category:Expertise Required|Expertise Required]]
+
| [[:Category:Attractiveness|Attractiveness]], [[:Category:Tools Required|Tools Required]], [[:Category:Expertise Required|Expertise Required]]
 
|-  
 
|-  
 
| Business Impact Factors
 
| Business Impact Factors
| [[:Category:Confidentiality|Confidentiality]], [[:Category:Integrity|Integrity]], [[:Category:Availability|Availability]]
+
| [[:Category:Confidentiality|Confidentiality]], [[:Category:Integrity|Integrity]], [[:Category:Availability|Availability]], [[:Category:Accountability|Accountability]], [[:Category:Non-Repudiation|Non-Repudiation]]
 
|-  
 
|-  
 
| Application Platforms
 
| Application Platforms
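Review bot: renaming categories in this table (Input Validation to Validation plus Encoding, Attractive to Attractiveness) does not move any articles: pages still tagged [[Category:Input Validation]] or [[Category:Attractive]] stop being reachable from this index unless they are retagged, so please confirm those pages are updated in the same change. The additions of Attack under Type of Article and of Accountability and Non-Repudiation under Business Impact Factors look right.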
Line 28: Line 30:
 
|-  
 
|-  
 
| Application Security Activites
 
| Application Security Activites
| [[:Category:Threat Modeling|Threat Modeling]], [[:Category:Security Architecture|Security Architecture]], [[:Category:Security Requirements|Security Requirements]], [[:Category:Secure Coding|Secure Coding]], [[:Category:Penetration Testing|Penetration Testing]], [[:Category:Code Review|Code Review]], [[:Category:Secure Deployment|Secure Deployment]]
+
| [[:Category:Threat Modeling|Threat Modeling]], [[:Category:Security Architecture|Security Architecture]], [[:Category:Security Requirements|Security Requirements]], [[:Category:Secure Coding|Secure Coding]], [[:Category:Penetration Testing|Penetration Testing]], [[:Category:OWASP Code Review Project|Code Review]], [[:Category:Secure Deployment|Secure Deployment]]
 +
|-
 +
| Vulnerability Analysis Technique
 +
| [[:Category:Vulnerability Scanning|Vulnerability Scanning]], [[:Category:Penetration Testing|Penetration Testing]], [[:Category:Static Analysis|Static Analysis]], [[:Category:Code Review|Code Review]]
 
|-  
 
|-  
 
| Other Application Security Categories
 
| Other Application Security Categories
 
| [[:Category:Role|Role]], [[:Category:Tool|Tool]]
 
| [[:Category:Role|Role]], [[:Category:Tool|Tool]]
 
|}
 
|}
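Review bot: the "Code Review" label now points at two different categories: [[:Category:OWASP Code Review Project|Code Review]] in the Application Security Activities row and [[:Category:Code Review|Code Review]] in the new Vulnerability Analysis Technique row. Pick one target for the tag, or relabel the project link so readers can tell the activity category from the project category. The unchanged row header "Application Security Activites" also still misspells "Activities"; worth fixing while this row is being edited.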

Latest revision as of 18:05, 7 February 2011

The OWASP Folksonomy Approach to Organizing Application Security

There are many different ways of organizing all the different aspects of application security. Attempts to force these topics into a strict taxonomy have failed because there are too many dimensions to the problem. Organizing the information by a single factor -- the type of programming flaw, for example -- confuses and eliminates all the useful information from the other dimensions.

At OWASP, we have adopted the folksonomy tagging approach to solving this problem. We simply tag our articles with a number of different categories. You can use these categories to get different views into the complex, interconnected set of topics that is application security.

Each article is tagged with as many of the following tags as reasonably apply:

{| border="1" cellspacing="0" cellpadding="5" align="center"
| Type of Article
| Principle, Threat, Attack, Vulnerability, Countermeasure, Code Snippet, How To, Activity
|-
| Level of Abstraction
| Implementation, Design, Architecture, Business
|-
| Countermeasures
| Authentication, Session Management, Access Control, Validation, Encoding, Error Handling, Logging, Encryption, Quotas
|-
| Likelihood Factors
| Attractiveness, Tools Required, Expertise Required
|-
| Business Impact Factors
| Confidentiality, Integrity, Availability, Accountability, Non-Repudiation
|-
| Application Platforms
| Java, .NET, PHP, C/C++
|-
| Software Lifecycle Activities
| Planning, Requirements, Architecture, Design, Implementation, Test, Deployment, Operation, Maintenance
|-
| Application Security Activities
| Threat Modeling, Security Architecture, Security Requirements, Secure Coding, Penetration Testing, Code Review, Secure Deployment
|-
| Vulnerability Analysis Technique
| Vulnerability Scanning, Penetration Testing, Static Analysis, Code Review
|-
| Other Application Security Categories
| Role, Tool
|}