OWASP Framework Security Project
The OWASP Framework Security Project focuses on understanding missing security controls within popular frameworks, and coordinating with developers and the framework leaders to effectively integrate the missing security controls. This project requires the collaboration between security experts, security minded developers, and framework developers and leaders. The primary deliverable of this project is source code that is accepted into frameworks. The OWASP Framework Security Project will maintain documentation to indicate with security controls have been accepted, and links to code and documentation at each framework. For more information, please contact the Project leader, Michael Coates.
How To Help
Important - Please join the mailing list!
- Framework Developers - We need your help to build the security controls that will get accepted upstream into the framework. You have the best knowledge on development practices, code style, and knowledge of the framework to get new code accepted.
- Security Professionals - We need you to help research and catalog available security controls in various frameworks. Our goal is to produce and clear matrix of available and missing security controls by framework.
- Framework Leaders - Do you lead a key portion of a framework? Let's work together to understand the best way to get new security controls added.
- A little of both? Please help in either area!
- Research - Capture popular frameworks and status of security controls. See Frameworks & Security Controls Tab. Please add in security controls and frameworks!
- Outreach & Development - We need to work with framework owners and experienced developers to get specific security controls added to the framework
TODO: What these standards are all about
Standards in Development
Evaluations vs Mature Standards
Evaluations vs Draft Standards
TODO: various HOWTOs on helping out with standards, evaluations, and outreach
TODO: integrate this into more specific standards and then remove the tab
|Framework||Security Control||Present / Not Present||Enabled By Default||Link to more info||Under Development?||Contact Point|
|Automatic escaping in templates|
|Prepared statements (including ORM)|
|Django||SECURE Cookie Flag||Present||No||link||n/a||n/a|
|Django||HTTPOnly Cookie Flag||?||?||[# link]||?||?|
|Rails||Automatic CSRF protection||Present||Yes||link||n/a||n/a|
|Offsite redirect detection/prevention|
|Error suppression in production environments|
|Mask sensitive data in logs|
|Strict transport security|
|Content security policy|
| PROJECT INFO
What does this OWASP project offer you?
| RELEASE(S) INFO|
What releases are available for this project?