Difference between revisions of "OWASP Proactive Controls"

From OWASP
(Created page with "=Main= Project Leader’s content goes here =Project About= {{:Projects/OWASP_Proactive_Controls}} Category:OWASP Project")
 
(3 intermediate revisions by one user not shown)
Line 1: Line 1:
=Main=
+
= Project About =
Project Leader’s content goes here
+
 
+
=Project About=
+
 
{{:Projects/OWASP_Proactive_Controls}}  
 
{{:Projects/OWASP_Proactive_Controls}}  
 +
 +
= Top Ten Proactive Controls =
 +
 +
== Authentication ==
 +
- Password Storage
 +
- Forgot Password Workflow
 +
- Multi-Factor AuthN
 +
 +
== Access Control ==
 +
- Permission based access control
 +
- Limits of RBAC
 +
 +
== Validation ==
 +
- Whitelist Validation (struggles with internationalization)
 +
- URL validation (as part of redirect features)
 +
- HTML Validation (as part of untrusted content from features like TinyMCE)
 +
 +
== Encoding ==
 +
- Output encoding for XSS
 +
- Query Parameterization
 +
- Other encodings for LDAP, XML construction and OS Command injection resistance
 +
 +
== Data Protection ==
 +
- At rest and in transit
 +
- Secure number generation
 +
- Certificate pinning
 +
- Proper use of AES (CBC/IV Management)
 +
 +
== Secure Requirements ==
 +
- Core requirements for any project (technical)
 +
- Business logic requirements (project specific)
 +
 +
== Secure Architecture and Design ==
 +
- When to use request, session or database for data flow
 +
 +
__NOTOC__
 +
<headertabs />
  
 
[[Category:OWASP Project]]
 
[[Category:OWASP Project]]
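Review bot: every control in the new "= Top Ten Proactive Controls =" outline is a bare title with no description, rationale or reference (for example "- Password Storage", "- Query Parameterization", "- Proper use of AES (CBC/IV Management)"), so a reader cannot tell what each control requires or how it would be tested, which the project's stated purpose ("phrased in a positive, testable manner") calls for; a one-line statement of the control and a pointer to the relevant OWASP cheat sheet under each item would fix that. Separately, the added `<headertabs />` tag only renders as tabs when the Header Tabs extension is installed on the wiki; otherwise it appears verbatim in the page, so confirm the extension is enabled or keep only `__NOTOC__`.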

Revision as of 01:05, 19 May 2013


PROJECT INFO
What does this OWASP project offer you?

What is this project?
Name: OWASP Proactive Controls (home page)
Purpose: A Top 10-like document, phrased in a positive, testable manner, that describes the Top 10 controls architects and developers should absolutely, 100% include in every project.
License: Creative Commons Attribution ShareAlike 3.0 License

Who is working on this project?
Project Leader(s):

How can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View

Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.

RELEASE(S) INFO
What releases are available for this project?

Current release
Not Yet Published

Last reviewed release
Not Yet Reviewed

Other releases

Top Ten Proactive Controls

Authentication

- Password Storage
- Forgot Password Workflow
- Multi-Factor AuthN

Access Control

- Permission-based access control
- Limits of RBAC

Validation

- Whitelist Validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML Validation (as part of untrusted content from features like TinyMCE)

Encoding

- Output encoding for XSS
- Query Parameterization
- Other encodings for LDAP, XML construction and OS Command injection resistance

Data Protection

- At rest and in transit
- Secure number generation
- Certificate pinning
- Proper use of AES (CBC/IV Management)

Secure Requirements

- Core requirements for any project (technical)
- Business logic requirements (project specific)

Secure Architecture and Design

- When to use request, session or database for data flow