OWASP Proactive Controls

Revision as of 00:05, 19 May 2013 by Jmanico (talk | contribs)

Jump to: navigation, search
What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP Proactive Controls (home page)
Purpose: A Top 10 like document, phrased in a positive, testable manner that describes the Top 10 controls architects and developers should absolutely, 100% include in every project.
License: Creative Commons Attribution ShareAlike 3.0 License
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed

other releases


- Password Storage - Forgot Password Workflow - Multi-Factor AuthN

Access Control

- Permission based access control - Limits of RBAC


- Whitelist Validation (struggles with internationalization) - URL validation (as part of redirect features) - HTML Validation (as part of untrusted content from features like TinyMCE)


- Output encoding for XSS - Query Parameterization - Other encodings for LDAP, XML construction and OS Command injection resistance

Data Protection

- At rest and in transit - Secure number generation - Certificate pinning - Proper use of AES (CBC/IV Management)

Secure Requirements

- Core requirements for any project (technical) - Business logic requirements (project specific)

Secure Architecture and Design

- When to use request, session or database for data flow