OWASP Proactive Controls

Revision as of 01:05, 19 May 2013 by Jmanico (Talk | contribs)


what is this project?
Name: OWASP Proactive Controls (home page)
Purpose: A Top 10-like document, phrased in a positive, testable manner, that describes the Top 10 controls architects and developers should absolutely, 100% include in every project.
License: Creative Commons Attribution ShareAlike 3.0 License
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases

Authentication

- Password Storage
- Forgot Password Workflow
- Multi-Factor AuthN

Access Control

- Permission based access control
- Limits of RBAC

Validation

- Whitelist Validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML Validation (as part of untrusted content from features like TinyMCE)
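An added example for the URL validation item, written for this page rather than taken from the OWASP project: a whitelist check for a post-login redirect target that accepts only same-site relative paths or `https` URLs to an allowlisted host, and falls back to a fixed landing page otherwise. The host list, the landing page and the function names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real application loads its own hosts.
ALLOWED_REDIRECT_HOSTS = frozenset({"www.example.com", "accounts.example.com"})
DEFAULT_LANDING = "/"


def is_safe_redirect(target: str) -> bool:
    """Whitelist check: same-site relative path, or https to an allowlisted host."""
    # Refuse characters that browsers and URL parsers disagree about instead of
    # trying to normalise them: backslashes, CR/LF (header splitting) and NUL.
    if not target or any(c in target for c in "\\\r\n\x00"):
        return False
    parts = urlsplit(target)

    # No scheme and no authority: a relative path. Require exactly one leading
    # slash, because "//host/path" is a scheme-relative URL to another host.
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith("//")

    # Absolute URL: only https, and only to a host on the allowlist.
    if parts.scheme.lower() != "https":
        return False
    # Reject userinfo so "https://www.example.com@other.host/" cannot pass
    # a visual check: the real host is what follows the "@".
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_REDIRECT_HOSTS


def safe_redirect_target(target: str) -> str:
    """Return the requested target if it passes the whitelist, else the default landing page."""
    return target if is_safe_redirect(target) else DEFAULT_LANDING


if __name__ == "__main__":
    for candidate in ["/dashboard", "//other.host/", "https://accounts.example.com/me",
                      "http://www.example.com/", "javascript:void(0)"]:
        print(candidate, "->", safe_redirect_target(candidate))
```

The check is deliberately a whitelist: anything the parser cannot classify as one of the two accepted shapes is rejected, which is what the "positive, testable" phrasing of the project aims for.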

Encoding

- Output encoding for XSS
- Query Parameterization
- Other encodings for LDAP, XML construction and OS Command injection resistance
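An added example for the first two items, query parameterization and output encoding (example code for this page, not the project's own, covering the SQL and HTML cases only; LDAP, XML and OS command encoding each need their own encoder). The string-concatenated query is included as the pattern the control is written against: an ordinary username containing an apostrophe already breaks its structure, while the parameterized form treats the same input as plain data. The in-memory table and its rows are constructed for the example.

```python
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory data set for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        [("alice", "Alice <Admin>"), ("bob", "Bob & Co.")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The anti-pattern: concatenating input into the query text lets the
    input alter the statement's structure."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Query parameterization: the value travels separately from the statement,
    so it can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare_on_apostrophe(conn: sqlite3.Connection, username: str) -> dict:
    """Run both variants on the same input and report what happened."""
    result = {"unsafe_error": None, "safe_rows": find_user(conn, username)}
    try:
        result["unsafe_rows"] = find_user_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early; the rest of the
        # input was parsed as SQL and the statement failed.
        result["unsafe_error"] = str(exc)
    return result


def render_greeting(display_name: str) -> str:
    """Output encoding for the HTML body context. Attribute, JavaScript and URL
    contexts each need their own encoder; html.escape is not enough for those."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_demo_db()
    print(compare_on_apostrophe(db, "o'brien"))
    print(render_greeting("Alice <Admin>"))  # <p>Welcome, Alice &lt;Admin&gt;</p>
```

The error raised by the concatenated version on a legitimate Irish surname is the same structural confusion that an attacker would exploit; the parameterized version simply returns no rows because no such user exists.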

Data Protection

- At rest and in transit
- Secure number generation
- Certificate pinning
- Proper use of AES (CBC/IV Management)

Secure Requirements

- Core requirements for any project (technical)
- Business logic requirements (project specific)

Secure Architecture and Design

- When to use request, session or database for data flow