Difference between revisions of "OWASP Proactive Controls"

From OWASP
Jump to: navigation, search
Line 5: Line 5:
  
 
== Authentication ==
 
== Authentication ==
 +
- Password Storage
 +
- Forgot Password Workflow
 +
- Multi-Factor AuthN
  
 
== Access Control ==
 
== Access Control ==
 +
- Permission based access control
 +
- Limits of RBAC
  
 
== Validation ==
 
== Validation ==
 +
- Whitelist Validation (struggles with internationalization)
 +
- URL validation (as part of redirect features)
 +
- HTML Validation (as part of untrusted content from features like TinyMCE)
  
 
== Encoding ==
 
== Encoding ==
 
+
- Output encoding for XSS
Mostly output encoding to stop injection
+
- Query Parameterization
 
+
- Other encodings for LDAP, XML construction and OS Command injection resistance
== Query Parameterization ==
+
 
+
Special case due to how bad SQLi is
+
  
 
== Data Protection ==
 
== Data Protection ==
 +
- At rest and in transit
 +
- Secure number generation
 +
- Certificate pinning
 +
- Proper use of AES (CBC/IV Management)
  
 
== Secure Requirements ==
 
== Secure Requirements ==
 +
- Core requirements for any project (technical)
 +
- Business logic requirements (project specific)
  
== Secure Architecture ==
+
== Secure Architecture and Design ==
 
+
- When to use request, session or database for data flow
== Secure Design ==
+
 
+
Like forgot password workflow, and other workflows that fall outside of basic requirements and architecture
+
 
+
== Secure Configuration ==
+
 
+
At rest and in transit
+
  
 
__NOTOC__  
 
__NOTOC__  

Revision as of 01:05, 19 May 2013

[edit]

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Proactive Controls (home page)
Purpose: A Top 10 like document, phrased in a positive, testable manner that describes the Top 10 controls architects and developers should absolutely, 100% include in every project.
License: Creative Commons Attribution ShareAlike 3.0 License
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases

Authentication

- Password Storage - Forgot Password Workflow - Multi-Factor AuthN

Access Control

- Permission based access control - Limits of RBAC

Validation

- Whitelist Validation (struggles with internationalization) - URL validation (as part of redirect features) - HTML Validation (as part of untrusted content from features like TinyMCE)

Encoding

- Output encoding for XSS - Query Parameterization - Other encodings for LDAP, XML construction and OS Command injection resistance

Data Protection

- At rest and in transit - Secure number generation - Certificate pinning - Proper use of AES (CBC/IV Management)

Secure Requirements

- Core requirements for any project (technical) - Business logic requirements (project specific)

Secure Architecture and Design

- When to use request, session or database for data flow