Difference between revisions of "Projects/OWASP Security Principles Project"

From OWASP
Jump to: navigation, search
(Created page with "{{Template:Project About | project_name =OWASP Security Principles Project | project_home_page =OWASP Security Principles Project | project_description =The idea is to distill...")
 
(How can I participate in your project?)
(11 intermediate revisions by one user not shown)
Line 1: Line 1:
{{Template:Project About
+
=Main=
| project_name =OWASP Security Principles Project
+
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
| project_home_page =OWASP Security Principles Project
+
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
| project_description =The idea is to distill the fundamentals of security into a set of concise principles that must be present in any system through out the requirements, architecture, development, testing and implementation of a system.
+
 
| project_license =Creative Commons Attribution ShareAlike 3.0 License  (best for documentation projects)
+
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
| leader_name1 =Dennis Groves
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| leader_email1 =Dennis.Groves@owasp.org  
+
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp_security_principles_project
+
 
| project_road_map = https://www.owasp.org/index.php/Projects/OWASP_Security_Principles_Project/Roadmap
+
==The OWASP Security Principles==
}}
+
 
 +
Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.
 +
 
 +
For example, security design happens with perhaps a handful of principles:
 +
 
 +
* Least Privilege
 +
* Perimeter Security
 +
* Defence in Depth
 +
 
 +
However, we regularly see designs without '''separation of privilege'''!
 +
 
 +
Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!
 +
 
 +
The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.
 +
 
 +
==Description==
 +
 
 +
'''[http://owasp.github.io/Security-Principles Please contribute to this project.]
 +
'''
 +
 
 +
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.
 +
 
 +
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.
 +
 
 +
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.
 +
 
 +
==Licensing==
 +
 
 +
 
 +
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!
 +
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.
 +
 
 +
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 +
 
 +
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 +
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 +
 
 +
== What is OWASP Security Principles Project? ==
 +
 
 +
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.
 +
 
 +
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.
 +
 
 +
== Presentation ==
 +
 
 +
* [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013 AppSec USA 2013]
 +
 
 +
== Project Leader ==
 +
 
 +
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]
 +
 
 +
 
 +
== Related Projects ==
 +
 
 +
* [[OWASP_CISO_Survey]]
 +
 
 +
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 +
| valign="top"  style="padding-left:25px;width:200px;" |
 +
 
 +
== Quick Download ==
 +
 
 +
The home of the OWASP Security Principles is on [https://github.com/OWASP/Security-Principles GitHub.] You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.
 +
 
 +
However, if you like you may also download the master repository from the following links:
 +
* [https://github.com/OWASP/Security-Principles/zipball/master .zip file.]
 +
* [https://github.com/OWASP/Security-Principles/tarball/master .tgz file.]
 +
 
 +
== News and Events ==
 +
 
 +
* [20 Nov 2013] News 2
 +
* [30 Sep 2013] News 1
 +
 
 +
== In Print ==
 +
 
 +
This project can be purchased as a print on demand book from Lulu.com
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | colspan="2" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]] 
 +
  |-
 +
  |  colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |}
 +
 
 +
|}
 +
 
 +
=FAQs=
 +
 
 +
 
 +
==How can I participate in your project?==
 +
 
 +
[https://github.com/OWASP/Security-Principles/fork Fork] the project at github and send a pull request with your contributions!
 +
You should also [https://lists.owasp.org/mailman/listinfo/owasp_security_principles_project join the mailing list] if you are participating. ;-)
 +
 
 +
==If I am not a programmer can I participate in your project?==
 +
Yes, this is a documentation project. There is no need to be a programmer at all and you are welcome to participate in the project if you are a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. Once we converge on the core principles then I imagine we will look to modeling the principles and documenting how to use and apply them in security architecture and design.
 +
 
 +
= Acknowledgements =
 +
 
 +
==Contributors==
 +
 
 +
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project  [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here].
 +
 
 +
The first contributors to the project were:
 +
 
 +
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]
 +
* [https://github.com/sublimino Andrew Martin]
 +
* [https://github.com/Lambdanaut Josh Thomas]
 +
* [https://github.com/SamanthaGroves Samantha Groves]
 +
* '''YOUR NAME BELONGS HERE'''
 +
 
 +
= Road Map and Getting Involved =
 +
 
 +
As of October 2013, the priorities are:
 +
* Finish the referencing for each principle.
 +
* Update the Project Template.
 +
* Use the OWASP Press to develop a book.
 +
* Finish and publish the book on Lulu.
 +
 
 +
Involvement in the development and promotion of the OWASP Security Principles Project is actively encouraged!
 +
You do not have to be a security expert in order to contribute.
 +
Some of the ways you can help:
 +
* Helping find references to some of the principles.
 +
* Project administration support.
 +
* Wiki editing support.
 +
* Writing support for the book.
 +
 
 +
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 +
__NOTOC__ <headertabs />
 +
 
 +
[[Category:OWASP Project]] [[Category:OWASP_Document]]

Revision as of 20:20, 24 November 2013

[edit]

OWASP Project Header.jpg

The OWASP Security Principles

Inevitably applications are designed with security principles architects knew about, security folks included. However, as this project demonstrates there are far more than just a 'few' principles, most of which never make it into the design.

For example, security design happens with perhaps a handful of principles:

  • Least Privilege
  • Perimeter Security
  • Defence in Depth

However, we regularly see designs without separation of privilege!

Think about that, most web applications today have all their eggs in a single basket. The business logic, the identities, passwords, products, policy enforcement, security rules are all found in the same application database that makes up the typical website! It is little wonder then, that attacks on the database have been so completely devastating, since there is no separation of privilege!

The aim of this project, is to identify and describe a minimum functional set of principles that must be present in a secure design.

Description

Please contribute to this project.

Over the course of my career, I have come across and collected a number of security aphorisms. These aphorisms constitute the fundamental principles of information security.

None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.

Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.

Licensing

The OWASP Security Principles are free to use. In fact it is encouraged!!! Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.

The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

What is OWASP Security Principles Project?

The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the OWASP Press. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.

This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.

Presentation

Project Leader


Related Projects

Quick Download

The home of the OWASP Security Principles is on GitHub. You are encourged to fork, edit and push your changes back to the project through git or edit the project directly on github.

However, if you like you may also download the master repository from the following links:

News and Events

  • [20 Nov 2013] News 2
  • [30 Sep 2013] News 1

In Print

This project can be purchased as a print on demand book from Lulu.com

Classifications

Owasp-incubator-trans-85.png
Project Type Files DOC.jpg
Cc-button-y-sa-small.png

How can I participate in your project?

Fork the project at github and send a pull request with your contributions! You should also join the mailing list if you are participating. ;-)

If I am not a programmer can I participate in your project?

Yes, this is a documentation project. There is no need to be a programmer at all and you are welcome to participate in the project if you are a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. Once we converge on the core principles then I imagine we will look to modeling the principles and documenting how to use and apply them in security architecture and design.

Contributors

The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project contributors is found here.

The first contributors to the project were:

As of October 2013, the priorities are:

  • Finish the referencing for each principle.
  • Update the Project Template.
  • Use the OWASP Press to develop a book.
  • Finish and publish the book on Lulu.

Involvement in the development and promotion of the OWASP Security Principles Project is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Helping find references to some of the principles.
  • Project administration support.
  • Wiki editing support.
  • Writing support for the book.