This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Framework Security Project

From OWASP
Jump to: navigation, search


Ideasowasp.png

Project Goal

The OWASP Framework Security Project focuses on understanding missing security controls within popular frameworks, and coordinating with developers and the framework leaders to effectively integrate the missing security controls. This project requires the collaboration between security experts, security minded developers, and framework developers and leaders. The primary deliverable of this project is source code that is accepted into frameworks. The OWASP Framework Security Project will maintain documentation to indicate with security controls have been accepted, and links to code and documentation at each framework. For more information, please contact the Project leader, Michael Coates.

How To Help

Important - Please join the mailing list!

  • Framework Developers - We need your help to build the security controls that will get accepted upstream into the framework. You have the best knowledge on development practices, code style, and knowledge of the framework to get new code accepted.
  • Security Professionals - We need you to help research and catalog available security controls in various frameworks. Our goal is to produce and clear matrix of available and missing security controls by framework.
  • Framework Leaders - Do you lead a key portion of a framework? Let's work together to understand the best way to get new security controls added.
  • A little of both? Please help in either area!

Roadmap

  1. Research - Capture popular frameworks and status of security controls. See Frameworks & Security Controls Tab. Please add in security controls and frameworks!
  2. Outreach & Development - We need to work with framework owners and experienced developers to get specific security controls added to the framework

TODO: What these standards are all about

Mature Standards

TODO

Standards in Development

Evaluations vs Mature Standards

TODO

Evaluations vs Draft Standards

TODO: various HOWTOs on helping out with standards, evaluations, and outreach


TODO: integrate this into more specific standards and then remove the tab

Note: This page is a template part of the OWASP Framework Security Project. Edit this page here

Framework Security Control Present / Not Present Enabled By Default Link to more info Under Development? Contact Point
Automatic escaping in templates
Prepared statements (including ORM)
Django x-frame-options Present No link n/a n/a
Django SECURE Cookie Flag Present No link n/a n/a
Django HTTPOnly Cookie Flag ? ? [# link] ? ?
Rails Automatic CSRF protection Present Yes link n/a n/a
Offsite redirect detection/prevention
javascript: URIs in links
Error suppression in production environments
Mask sensitive data in logs
Encryption abstractions
Strict transport security
Content security policy
PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP Framework Security Project (home page)
Purpose: The OWASP Framework Security Project focuses on understanding missing security controls within popular frameworks and coordinating with developers and the framework leaders to effectively integrate the missing security controls. This project requires the collaboration between security experts, security minded developers and framework developers and leaders.

The primary deliverable of this project is source code that is accepted into frameworks. The OWASP Framework Security Project will maintain documentation to indicate which security controls have been accepted and links to code and documentation at each framework.

License: Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)
who is working on this project?
Project Leader(s):
  • Michael Coates @
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact Michael Coates @ to contribute to this project
  • Contact Michael Coates @ to review or sponsor this project
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases