Category:Security Focus Area - Revision history

Wichers: /* The current list of SFAs */

2006-11-15T19:22:26Z

‎The current list of SFAs

Wichers: /* The current list of SFAs */

2006-11-15T19:08:00Z

‎The current list of SFAs

OWASP at 03:29, 4 August 2006

2006-08-04T03:29:52Z

OWASP at 03:26, 4 August 2006

2006-08-04T03:26:42Z

Weilin Zhong: /* The current list of focus areas */

2006-08-03T21:30:32Z

‎The current list of focus areas

Weilin Zhong at 21:28, 3 August 2006

2006-08-03T21:28:45Z

Weilin Zhong at 21:06, 3 August 2006

2006-08-03T21:06:48Z

New page

Security Focus Areas

==What is a Security Focus Area?==

A security focus area is a security topic that is commonly known, concerned or studied in the application security arena. They can be the buzzwords in the security community or the top security problems that everyone wants to learn about.

==Why this category?==

To completely understand a security focus area, you need to learn the basic elements involved in this security area, which we believe are the PTAVC( Principle,Threat, Attack, Vulnerability, and Countermeasure), and how these elements are related in a threat modeling context. You will also want to know the hands-on guidelines on various security approaches to identify, analyze, and address problems and all other related discussions on this area.

===The Problem===

During OWASP’s effort to build the most comprehensive and integrated guides to application security, articles are being generated and evolved constantly under various internal projects. As a result, you will find multiple articles exist under the same security focus area.

Articles in the Honeycomb project describe the fundamental application security elements and are categorized into five buckets (Principle, Threat, Attack, Vulnerability and Countermeasure). They are the basic building blocks for higher-level security activities, such as threat modeling, security design and analysis. For a security focus area, they will provide the basic concepts and fundamental knowledge to understand the problems in this area.

The articles in other OWASP projects (Top 10, Guide, Testing Guide, Code Review, etc.) tend to be more comprehensive guidelines to various security areas. These articles are either trying to raise the awareness of a security focus area (such as these articles in Top 10), or describe the systematic security approaches on how to identify, analyze, remediate or prevent these problems.

To link all these articles in a meaningful way, we need a horizontal thread to connecting all these articles together and compile them with expert opinions to present a complete and organized view of the problem.

===Our Approach===

We create a category for each of these security focus areas and tag the related articles in various projects and sources with this category. On the article for this Security Focus Area, we will give an overview of the problem followed by a detailed threat modeling section, discussing the security elements involved and how they are related including various factors on its likelihood, impact and severity.
Then related security activities on how to identify and address problems in this area are discussed followed by links to any additional information.

Therefore a Security Focus Area category is acting as a roadmap to guide you through articles in this area. It helps you to obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.

NOTE:
* Based on how it is communicated in the community, the name of a security focus area might have a bias on some of its basic elements. For example, SQL Injection is named after the attack while Input Validation is named after the countermeasure.
* A security focus area can have close relationship or even overlap to other security focus areas. For example, Input Validation is the countermeasure for both SQL injection and Buffer Overflow.
These are not our concerns here. We care more about presenting the complete view of the problem.

== What belongs to here? ==
Here are the criteria to a Security Focus area:
* It has to be a specific topic instead of a big/generic title
** For example, “SQL injection” instead of “Injection Flaws”
* It has to be well-known and commonly used in the security community
* It may have overlap with other security focus areas but it should be recognized as a stand-alone issue

==How to add a Security Focus Area ==
Create an Category:SecurityFocusAreaName and add {{Category:Security Focus Area}} into it. An Security Focus Area article should follow the following structure:

{{SFA Template}}.

===How to use a Security Focus Area===
When you what to learn about or contribute to a Security Focus Area, simply click the link of that area and check the existing articles.

==How you can help?==
* When you generate an article, please think through what security focus area this article belongs to and tag the article with it.
* When you read an article and think it belongs to a certain security focus area, please tag the article with it.
* If you feel the need to create a new Security Focus Area, please consider the criteria listed in “what belongs to here” section.

==Volunteer needed==
Tag articles with security focus areas (Manage this as part of the Honeycomb project. )

===The current list of focus areas===
Q: Acronym or full name? (Weilin: I prefer full name.)
Q: Name after vulnerability or countermeasure? (Weilin: I prefer naming after countermeasure when possible.)

Unvalidated Input (Or Input Validation? I prefer latter.)
Broken Access Control (Or Access Control? I prefer latter)
Phishing
Authentication
Session Management
XSS (Cross Site Scripting, Acronym or full name?)
Buffer Overflow
SQL Injection
Error Handling
Insecure Storage
Cryptography
Application Denial of Service
Insecure Configuration Management

@@ Line 34: / Line 34: @@
 ==The current list of SFAs ==
-*Phishing
+*[[Phishing]]
-*Cross-Site Scripting
+*[[Cross-Site Scripting]]
-*Buffer Overflow
+*[[Buffer Overflow]]
 *[[SQL Injection]]
 __NOTOC__

@@ Line 37: / Line 37: @@
 *Cross-Site Scripting
 *Buffer Overflow
-*SQL Injection
+*[[SQL Injection]]
 __NOTOC__

@@ Line 1: / Line 1: @@
 ==What is a Security Focus Area (SFA)?==
-The [[:Category:OWASP Honeycomb Project|Honeycomb Project]] has many individual articles detailing the basic building blocks of application security, including [[:Category:Principle|principles]], [[:Category:Threat|threats]], [[:Category:Attack|attacks]], [[:Category:Vulnerability|vulnerabilities]], [[:Category:Countermeasure|countermeasures]]. Generally, a single application security issue will involve several principles, threats, attacks, vulnerabilities, and countermeasures.
+The [[:Category:OWASP Honeycomb Project|Honeycomb Project]] has many individual articles detailing the basic building blocks of application security, including [[:Category:Principle|principles]], [[:Category:Threat|threats]], [[:Category:Attack|attacks]], [[:Category:Vulnerability|vulnerabilities]], [[:Category:Countermeasure|countermeasures]]. Generally, a single application security issue will involve several of each type of building block. For example, SQL Injection might involve several different threats and attacks, a few related vulnerabilities, and several countermeasures.
 To help navigate these articles, we have created these "Security Focus Areas" (SFAs) as a guide that pulls together and creates a roadmap for a single application security issue. The articles in other OWASP projects ([[Top 10]], [[Guide]], [[Testing Guide]], [[Code Review]], etc.) tend to be more comprehensive guidelines to various security areas. These articles are either trying to raise the awareness of a SFA (such as these articles in Top 10), or describe the systematic security approaches on how to identify, analyze, remediate or prevent these problems.
@@ Line 10: / Line 10: @@
 * A short, management-level introduction to the area
-* A roadmap to the threat modeling elements for this area
+* A roadmap to the threat modeling elements for this area with emphasis on helping readers evaluate the likelihood and impact of a successful exploit in their application
 * Links to guidelines for testing, code reviewing, and architecting this area
 * Other articles covering this topic

@@ Line 1: / Line 1: @@
-Security Focus Areas
+==What is a Security Focus Area (SFA)?==
-==What is a Security Focus Area?==
+The [[:Category:OWASP Honeycomb Project|Honeycomb Project]] has many individual articles detailing the basic building blocks of application security, including [[:Category:Principle|principles]], [[:Category:Threat|threats]], [[:Category:Attack|attacks]], [[:Category:Vulnerability|vulnerabilities]], [[:Category:Countermeasure|countermeasures]]. Generally, a single application security issue will involve several principles, threats, attacks, vulnerabilities, and countermeasures.
-A security focus area is a security topic that is commonly known, concerned or studied in the application security arena. They can be the buzzwords in the security community or the top security problems that everyone wants to learn about.
+To help navigate these articles, we have created these "Security Focus Areas" (SFAs) as a guide that pulls together and creates a roadmap for a single application security issue. The articles in other OWASP projects ([[Top 10]], [[Guide]], [[Testing Guide]], [[Code Review]], etc.) tend to be more comprehensive guidelines to various security areas. These articles are either trying to raise the awareness of a SFA (such as these articles in Top 10), or describe the systematic security approaches on how to identify, analyze, remediate or prevent these problems.
-==Why this category?==
+==What goes into a SFA?==
-To completely understand a security focus area, you need to learn the basic elements involved in this security area, which we believe are the PTAVC( Principle,Threat, Attack, Vulnerability, and Countermeasure), and how these elements are related in a threat modeling context. You will also want to know the hands-on guidelines on various security approaches to identify, analyze, and address problems and all other related discussions on this area.
+Each SFA provides:
-===The Problem===
+* A short, management-level introduction to the area
-During OWASP’s effort to build the most comprehensive and integrated guides to application security, articles are being generated and evolved constantly under various internal projects. As a result, you will find multiple articles exist under the same security focus area. We need a roadmap for these articles.
+Therefore a SFA category acts as a roadmap to guide you through articles in this area. It helps you to obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.
-Articles in the Honeycomb project describe the fundamental application security elements and are categorized into five buckets (Principle, Threat, Attack, Vulnerability and Countermeasure). They are the basic building blocks for higher-level security activities, such as threat modeling, security design and analysis. For a security focus area, they will provide the basic concepts and fundamental knowledge to understand the problems in this area.
+==What makes a good SFA?==
-The articles in other OWASP projects (Top 10, Guide, Testing Guide, Code Review, etc.) tend to be more comprehensive guidelines to various security areas. These articles are either trying to raise the awareness of a security focus area (such as these articles in Top 10), or describe the systematic security approaches on how to identify, analyze, remediate or prevent these problems.
+Here are some criteria for a SFA:
-To link all these articles in a meaningful way, we need a horizontal thread to connecting all these articles together and compile them with expert opinions to present a complete and organized view of the problem.
+==How to add a new SFA ==
-===Our Approach===
+Create an Category:SecurityFocusAreaName and add <nowiki>[[Category:Security Focus Area]]</nowiki> at the bottom. A SFA article should follow the structure in [[SFA]]. '''Note:''' we should create a template for the header of an SFA.
 ==How you can help?==
-==Volunteer needed==
+* If you find articles related to an existing SFA, please link to them in the SFA article.
-Tag articles with security focus areas (Manage this as part of the Honeycomb project. )
+* If you feel the need to create a new SFA, please consider the criteria listed in "what makes a good SFA" section.
-==The current list of focus areas==
+==The current list of SFAs ==
 *Phishing
-*Authentication
+*Cross-Site Scripting
 *Buffer Overflow
 *SQL Injection
-*Error Handling
-*Insecure Storage
+__NOTOC__

@@ Line 50: / Line 50: @@
 ==The current list of focus areas==
-Q: Acronym or full name? (Weilin: I prefer full name.)
+*Input Validation
-Q: Name after vulnerability or countermeasure? (Weilin: I prefer naming after countermeasure when possible.)
+*Access Control
+*Phishing
-Unvalidated Input (Or Input Validation? I prefer latter.)
+*Authentication
-Broken Access Control (Or Access Control? I prefer latter)
+*Session Management
-Phishing
+*XSS (Cross Site Scripting, Acronym or full name?)
-Authentication
+*Buffer Overflow
-Session Management
+*SQL Injection
-XSS (Cross Site Scripting, Acronym or full name?)
+*Error Handling
-Buffer Overflow
+*Insecure Storage
-SQL Injection
+*Cryptography
-Error Handling
+*Application Denial of Service
-Insecure Storage
+*Insecure Configuration Management

@@ Line 11: / Line 11: @@
 ===The Problem===
-During OWASP’s effort to build the most comprehensive and integrated guides to application security, articles are being generated and evolved constantly under various internal projects. As a result, you will find multiple articles exist under the same security focus area.
+During OWASP’s effort to build the most comprehensive and integrated guides to application security, articles are being generated and evolved constantly under various internal projects. As a result, you will find multiple articles exist under the same security focus area. We need a roadmap for these articles.
 Articles in the Honeycomb project describe the fundamental application security elements and are categorized into five buckets (Principle, Threat, Attack, Vulnerability and Countermeasure). They are the basic building blocks for higher-level security activities, such as threat modeling, security design and analysis. For a security focus area, they will provide the basic concepts and fundamental knowledge to understand the problems in this area.
@@ Line 21: / Line 21: @@
 ===Our Approach===
-We create a category for each of these security focus areas and tag the related articles in various projects and sources with this category. On the article for this Security Focus Area, we will give an overview of the problem followed by a detailed threat modeling section, discussing the security elements involved and how they are related including various factors on its likelihood, impact and severity.
+We create a category for each of these security focus areas and tag the related articles in various projects and sources with this category. On the article for this Security Focus Area, we will give an overview of the problem followed by a detailed threat modeling section to discuss the security elements involved, how they are related, and the various factors on likelihood, impact and severity.
-Then related security activities on how to identify and address problems in this area are discussed followed by links to any additional information.
+Then we discuss the related security activities on how to identify and address problems in this area and provide links to any additional information.
 Therefore a Security Focus Area category is acting as a roadmap to guide you through articles in this area. It helps you to obtain a high-level overview of the problem quickly and enables you to dive down into the details easily when needed.
-NOTE:
+'''NOTE:'''
 * Based on how it is communicated in the community, the name of a security focus area might have a bias on some of its basic elements. For example, SQL Injection is named after the attack while Input Validation is named after the countermeasure.
 * A security focus area can have close relationship or even overlap to other security focus areas. For example, Input Validation is the countermeasure for both SQL injection and Buffer Overflow.
@@ Line 39: / Line 39: @@
 ==How to add a Security Focus Area ==
-Create an Category:SecurityFocusAreaName and add {{Category:Security Focus Area}} into it. An Security Focus Area article should follow the following structure:
+Create an Category:SecurityFocusAreaName and add <nowiki>[[Category:Security Focus Area]]</nowiki> into it. An Security Focus Area article should follow the structure in [[SFA]].
 ==How you can help?==
@@ Line 54: / Line 49: @@
 Tag articles with security focus areas (Manage this as part of the Honeycomb project. )
-===The current list of focus areas===
+==The current list of focus areas==
 Q: Acronym or full name? (Weilin: I prefer full name.)
 Q: Name after vulnerability or countermeasure? (Weilin: I prefer naming after countermeasure when possible.)