Category:OWASP Top Ten Controls Project
From OWASP
Latest revision as of 02:49, 17 January 2013
Introduction
This is a placeholder page for the upcoming OWASP Top Ten Controls 2013 document.
This project, similar to the OWASP Top Ten Risks document, is meant to raise developers' awareness of the controls they need to apply in secure web application development.
OWASP Top Ten Proactive Controls
These controls may include:
- Query Parameterization per https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
- Data Protection
  - Hashed, Salted and Stretched Password Storage per https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
  - Cryptographic Storage of sensitive user data such as PII per https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
  - Use of TLS for data in transit
- Output Encoding per https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- Forgot Password Workflow per https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
- Content Security Policy
- Secure JSON Parsing
- Input Validation per https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
- Access Control Design
- Virtual Patching
- Secure Requirements and Design
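As an added illustration of four of the controls listed above (this is example code written for this page, not code from the OWASP project or its cheat sheets), the script below uses only the Python standard library to contrast a string-built SQL query with a parameterized one, store a password hashed, salted and stretched with PBKDF2-HMAC-SHA256, encode untrusted data for an HTML context, and validate a username against an allowlist. The in-memory users table, the PBKDF2 iteration count and the username pattern are this example's own assumptions; the iteration count should follow the Password Storage Cheat Sheet in a real deployment.

```python
import hashlib
import hmac
import html
import os
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.org')")
    conn.execute("INSERT INTO users (username, email) VALUES ('bob', 'bob@example.org')")
    return conn


def lookup_unsafe(conn, username):
    """Anti-pattern: SQL built by string formatting. Shown only to make the
    contrast visible; user input becomes part of the statement's structure."""
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Query Parameterization: the value travels separately from the SQL text,
    so quotes or keywords in it can never change what the statement does."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# Stretching factor for PBKDF2-HMAC-SHA256; an assumption chosen for this example.
# Tune it per the Password Storage Cheat Sheet and raise it over time.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Hashed, salted and stretched storage. A fresh random salt per password
    defeats precomputed tables; the iteration count slows offline guessing.
    The returned string carries algorithm, iterations and salt so old records
    stay verifiable after the default iteration count is increased."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; malformed records fail closed."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: do not leak how many bytes matched through timing.
    return hmac.compare_digest(candidate, expected)


def render_greeting(display_name):
    """Output Encoding for an HTML context: encode at the point of output, and
    encode quotes too so the same helper is safe inside attribute values."""
    return "<p>Hello, %s!</p>" % html.escape(display_name, quote=True)


# Input Validation by allowlist: what a username may look like in this example (assumed).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Reject anything outside the allowlist before it reaches the data layer.
    Validation narrows the input; it complements, never replaces, the controls above."""
    return USERNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("validate:", validate_username(payload))   # False
    print("unsafe:  ", lookup_unsafe(db, payload))   # every email in the table
    print("safe:    ", lookup_safe(db, payload))     # []
    stored = hash_password("correct horse battery staple")
    print("verify:  ", verify_password("correct horse battery staple", stored))  # True
    print(render_greeting("<script>alert(1)</script>"))
```

Run it as-is to see the injected `OR '1'='1'` return both rows through the string-built query and nothing through the parameterized one. Note that the stored password record is self-describing, which is what lets the iteration count be raised later without invalidating existing accounts.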
Others to consider:
- Accountability
  - Logging
  - Error handling and structured exceptions
  - Security incident event management
- Re-authentication (authenticating individual transactions)
- CSRF Tokens
- Framebusting
- Defenses against Remote File Inclusion per http://en.wikipedia.org/wiki/Remote_file_inclusion
- Configuration Issues
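As an added example covering CSRF Tokens and Framebusting from the list above together with Content Security Policy from the main list (example code written for this page, not code from the OWASP project), the script below implements the synchronizer token pattern against a constructed in-memory session store and returns the response headers that do the job of client-side framebusting scripts. The session store, the `/transfer` form, the handler's `(status, body)` return shape and the specific CSP directives are this example's own assumptions.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store: session id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and bind one unpredictable CSRF token to it
    (synchronizer token pattern). The token lives server-side; the attacker's
    cross-site page cannot read it, so it cannot forge a valid request."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    return SESSIONS[sid]["csrf_token"]


def csrf_valid(sid, submitted):
    session = SESSIONS.get(sid)
    if session is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison on bytes, so a wrong length or a non-ASCII
    # submission is rejected without raising and without a timing side channel.
    return hmac.compare_digest(session["csrf_token"].encode("utf-8"), submitted.encode("utf-8"))


def render_transfer_form(sid):
    """Embed the session's token as a hidden field. token_urlsafe yields only
    [A-Za-z0-9_-], so it needs no HTML encoding inside the attribute."""
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="amount"><button>Send</button></form>' % csrf_token_for(sid))


def handle_transfer(sid, form):
    """State-changing POST handler: check the token before doing anything else.
    Returns (status, body) the way a minimal web framework would (assumed shape)."""
    if not csrf_valid(sid, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "transfer of %s accepted" % form.get("amount", "0")


def security_headers():
    """Headers that replace fragile JavaScript framebusting and restrict what the
    page may load. frame-ancestors is the CSP form of X-Frame-Options; sending
    both covers browsers that understand only one."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    }


if __name__ == "__main__":
    sid = new_session()
    print(render_transfer_form(sid))
    good = {"csrf_token": csrf_token_for(sid), "amount": "25"}
    forged = {"amount": "25"}  # a cross-site form cannot know the token
    print(handle_transfer(sid, good))    # (200, 'transfer of 25 accepted')
    print(handle_transfer(sid, forged))  # (403, 'CSRF token missing or invalid')
    stolen = {"csrf_token": csrf_token_for(new_session()), "amount": "25"}
    print(handle_transfer(sid, stolen))  # 403: a token from another session does not match
    print(security_headers())
```

The token check is deliberately the first thing the handler does, and it compares in constant time; a token taken from a different session fails because each session holds its own value. The headers are returned as data so the same dictionary can be attached to every response by whatever framework is in use.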
Glossary of Terms
TODO