Difference between revisions of "OWASP Proactive Controls"
Line 5: | Line 5: | ||
== Authentication == | == Authentication == | ||
+ | - Password Storage | ||
+ | - Forgot Password Workflow | ||
+ | - Multi-Factor AuthN | ||
== Access Control == | == Access Control == | ||
+ | - Permission based access control | ||
+ | - Limits of RBAC | ||
== Validation == | == Validation == | ||
+ | - Whitelist Validation (struggles with internationalization) | ||
+ | - URL validation (as part of redirect features) | ||
+ | - HTML Validation (as part of untrusted content from features like TinyMCE) | ||
== Encoding == | == Encoding == | ||
− | + | - Output encoding for XSS | |
− | + | - Query Parameterization | |
− | + | - Other encodings for LDAP, XML construction and OS Command injection resistance | |
− | |||
− | |||
− | |||
== Data Protection == | == Data Protection == | ||
+ | - At rest and in transit | ||
+ | - Secure number generation | ||
+ | - Certificate pinning | ||
+ | - Proper use of AES (CBC/IV Management) | ||
== Secure Requirements == | == Secure Requirements == | ||
+ | - Core requirements for any project (technical) | ||
+ | - Business logic requirements (project specific) | ||
− | == Secure Architecture | + | == Secure Architecture and Design == |
− | + | - When to use request, session or database for data flow | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
__NOTOC__ | __NOTOC__ |
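Review bot: The Data Protection item "Proper use of AES (CBC/IV Management)" in this hunk names only the cipher mode and IV handling; consider widening it so the outline also covers integrity (an authenticated mode, or encrypt-then-MAC over the CBC ciphertext), since CBC ciphertext with no integrity check is malleable and readers following the outline as written would end up with an incomplete construction. Two smaller points: "Secure number generation" reads more precisely as "Secure random number generation", and the heading change from "== Secure Architecture" to "== Secure Architecture and Design ==" also supplies the closing "==" that the old line lacked, which should be kept even if the title is revised again.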
Revision as of 06:05, 19 May 2013
== Authentication ==
- Password Storage
- Forgot Password Workflow
- Multi-Factor AuthN

== Access Control ==
- Permission based access control
- Limits of RBAC

== Validation ==
- Whitelist Validation (struggles with internationalization)
- URL validation (as part of redirect features)
- HTML Validation (as part of untrusted content from features like TinyMCE)

== Encoding ==
- Output encoding for XSS
- Query Parameterization
- Other encodings for LDAP, XML construction and OS Command injection resistance

== Data Protection ==
- At rest and in transit
- Secure number generation
- Certificate pinning
- Proper use of AES (CBC/IV Management)

== Secure Requirements ==
- Core requirements for any project (technical)
- Business logic requirements (project specific)

== Secure Architecture and Design ==
- When to use request, session or database for data flow