Proposed structure

Jon Gadsden edited this page Mar 20, 2023 · 13 revisions
This is the proposed structure of the new Developer Guide:

- Audience
- Background
- Abstract
- Introduction
- Chapter Headings/Outline -> Shruti
- SSDLC:
  - Security requirements
  - Threat modeling (hive off to threat modeling material on OWASP)
  - Regulatory / statutory requirements
  - Secure design
  - Secure coding guidelines
    - Authentication
      - User
      - Server
      - Password policy
    - Authorisation
      - SAML
    - Input data validation
    - Output data encoding
    - Connection with backend
    - Canonicalisation
    - Insecure direct object references
    - Unvalidated redirects
    - JSON
    - JWT
    - Avoid vulnerabilities by secure usage of DOM objects / JavaScript functions
    - Authentication
    - Secrets handling
      - Keys (generation, lifecycle management), secrets, API keys
    - Hashes
      - File hashes, password hashes, salting, verification of hashes for integrity and signature
    - Session management
    - Application spoofing, domain squatting, typo squatting
    - Fail secure
    - Logging
    - Exception / error handling
    - Content Security Policy
    - TLS certificate management
  - Secure coding guidelines
    - Image and container security
    - Open source software security and licensing
  - Secure environment
    - System hardening
    - File systems and downloads
  - Security testing / validation
    - Security test cases (perhaps link it out to any existing OWASP material)
    - SAST
    - DAST
    - SCA (hive off to OWASP’s Dependency-Track)