Repository layout:

├── .github
│   ├── ISSUE_TEMPLATE
│   │   ├── content.md
│   │   └── request.md
│   ├── dependabot.yml
│   ├── funding.yaml
│   ├── pull_request_template.md
│   └── workflows
│       ├── ci.yaml
│       ├── housekeeping.yaml
│       ├── pr.yaml
│       └── release.yaml
├── .gitignore
├── .lycheeignore
├── .markdownlint.yaml
├── .spellcheck-en.yaml
├── .spellcheck-es.yaml
├── .spellcheck-pt-br.yaml
├── .wordlist-en.txt
├── .wordlist-es.txt
├── .wordlist-pt-br.txt
├── CNAME
├── README.md
├── code_of_conduct.md
├── contributing.md
├── docs
│   ├── CNAME
│   ├── assets
│   │   └── images
│   │       ├── dg_alt.png
│   │       ├── dg_logo.png
│   │       ├── dg_logo_bbd.png
│   │       ├── dg_logo_di.png
│   │       ├── dg_logo_solid.png
│   │       ├── dg_wip.png
│   │       ├── favicon.png
│   │       ├── logos
│   │       │   ├── amass.png
│   │       │   ├── asvs.png
│   │       │   ├── blt.png
│   │       │   ├── cheatsheets.png
│   │       │   ├── coraza.png
│   │       │   ├── cornucopia.png
│   │       │   ├── crs.png
│   │       │   ├── cyclonedx.png
│   │       │   ├── defectdojo.png
│   │       │   ├── depcheck.png
│   │       │   ├── esapi.png
│   │       │   ├── juiceshop.png
│   │       │   ├── lcnc.png
│   │       │   ├── mas.png
│   │       │   ├── nettacker.png
│   │       │   ├── opencre.png
│   │       │   ├── oshp.png
│   │       │   ├── owtf.png
│   │       │   ├── pytm.png
│   │       │   ├── samm.png
│   │       │   ├── samurai_wtf.png
│   │       │   ├── samuraiwtf.png
│   │       │   ├── secchampsguide.png
│   │       │   ├── secure_headers.png
│   │       │   ├── securecodebox.png
│   │       │   ├── skf.png
│   │       │   ├── snakes_ladders.png
│   │       │   ├── threat_dragon.png
│   │       │   ├── tmmanifesto.png
│   │       │   ├── top10.png
│   │       │   ├── top10_api.png
│   │       │   ├── top10_proactive.png
│   │       │   ├── webgoat.png
│   │       │   ├── webwolf.png
│   │       │   ├── wrongsecrets.png
│   │       │   └── zap.png
│   │       ├── owasp-wayfinder.png
│   │       └── sdlc_diag.png
│   ├── en
│   │   ├── 02-foundations
│   │   │   ├── 01-security-fundamentals.md
│   │   │   ├── 02-secure-development.md
│   │   │   ├── 03-security-principles.md
│   │   │   ├── 04-crypto-principles.md
│   │   │   ├── 05-top-ten.md
│   │   │   └── index.md
│   │   ├── 03-requirements
│   │   │   ├── 01-requirements.md
│   │   │   ├── 02-risk.md
│   │   │   ├── 03-opencre.md
│   │   │   ├── 04-security-rat.md
│   │   │   ├── 05-asvs.md
│   │   │   ├── 06-mas.md
│   │   │   ├── 07-skf.md
│   │   │   └── index.md
│   │   ├── 04-design
│   │   │   ├── 01-threat-modeling
│   │   │   │   ├── 01-threat-modeling.md
│   │   │   │   ├── 02-pytm.md
│   │   │   │   ├── 03-threat-dragon.md
│   │   │   │   ├── 04-cornucopia.md
│   │   │   │   ├── 05-linddun-go.md
│   │   │   │   ├── 06-toolkit.md
│   │   │   │   └── index.md
│   │   │   ├── 02-web-app-checklist
│   │   │   │   ├── 01-define-security-requirements.md
│   │   │   │   ├── 02-frameworks-libraries.md
│   │   │   │   ├── 03-secure-database-access.md
│   │   │   │   ├── 04-encode-escape-data.md
│   │   │   │   ├── 05-validate-inputs.md
│   │   │   │   ├── 06-digital-identity.md
│   │   │   │   ├── 07-access-controls.md
│   │   │   │   ├── 08-protect-data.md
│   │   │   │   ├── 09-logging-monitoring.md
│   │   │   │   ├── 10-handle-errors-exceptions.md
│   │   │   │   └── index.md
│   │   │   ├── 03-mas-checklist.md
│   │   │   └── index.md
│   │   ├── 05-implementation
│   │   │   ├── 01-documentation
│   │   │   │   ├── 01-proactive-controls.md
│   │   │   │   ├── 02-go-scp.md
│   │   │   │   ├── 03-cheatsheets.md
│   │   │   │   └── index.md
│   │   │   ├── 02-dependencies
│   │   │   │   ├── 01-dependency-check.md
│   │   │   │   ├── 02-dependency-track.md
│   │   │   │   ├── 03-cyclonedx.md
│   │   │   │   └── index.md
│   │   │   ├── 03-secure-libraries
│   │   │   │   ├── 01-esapi.md
│   │   │   │   ├── 02-csrf-guard.md
│   │   │   │   ├── 03-secure-headers.md
│   │   │   │   └── index.md
│   │   │   ├── 04-maswe.md
│   │   │   └── index.md
│   │   ├── 06-verification
│   │   │   ├── 01-guides
│   │   │   │   ├── 01-wstg.md
│   │   │   │   ├── 02-mastg.md
│   │   │   │   ├── 03-asvs.md
│   │   │   │   └── index.md
│   │   │   ├── 02-tools
│   │   │   │   ├── 01-dast.md
│   │   │   │   ├── 02-amass.md
│   │   │   │   ├── 03-owtf.md
│   │   │   │   ├── 04-nettacker.md
│   │   │   │   ├── 05-secure-headers.md
│   │   │   │   └── index.md
│   │   │   ├── 03-frameworks
│   │   │   │   ├── 01-secure-codebox.md
│   │   │   │   └── index.md
│   │   │   ├── 04-vulnerability-management
│   │   │   │   ├── 01-defectdojo.md
│   │   │   │   └── index.md
│   │   │   └── index.md
│   │   ├── 07-training-education
│   │   │   ├── 01-vulnerable-apps
│   │   │   │   ├── 01-juice-shop.md
│   │   │   │   ├── 02-webgoat.md
│   │   │   │   ├── 03-pygoat.md
│   │   │   │   ├── 04-security-shepherd.md
│   │   │   │   └── index.md
│   │   │   ├── 02-secure-coding-dojo.md
│   │   │   ├── 03-skf.md
│   │   │   ├── 04-samurai-wtf.md
│   │   │   ├── 05-top-ten.md
│   │   │   ├── 06-mobile-top-ten.md
│   │   │   ├── 07-api-top-ten.md
│   │   │   ├── 08-wrongsecrets.md
│   │   │   ├── 09-snakes-ladders.md
│   │   │   └── index.md
│   │   ├── 08-culture-process
│   │   │   ├── 01-security-culture.md
│   │   │   ├── 02-security-champions
│   │   │   │   ├── 01-security-champions-program.md
│   │   │   │   ├── 02-security-champions-guide.md
│   │   │   │   ├── 03-security-champions-playbook.md
│   │   │   │   └── index.md
│   │   │   ├── 03-samm.md
│   │   │   ├── 04-asvs.md
│   │   │   ├── 05-mas.md
│   │   │   └── index.md
│   │   ├── 09-operations
│   │   │   ├── 01-devsecops.md
│   │   │   ├── 02-coraza.md
│   │   │   ├── 03-modsecurity.md
│   │   │   ├── 04-crs.md
│   │   │   └── index.md
│   │   ├── 10-metrics
│   │   │   └── index.md
│   │   ├── 11-security-gap-analysis
│   │   │   ├── 01-guides
│   │   │   │   ├── 01-samm.md
│   │   │   │   ├── 02-asvs.md
│   │   │   │   ├── 03-mas.md
│   │   │   │   └── index.md
│   │   │   ├── 02-blt.md
│   │   │   └── index.md
│   │   └── 12-appendices
│   │       ├── 01-implementation-dos-donts
│   │       │   ├── 01-container-security.md
│   │       │   ├── 02-secure-coding.md
│   │       │   ├── 03-cryptographic-practices.md
│   │       │   ├── 04-application-spoofing.md
│   │       │   ├── 05-content-security-policy.md
│   │       │   ├── 06-exception-error-handling.md
│   │       │   ├── 07-file-management.md
│   │       │   ├── 08-memory-management.md
│   │       │   └── index.md
│   │       └── 02-verification-dos-donts
│   │           ├── 01-secure-environment.md
│   │           ├── 02-system-hardening.md
│   │           ├── 03-open-source-software.md
│   │           └── index.md
│   ├── es
│   │   ├── 02-foundations
│   │   │   ├── 01-security-fundamentals.md
│   │   │   ├── 02-secure-development.md
│   │   │   ├── 03-security-principles.md
│   │   │   ├── 04-crypto-principles.md
│   │   │   ├── 05-top-ten.md
│   │   │   └── index.md
│   │   ├── 03-requirements
│   │   │   ├── 01-requirements.md
│   │   │   ├── 02-risk.md
│   │   │   ├── 03-opencre.md
│   │   │   ├── 04-security-rat.md
│   │   │   ├── 05-asvs.md
│   │   │   ├── 06-mas.md
│   │   │   ├── 07-skf.md
│   │   │   └── index.md
│   │   ├── 04-design
│   │   │   ├── 01-threat-modeling
│   │   │   │   ├── 01-threat-modeling.md
│   │   │   │   ├── 02-pytm.md
│   │   │   │   ├── 03-threat-dragon.md
│   │   │   │   ├── 04-cornucopia.md
│   │   │   │   ├── 05-linddun-go.md
│   │   │   │   ├── 06-toolkit.md
│   │   │   │   └── index.md
│   │   │   ├── 02-web-app-checklist
│   │   │   │   ├── 01-define-security-requirements.md
│   │   │   │   ├── 02-frameworks-libraries.md
│   │   │   │   ├── 03-secure-database-access.md
│   │   │   │   ├── 04-encode-escape-data.md
│   │   │   │   ├── 05-validate-inputs.md
│   │   │   │   ├── 06-digital-identity.md
│   │   │   │   ├── 07-access-controls.md
│   │   │   │   ├── 08-protect-data.md
│   │   │   │   ├── 09-logging-monitoring.md
│   │   │   │   ├── 10-handle-errors-exceptions.md
│   │   │   │   └── index.md
│   │   │   ├── 03-mas-checklist.md
│   │   │   └── index.md
│   │   ├── 05-implementation
│   │   │   ├── 01-documentation
│   │   │   │   ├── 01-proactive-controls.md
│   │   │   │   ├── 02-go-scp.md
│   │   │   │   ├── 03-cheatsheets.md
│   │   │   │   └── index.md
│   │   │   ├── 02-dependencies
│   │   │   │   ├── 01-dependency-check.md
│   │   │   │   ├── 02-dependency-track.md
│   │   │   │   ├── 03-cyclonedx.md
│   │   │   │   └── index.md
│   │   │   ├── 03-secure-libraries
│   │   │   │   ├── 01-esapi.md
│   │   │   │   ├── 02-csrf-guard.md
│   │   │   │   ├── 03-secure-headers.md
│   │   │   │   └── index.md
│   │   │   ├── 04-maswe.md
│   │   │   └── index.md
│   │   ├── 06-verification
│   │   │   ├── 01-guides
│   │   │   │   ├── 01-wstg.md
│   │   │   │   ├── 02-mastg.md
│   │   │   │   ├── 03-asvs.md
│   │   │   │   └── index.md
│   │   │   ├── 02-tools
│   │   │   │   ├── 01-dast.md
│   │   │   │   ├── 02-amass.md
│   │   │   │   ├── 03-owtf.md
│   │   │   │   ├── 04-nettacker.md
│   │   │   │   ├── 05-secure-headers.md
│   │   │   │   └── index.md
│   │   │   ├── 03-frameworks
│   │   │   │   ├── 01-secure-codebox.md
│   │   │   │   └── index.md
│   │   │   ├── 04-vulnerability-management
│   │   │   │   ├── 01-defectdojo.md
│   │   │   │   └── index.md
│   │   │   └── index.md
│   │   └── index.md
│   ├── fa
│   │   └── 02-foundations
│   │       ├── 01-security-fundamentals.md
│   │       ├── 02-secure-development.md
│   │       ├── 03-security-principles.md
│   │       ├── 04-crypto-principles.md
│   │       ├── 05-top-ten.md
│   │       └── index.md
│   ├── index.md
│   └── pt-br
│       ├── 02-foundations
│       │   ├── 01-security-fundamentals.md
│       │   ├── 05-top-ten.md
│       │   └── index.md
│       └── index.md
├── license.txt
├── mkdocs-pdf-en.yaml
├── mkdocs-pdf-es.yaml
├── mkdocs-pdf-pt-br.yaml
├── mkdocs.yaml
├── release-process.md
└── security.md

/.github/ISSUE_TEMPLATE/content.md:
--------------------------------------------------------------------------------
---
name: Create content
about: Suggest content for the Developer Guide
title: 'Provide content'
labels: 'content'
assignees: ''

---

**Describe what content should be added** :


**Context** :
Section: (eg '02-foundations/03-security-principles')


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/request.md:
--------------------------------------------------------------------------------
---
name: Change request
about: Suggest a change for the Developer Guide
title: ''
labels: 'enhancement'
assignees: ''

---

**Describe what change you would like** :


**Context** :
Section: (eg '02-foundations/03-security-principles')


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: ".github/workflows"
    schedule:
      interval: "monthly"
    groups:
      version-update:
        applies-to: version-updates
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
      security-update:
        applies-to: security-updates
        patterns:
          - "*"
        update-types:
          - "patch"
          - "minor"
--------------------------------------------------------------------------------
/.github/funding.yaml:
--------------------------------------------------------------------------------
custom: https://owasp.org/donate/?reponame=www-project-developer-guide&title=OWASP+Developer+Guide
github: OWASP
--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
**Summary** :
If this closes an existing issue then add "closes #xxxx", where xxxx is the issue number

**Description for the changelog** :

**Declaration**:

- [ ] content meets the [license](../license.txt) for this project
- [ ] AI has not been used, or has been declared, in this pull request

**Other info** :


Thanks for submitting a pull request!

Please make sure you follow our [Code of Conduct](../code_of_conduct.md)
and our [contributing guidelines](../contributing.md)

Automated tests are run to check links, markdown and spelling

The pull request must pass these tests before it can be merged
--------------------------------------------------------------------------------
/.github/workflows/housekeeping.yaml:
--------------------------------------------------------------------------------
name: Housekeeping
# checks are on all directories

on:
  # Run daily at 6:15
  schedule:
    - cron: '15 6 * * *'
  workflow_dispatch:

# for security reasons the github actions are pinned to specific release versions
jobs:
  chores:
    name: Tidy workflows
    runs-on: ubuntu-24.04
    permissions:
      actions: write

    steps:
      - name: Delete stale workflow runs
        uses: Mattraks/delete-workflow-runs@v2.0.6
        with:
          token: ${{ github.token }}
          repository: ${{ github.repository }}
          retain_days: 28
          keep_minimum_runs: 10

      - name: Delete unused workflows
        uses: otto-de/purge-deprecated-workflow-runs@v3.0.3
        with:
          token: ${{ github.token }}

  link_checker:
    name: Link checker
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout markdown
        uses: actions/checkout@v4.2.2

      - name: Link Checker
        uses: lycheeverse/lychee-action@v2.4.1
        with:
          # skip the jekyll files under '_includes' directory, check all other directories
          args: >-
            --no-progress
            --max-retries 1
            --retry-wait-time 10
            --max-concurrency 2
            '**/*.md'
            '*.md'
          fail: true
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

  stale:
    name: Tidy pull requests
    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
      issues: write

    steps:
      - name: Tidy stale PRs and issues
        uses: actions/stale@v9
        with:
          days-before-issue-stale: 183
          days-before-issue-close: -1
          stale-issue-message: 'This issue is stale because it has been open for 6 months with no activity.'
          stale-issue-label: stale
          remove-issue-stale-when-updated: true
          days-before-pr-stale: 42
          days-before-pr-close: 7
          stale-pr-message: 'This PR is stale because it has been open 42 days with no activity. Remove stale label, or add a comment, otherwise it will be closed in 7 days.'
          close-pr-message: 'This PR was closed because it has been stalled for 8 weeks with no activity.'
--------------------------------------------------------------------------------
/.github/workflows/release.yaml:
--------------------------------------------------------------------------------
name: Release docs
# checks are only on the draft directory because the release directory will be overwritten

on:
  push:
    # tagged x.x.x releases as well as release candidates
    tags:
      - ?.?.?*
  workflow_dispatch:

# for security reasons the github actions are pinned to specific release versions
jobs:
  export_pdf:
    name: Export PDF
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout markdown
        uses: actions/checkout@v4.2.2

      - name: Install python
        uses: actions/setup-python@v5.6.0
        with:
          python-version: 3.x

      - name: Install python packages
        run: |
          python -m pip install --upgrade pip setuptools wheel
          pip install mkdocs
          pip install mkdocs-material
          pip install mkdocs-open-in-new-tab
          pip install mkdocs-with-pdf

      - name: Build
        run: mkdocs build

      - name: Upload PDF
        uses: actions/upload-artifact@v4.6.2
        with:
          name: 'pdf-export'
          path: 'site/OWASP_Developer_Guide.pdf'

  draft_release:
    name: Create draft release
    runs-on: ubuntu-24.04
    needs: [export_pdf]
    steps:
      - name: Check out
        uses: actions/checkout@v4.2.2

      - name: Fetch prepared SBOM artifacts
        uses: actions/download-artifact@v4.3.0
        with:
          name: 'pdf-export'
          path: 'site/OWASP_Developer_Guide.pdf'

      - name: Prepare release notes
        run: |
          releaseVersion=${{ github.ref_name }}
          sed -e s/x.x.x/${releaseVersion:1}/g .release-note-template.md > ./release-notes.txt

      - name: Create release notes
        uses: softprops/action-gh-release@v2.2.2
        with:
          draft: true
          name: "${releaseVersion:1}"
          append_body: true
          body_path: ./release-notes.txt
          generate_release_notes: true
          files: |
            site/OWASP_Developer_Guide.pdf
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# uses allow-list, so ignore everything
*

# project files
!.lintcheck.yaml
!.lycheeignore
!.markdownlint.yaml
!.spellcheck*.yaml
!.wordlist*.txt
!mkdocs*.yaml
!CNAME
!*.md
!license.txt

# allow github, workflows and templates
!.github/
!.github/*.yaml
!.github/issue_template/
!.github/issue_template/*.md
!.github/workflows/
!.github/workflows/*.yaml
!.gitignore

# docs site
!docs/
!docs/index.md
!docs/assets/
!docs/assets/images/
!docs/assets/images/*.png
!docs/assets/images/logos/
!docs/assets/images/logos/*.png
!docs/en/
!docs/en/index.md
!docs/en/**/
!docs/en/**/*.md
!docs/es/
!docs/es/index.md
!docs/es/**/
!docs/es/**/*.md
!docs/pt-br/
!docs/pt-br/index.md
!docs/pt-br/**/
!docs/pt-br/**/*.md
!docs/fa/
!docs/fa/index.md
!docs/fa/**/
!docs/fa/**/*.md
!docs/CNAME

# ignore symbolic links
docs/license.txt
docs/code_of_conduct.md
docs/contributing.md

--------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /.lycheeignore: -------------------------------------------------------------------------------- 1 | # ignore these false positives from the link checker housekeeper 2 | 3 | # some sites that are examples only, no intention of being real 4 | myfriend.site.com/ 5 | 6 | # Lockheed Martin has trouble with SSL certificates, temporarily ignore 7 | www.lockheedmartin.com 8 | 9 | # github gets upset if too many requests are made to create new issues 10 | github.com/OWASP/DevGuide/issues/new 11 | github.com/OWASP/DevGuide/pulls 12 | 13 | # at times github gets upset full stop 14 | github.com 15 | 16 | # ignore LINDDUN site because it occasionally times out 17 | www.linddun.org/ 18 | 19 | # automated access to esapi is forbidden 20 | mvnrepository.com/artifact/org.owasp.esapi/esapi 21 | 22 | # do not harass dockerhub 23 | hub.docker.com/r/bkimminich/juice-shop 24 | hub.docker.com/r/pygoat/pygoat 25 | hub.docker.com/r/owasp/threat-dragon/tags 26 | hub.docker.com/r/securityrat/securityrat 27 | hub.docker.com/r/webgoat/webgoat 28 | 29 | # Google drive tends to need permissions that the link checker does not have 30 | drive.google.com/ 31 | 32 | # SAMM training site blocks automated access 33 | owaspsamm.thinkific.com/courses/samm 34 | 35 | # the BLT site blocks bots 36 | owaspblt.org 37 | -------------------------------------------------------------------------------- /.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | no-trailing-punctuation: false 3 | no-inline-html: false 4 | first-line-heading: false 5 | link-fragments: false 6 | 7 | # MD013 - Line length 8 | MD013: 9 | code_block_line_length: 125 10 | code_blocks: true 11 | heading_line_length: 80 12 | headings: true 13 | line_length: 125 14 | stern: true 15 | strict: false 16 | tables: true 17 | 18 | -------------------------------------------------------------------------------- 
/.spellcheck-en.yaml: -------------------------------------------------------------------------------- 1 | matrix: 2 | - name: Markdown 3 | aspell: 4 | lang: en 5 | d: en_US 6 | dictionary: 7 | wordlists: 8 | - .wordlist-en.txt 9 | output: wordlist.dic 10 | encoding: utf-8 11 | pipeline: 12 | - pyspelling.filters.markdown: 13 | - pyspelling.filters.html: 14 | comments: false 15 | ignores: 16 | - code 17 | - pre 18 | sources: 19 | - 'docs/en/**/*.md' 20 | - 'docs/*.md' 21 | - '*.md' 22 | default_encoding: utf-8 23 | -------------------------------------------------------------------------------- /.spellcheck-es.yaml: -------------------------------------------------------------------------------- 1 | matrix: 2 | - name: Markdown 3 | aspell: 4 | lang: es 5 | dictionary: 6 | wordlists: 7 | - .wordlist-es.txt 8 | output: wordlist.dic 9 | encoding: utf-8 10 | pipeline: 11 | - pyspelling.filters.markdown: 12 | - pyspelling.filters.html: 13 | comments: false 14 | ignores: 15 | - code 16 | - pre 17 | sources: 18 | - 'docs/es/**/*.md' 19 | - 'docs/es/*.md' 20 | default_encoding: utf-8 21 | -------------------------------------------------------------------------------- /.spellcheck-pt-br.yaml: -------------------------------------------------------------------------------- 1 | matrix: 2 | - name: Markdown 3 | aspell: 4 | lang: pt_BR 5 | dictionary: 6 | wordlists: 7 | - .wordlist-pt-br.txt 8 | output: wordlist.dic 9 | encoding: utf-8 10 | pipeline: 11 | - pyspelling.filters.markdown: 12 | - pyspelling.filters.html: 13 | comments: false 14 | ignores: 15 | - code 16 | - pre 17 | sources: 18 | - 'docs/pt-br/**/*.md' 19 | - 'docs/pt-br/*.md' 20 | default_encoding: utf-8 21 | -------------------------------------------------------------------------------- /.wordlist-pt-br.txt: -------------------------------------------------------------------------------- 1 | AAA 2 | align 3 | and 4 | API 5 | Application 6 | Applications 7 | Assurance 8 | Body 9 | bugs 10 | Cascading 11 | Cheat 
12 | Clickjacking 13 | Clobbering 14 | Consortium 15 | Content 16 | Controls 17 | Credential 18 | Cross-site 19 | CSS 20 | CWE 21 | Cyber 22 | Database 23 | Deserialization 24 | DevOps 25 | DoS 26 | Exploit 27 | exploits 28 | firewall 29 | frameworks 30 | GitHub 31 | Headers 32 | HTML 33 | image-right-small 34 | Injection 35 | issue 36 | JSON 37 | JWTs 38 | Knowledge 39 | Language 40 | Large 41 | LDAP 42 | leaks 43 | Living 44 | LLM 45 | Low-Code 46 | Model 47 | NIST 48 | No-Code 49 | Of 50 | Open 51 | OpenCRE 52 | our 53 | OWASP 54 | path 55 | Policy 56 | Privacy 57 | Proactive 58 | Project 59 | queries 60 | right 61 | Risks 62 | SAMM 63 | Schools 64 | scripts 65 | Securing 66 | Security 67 | Serverless 68 | Sheet 69 | Sheets 70 | SQL 71 | SSRF 72 | Standard 73 | Strict 74 | Stuffing 75 | Style 76 | Ten 77 | The 78 | Token 79 | Transport 80 | traversal 81 | upload 82 | Upload 83 | URLs 84 | VPN 85 | Wayfinder 86 | WHATWG 87 | width 88 | Worldwide 89 | XSS 90 | XXE 91 | -------------------------------------------------------------------------------- /CNAME: -------------------------------------------------------------------------------- 1 | devguide.owasp.org -------------------------------------------------------------------------------- /docs/CNAME: -------------------------------------------------------------------------------- 1 | devguide.owasp.org -------------------------------------------------------------------------------- /docs/assets/images/dg_alt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/dg_alt.png -------------------------------------------------------------------------------- /docs/assets/images/dg_logo.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/dg_logo.png -------------------------------------------------------------------------------- /docs/assets/images/dg_logo_bbd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/dg_logo_bbd.png -------------------------------------------------------------------------------- /docs/assets/images/dg_logo_di.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/dg_logo_di.png -------------------------------------------------------------------------------- /docs/assets/images/dg_logo_solid.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/dg_logo_solid.png -------------------------------------------------------------------------------- /docs/assets/images/dg_wip.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/dg_wip.png -------------------------------------------------------------------------------- /docs/assets/images/favicon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/favicon.png -------------------------------------------------------------------------------- /docs/assets/images/logos/amass.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/amass.png -------------------------------------------------------------------------------- /docs/assets/images/logos/asvs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/asvs.png -------------------------------------------------------------------------------- /docs/assets/images/logos/blt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/blt.png -------------------------------------------------------------------------------- /docs/assets/images/logos/cheatsheets.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/cheatsheets.png -------------------------------------------------------------------------------- /docs/assets/images/logos/coraza.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/coraza.png -------------------------------------------------------------------------------- /docs/assets/images/logos/cornucopia.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/cornucopia.png -------------------------------------------------------------------------------- /docs/assets/images/logos/crs.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/crs.png -------------------------------------------------------------------------------- /docs/assets/images/logos/cyclonedx.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/cyclonedx.png -------------------------------------------------------------------------------- /docs/assets/images/logos/defectdojo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/defectdojo.png -------------------------------------------------------------------------------- /docs/assets/images/logos/depcheck.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/depcheck.png -------------------------------------------------------------------------------- /docs/assets/images/logos/esapi.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/esapi.png -------------------------------------------------------------------------------- /docs/assets/images/logos/juiceshop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/juiceshop.png -------------------------------------------------------------------------------- /docs/assets/images/logos/lcnc.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/lcnc.png -------------------------------------------------------------------------------- /docs/assets/images/logos/mas.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/mas.png -------------------------------------------------------------------------------- /docs/assets/images/logos/nettacker.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/nettacker.png -------------------------------------------------------------------------------- /docs/assets/images/logos/opencre.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/opencre.png -------------------------------------------------------------------------------- /docs/assets/images/logos/oshp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/oshp.png -------------------------------------------------------------------------------- /docs/assets/images/logos/owtf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OWASP/DevGuide/c9676093a84d4399149afda75fb9018f2a708218/docs/assets/images/logos/owtf.png -------------------------------------------------------------------------------- /docs/assets/images/logos/pytm.png: -------------------------------------------------------------------------------- 
--------------------------------------------------------------------------------
/docs/en/02-foundations/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 }

There are various foundational concepts and terminology that are commonly used in software security.
Although many of these concepts are complex to implement and are based on heavy-duty theory,
the principles are often fairly straightforward and are accessible to every software engineer.

A reasonable grasp of these foundational concepts allows development teams to understand and implement
software security for the application or system under development.
This Developer Guide can only give a brief overview of these concepts;
for in-depth knowledge refer to the many texts on security such as [The Cyber Security Body Of Knowledge][cbok].

If changes are being introduced to the security culture of an organization
then make sure there is management buy-in and clear goals to achieve.
Without these, attempts to improve the security posture will probably fail - see the
[Security Culture][culturegoal] project for the importance of getting management,
security and development teams working together.

----

The OWASP Developer Guide is a community effort; if you see something that needs changing
then [submit an issue][issue0400] or [edit on GitHub][edit0400].

[cbok]: https://www.cybok.org/
[culturegoal]: https://owasp.org/www-project-security-culture/stable/3-Goal_Setting_and_Security_Team_Collaboration/
[edit0400]: https://github.com/OWASP/DevGuide/blob/main/docs/en/02-foundations/index.md
[issue0400]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2002-foundations/index

--------------------------------------------------------------------------------
/docs/en/03-requirements/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 }

Security requirements are statements of
security functionality that ensure the different security properties of a software application are being satisfied.
Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities.
Security requirements define new features or additions to existing features to solve a specific security problem
or eliminate potential vulnerabilities.

Security requirements also provide a foundation of vetted security functionality for an application.
Instead of creating a custom approach to security for every application,
standard security requirements allow developers to reuse the definition of security controls and best practices;
those same vetted security requirements provide solutions for security issues that have occurred in the past.

The importance of understanding key security requirements is described in the [Security Requirements][sammdsr]
practice that is part of the [Design][sammd] business function section within the OWASP [SAMM model][samm].
Ideally, structured software security requirements are available within a security requirements framework,
and these are utilized by both developer teams and product teams.
In addition, suppliers to the organization must meet security requirements;
build security into supplier agreements in order to ensure compliance with organizational security requirements.

In summary, security requirements exist to prevent the repeat of past security failures.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0500] or [edit on GitHub][edit0500].

[edit0500]: https://github.com/OWASP/DevGuide/blob/main/docs/en/03-requirements/index.md
[issue0500]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2003-requirements/index
[samm]: https://owaspsamm.org/about/
[sammd]: https://owaspsamm.org/model/design/
[sammdsr]: https://owaspsamm.org/model/design/security-requirements/

--------------------------------------------------------------------------------
/docs/en/04-design/01-threat-modeling/05-linddun-go.md:
--------------------------------------------------------------------------------
LINDDUN GO is a card game used to help derive privacy requirements during the software development life cycle.
The LINDDUN GO card set can be [downloaded][linddun-go-cards] as a PDF and then printed out.

#### What is LINDDUN GO?

[LINDDUN GO][linddun-go] helps identify potential privacy threats based on the key LINDDUN threats to privacy:

* Linking
* Identifying
* Non-repudiation
* Detecting
* Data Disclosure
* Unawareness
* Non-compliance

LINDDUN GO is similar to OWASP [Cornucopia][cornucopia] in that it takes the form of a set of cards that
can be used to gamify the process of identifying application privacy / security requirements.
The deck of 33 cards is arranged in suits that match each category of threats to privacy,
and there is a [set of rules][linddun-go-rules] to structure the game sessions.
Each LINDDUN GO card illustrates a single common privacy threat and suggested remediations.

#### Why use it?

[LINDDUN][linddun] is an approach to threat modeling from a privacy perspective.
It is a methodology that is useful to structure and guide the identification of threats to privacy,
and also helps with suggestions for the mitigation of any threats.

[LINDDUN GO][linddun-go] gamifies this approach to privacy with a set of cards and rules
to guide the identification process for threats to the privacy provided by the application.
This is a change from other established processes and provides a different and useful perspective on the system.

#### How to use LINDDUN GO

The idea of LINDDUN GO is that it is played in person by a diverse team with as varied a set of viewpoints as possible.
The advice from the LINDDUN GO 'getting started' instructions is that this team contains some or all of:

* domain experts
* system architects
* developers
* the Data Protection Officer (DPO)
* legal experts
* the Chief Information Security Officer (CISO)
* privacy champions

The application should have already been described by an architecture diagram or data flow diagram
so that the players have something to refer to during the game.
[Download][linddun-go-cards] and print out the deck of cards.

Follow the [set of rules][linddun-go-rules] to structure the game session, record the outcome and act on it.
The outcome of the game is to identify possible privacy threats and propose remediations;
as well as having a good time of course.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue060105] or [edit on GitHub][edit060105].

[cornucopia]: https://owasp.org/www-project-cornucopia/
[edit060105]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/05-linddun-go.md
[issue060105]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/05-linddun-go
[linddun]: https://linddun.org/
[linddun-go]: https://linddun.org/go/
[linddun-go-cards]: https://downloads.linddun.org/linddun-go/default/latest/go.pdf
[linddun-go-rules]: https://linddun.org/go-getting-started/

--------------------------------------------------------------------------------
/docs/en/04-design/01-threat-modeling/06-toolkit.md:
--------------------------------------------------------------------------------
There is no one technique or tool that fits every threat modeling process.
The process can be tactical or architectural, subjective or automated, attack tree or data flow diagram;
all are perfectly valid for different organizations, teams and situations.

The OWASP [Threat Modeling toolkit][toolkit] presentation at OWASP AppSec California 2018 gives a good
overview of the range of concepts and techniques that can be regarded as threat modeling.

#### Advice on Threat Modeling

In addition to the Threat Modeling toolkit there are OWASP community pages on [Threat Modeling][TM]
and the OWASP [Threat Modeling Project][tmproject],
both of which provide context and overviews of threat modeling - in particular Shostack's [Four Question Framework][4QFW].

#### Threat Modeling step by step

The [Threat Modeling Process][TMP] suggests steps that should be taken when threat modeling:

1. Decompose the Application
2. Determine and Rank Threats
3. Determine Countermeasures and Mitigation

and goes into detail on each concept:

* External Dependencies
* Entry Points
* Exit Points
* Assets
* Trust Levels
* Threat Categorization
* Threat Analysis
* Ranking of Threats
* Remediation for threats / vulnerabilities

The OWASP [Threat Modeling Playbook][tmpb] (OTMP) is an OWASP Incubator project that describes how to
create and nurture a good threat modeling culture within the organization itself.

#### Cheat Sheets for Threat Modeling

The OWASP series of Cheat Sheets is a primary source of advice and techniques on all things security,
with the OWASP [Threat Modeling Cheat Sheet][cstm] and OWASP [Attack Surface Analysis Cheat Sheet][asacs]
providing practical suggestions along with explanations of both the terminology and the concepts involved.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue060106] or [edit on GitHub][edit060106].

[4QFW]: https://github.com/adamshostack/4QuestionFrame
[asacs]: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet
[cstm]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet
[issue060106]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/06-toolkit
[edit060106]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/06-toolkit.md
[toolkit]: https://www.youtube.com/watch?v=KGy_KCRUGd4
[tmpb]: https://owasp.org/www-project-threat-modeling-playbook/
[tmproject]: https://owasp.org/www-project-threat-model/
[TM]: https://owasp.org/www-community/Threat_Modeling
[TMP]: https://owasp.org/www-community/Threat_Modeling_Process

--------------------------------------------------------------------------------
/docs/en/04-design/01-threat-modeling/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

Referring to the [Threat Modeling Cheat Sheet][cstm],
threat modeling is a structured approach to identifying and prioritizing potential threats to a system.
The threat modeling process includes determining the value that potential mitigations would have
in reducing or neutralizing these threats.

Assessing potential threats during the design phase of your project can save significant resources
if during a later phase of the project refactoring is required to include risk mitigations.
The outcomes from the threat modeling activities generally include:

* Documenting how data flows through a system to identify where the system might be attacked
* Identifying as many potential threats to the system as possible
* Suggesting security controls that may be put in place to reduce the likelihood or impact of a potential threat

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0601] or [edit on GitHub][edit0601].

[cstm]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet
[edit0601]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/index.md
[issue0601]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/01-threat-modeling/index

--------------------------------------------------------------------------------
/docs/en/04-design/02-web-app-checklist/03-secure-database-access.md:
--------------------------------------------------------------------------------
Ensure that access to all data stores is secure, including both relational databases and NoSQL databases.

Refer to proactive control [C3: Validate all Input & Handle Exceptions][control3] and its [cheatsheets][csproactive-c3]
for more context from the OWASP Top 10 Proactive Controls project,
and use the list below as suggestions for a checklist that has been tailored for the individual project.

#### 1. Secure queries

1. Use Query Parameterization to prevent untrusted input being interpreted as part of a SQL command
2. Use strongly typed parameterized queries
3. Utilize input validation and output encoding and be sure to address meta characters
4. Do not run the database command if input validation fails
5. Ensure that variables are strongly typed
6. Connection strings should not be hard coded within the application
7. Connection strings should be stored in a separate configuration file on a trusted system and they should be encrypted

#### 2. Secure configuration

1. The application should use the lowest possible level of privilege when accessing the database
2. Use stored procedures to abstract data access and allow for the removal of permissions to the base tables in the database
3. Close the database connection as soon as possible
4. Turn off all unnecessary database functionality
5. Remove unnecessary default vendor content, for example sample schemas
6. Disable any default accounts that are not required to support business requirements

#### 3. Secure authentication

1. Remove or change all default database administrative passwords
2. The application should connect to the database with different credentials for every trust distinction
   (for example user, read-only user, guest, administrators)
3. Use secure credentials for database access

#### References

* OWASP [Cheat Sheet: Query Parameterization][csquery]
* OWASP [Cheat Sheet: Database Security][csdb]
* OWASP [Top 10 Proactive Controls][proactive10]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue060203] or [edit on GitHub][edit060203].
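The secure-queries and secure-configuration items above, as an added example that is not part of the Developer Guide: a deliberately flawed string-built query beside its parameterized replacement, a validation step that refuses to run the command on bad input, and a connection string read from configuration rather than from code. The configuration text, the SQLite in-memory database and its rows are constructed for the example.

```python
"""Parameterized queries, input validation and an externalized connection string.

Added example for the 'Secure queries' and 'Secure configuration' checklist items;
it is not code from the OWASP Developer Guide. The configuration text and the
in-memory SQLite rows are constructed so that the example runs offline.
"""
import configparser
import contextlib
import io
import re
import sqlite3

# Constructed configuration: the DSN lives in configuration, not in the code
# (secure queries items 6 and 7; in production the file sits on a trusted system).
SAMPLE_CONFIG = """
[database]
dsn = :memory:
"""

# Item 3: a username may contain an apostrophe (O'Brien) but no other metacharacters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.'-]{1,32}$")


def load_dsn(config_text: str) -> str:
    """Read the connection string from configuration instead of hard coding it."""
    parser = configparser.ConfigParser()
    parser.read_file(io.StringIO(config_text))
    return parser["database"]["dsn"]


def open_db(dsn: str) -> sqlite3.Connection:
    """Open the database and load two constructed rows."""
    conn = sqlite3.connect(dsn)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])      # constructed rows
    return conn


def is_valid_username(name) -> bool:
    """Item 5: strongly typed and allow-listed before it goes anywhere near SQL."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately flawed contrast: the input is spliced into the SQL text, so a quote
    character in it changes the meaning of the command (what items 1 and 2 prevent)."""
    cur = conn.execute("SELECT name, role FROM users WHERE name = '" + name + "'")
    return cur.fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Items 1, 2 and 4: refuse to run on invalid input; otherwise bind the value as a
    parameter so the driver hands it to the engine as data, never as SQL."""
    if not is_valid_username(name):
        raise ValueError("invalid username; query not executed")
    cur = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def lookup_role(config_text: str, name: str) -> str:
    """Secure configuration item 3: open the connection for one query and close it at once."""
    with contextlib.closing(open_db(load_dsn(config_text))) as conn:
        rows = find_user(conn, name)
    return rows[0][1] if rows else "none"
```

With the input `alice'--` the flawed query comments out its own closing quote and returns alice's row, while the parameterized query looks for a user literally named `alice'--` and returns nothing.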

[csproactive-c3]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c3-secure-database-access
[control3]: https://top10proactive.owasp.org/the-top-10/c3-validate-input-and-handle-exceptions/
[csdb]: https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet
[csquery]: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet
[edit060203]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/03-secure-database-access.md
[issue060203]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/03-secure-database-access
[proactive10]: https://top10proactive.owasp.org/

--------------------------------------------------------------------------------
/docs/en/04-design/02-web-app-checklist/04-encode-escape-data.md:
--------------------------------------------------------------------------------
Encoding and escaping of output data are defensive techniques meant to stop injection attacks
on a target system or application which is receiving the output data.

The target system may be another software component or it may be reflected back to the initial system,
such as operating system commands,
so encoding and escaping output data helps to provide defense in depth for the system as a whole.

Refer to proactive control [C3: Validate all Input & Handle Exceptions][control3] and its [cheatsheets][csproactive-c4]
for more context from the OWASP Top 10 Proactive Controls project,
and use the list below as suggestions for a checklist that has been tailored for the individual project.

#### 1. Character encoding and canonicalization

1. Apply output encoding just before the content is passed to the target system
2. Conduct all output encoding on a trusted system
3. Utilize a standard, tested routine for each type of outbound encoding
4. Specify character sets, such as UTF-8, for all outputs
5. Apply canonicalization to convert Unicode data into a standard form
6. Ensure the output encoding is safe for all target systems
7. In particular sanitize all output used for operating system commands

#### 2. Contextual output encoding

Contextual output encoding of data is based on how it will be utilized by the target.
The specific methods vary depending on the way the output data is used, such as HTML entity encoding.

1. Contextually encode all data returned to the client from untrusted sources
2. Contextually encode all output of untrusted data to queries for SQL, XML, and LDAP

#### References

* OWASP [Cheat Sheet: Injection Prevention][ipcs]
* OWASP [Java Encoder Project][encoder]
* OWASP [Top 10 Proactive Controls][proactive10]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue060204] or [edit on GitHub][edit060204].
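The canonicalization and contextual-encoding items above, as an added example that is not from the Developer Guide or the OWASP Java Encoder project: one tested routine per target context (HTML body or attribute, URL parameter, LDAP filter value), each applied after Unicode normalization and only at the point where the output is assembled. The `render_profile_link` function and its inputs are constructed for the example.

```python
"""Canonicalize, then encode for the exact context the output will land in.

Added example for the encoding checklist; not code from the OWASP Developer Guide.
The page names HTML entity encoding as one contextual method; the URL and LDAP
routines here illustrate the same rule for two other targets the checklist lists.
"""
import html
import unicodedata
from urllib.parse import quote


def canonicalize(text: str) -> str:
    """Item 5: bring composed/decomposed Unicode into one standard form first,
    so that every encoder below sees the same characters."""
    return unicodedata.normalize("NFC", text)


def encode_for_html(text: str) -> str:
    """Item 3: one standard routine for the HTML body and quoted-attribute contexts.
    quote=True also encodes ' and ", so the result is safe inside a quoted attribute."""
    return html.escape(canonicalize(text), quote=True)


def encode_for_url_param(text: str) -> str:
    """Percent-encode a query-string value; safe="" keeps '/' and '&' encoded too."""
    return quote(canonicalize(text).encode("utf-8"), safe="")


def encode_for_ldap_filter(text: str) -> str:
    """Contextual item 2: escape the characters RFC 4515 gives special meaning in a
    filter value (backslash, asterisk, parentheses, NUL) as \\xx hex sequences."""
    out = []
    for ch in canonicalize(text):
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_profile_link(display_name: str, search_term: str) -> str:
    """Item 1: the encoder matching each slot is applied just before the HTML is
    assembled. Constructed template for the example."""
    return '<a href="/search?q=%s" title="%s">%s</a>' % (
        encode_for_url_param(search_term),   # URL slot inside an attribute
        encode_for_html(display_name),       # attribute-value slot
        encode_for_html(display_name),       # element-body slot
    )
```

Note that the `href` slot needs URL encoding and then sits inside an HTML attribute; percent-encoded output contains no `"`, `<` or `&`, so no second pass is required here, but a value that is not fully percent-encoded would need both.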

[csproactive-c4]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c4-encode-and-escape-data
[control3]: https://top10proactive.owasp.org/the-top-10/c3-validate-input-and-handle-exceptions/
[edit060204]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/04-encode-escape-data.md
[encoder]: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
[ipcs]: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet
[issue060204]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/04-encode-escape-data
[proactive10]: https://top10proactive.owasp.org/

--------------------------------------------------------------------------------
/docs/en/04-design/02-web-app-checklist/07-access-controls.md:
--------------------------------------------------------------------------------
Access Control or [Authorization][csauthz] is the process of granting or denying specific requests
from a user, program, or process.

Refer to proactive control [C1: Implement Access Controls][control1] and its [cheatsheets][csproactive-c7]
for more context from the OWASP Top 10 Proactive Controls project,
and use the list below as suggestions for a checklist that has been tailored for the individual project.

#### 1. Authorization

1. Design access control / authorization thoroughly up-front
2. Force all requests to go through access control checks unless public
3. Deny by default; if a request is not specifically allowed then it is denied
4. Apply least privilege, providing the least access as is necessary
5. Log all authorization events

#### 2. Access control

1. Enforce authorization controls on every request
2. Use only trusted system objects for making access authorization decisions
3. Use a single site-wide component to check access authorization
4. Access controls should fail securely
5. Deny all access if the application cannot access its security configuration information
6. Segregate privileged logic from other application code
7. Limit the number of transactions a single user or device can perform in a given period of time,
   low enough to deter automated attacks but above the actual business requirement
8. If long authenticated sessions are allowed, periodically re-validate a user's authorization
9. Implement account auditing and enforce the disabling of unused accounts
10. The application must support termination of sessions when authorization ceases

#### References

* OWASP [Cheat Sheet: Authorization][csauthz]
* OWASP [Top 10 Proactive Controls][proactive10]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue060207] or [edit on GitHub][edit060207].
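The authorization and access-control items above, as an added example that is not from the Developer Guide: a single site-wide component that denies unless a grant is explicit, denies everything when its policy configuration is unavailable, denies once the session is no longer valid, caps transactions per user per time window, and logs every decision. The policy table, `Subject` type and limits are constructed for the example.

```python
"""One site-wide authorization component: deny by default, fail securely, rate limit, log.

Added example for the access-control checklist; not code from the OWASP Developer
Guide. The policy table, subjects and limits are constructed for the example.
"""
import logging
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

log = logging.getLogger("authz")

# Constructed policy: role -> explicitly allowed (action, resource) pairs.
# Anything absent from this table is denied (authorization item 3).
SAMPLE_POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "admin": {("read", "report"), ("write", "report"), ("delete", "report")},
    "user": {("read", "report")},
}


@dataclass
class Subject:
    """Trusted server-side session state (access control item 2), never request-supplied values."""
    user_id: str
    role: str
    session_valid: bool = True


@dataclass
class AccessControl:
    """The one component every request passes through (access control items 1 and 3)."""
    policy: Optional[Dict[str, Set[Tuple[str, str]]]]   # None models 'configuration unavailable'
    max_per_window: int = 5            # item 7: above the business need, below automation rates
    window_seconds: float = 60.0
    _stamps: Dict[str, List[float]] = field(default_factory=dict)

    def check(self, subject: Subject, action: str, resource: str,
              now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        allowed = self._decide(subject, action, resource, now)
        # authorization item 5: every decision, allowed or denied, is logged
        log.info("authz user=%s role=%s action=%s resource=%s allowed=%s",
                 subject.user_id, subject.role, action, resource, allowed)
        return allowed

    def _decide(self, subject: Subject, action: str, resource: str, now: float) -> bool:
        if self.policy is None:
            return False               # items 4 and 5: no security configuration means deny all
        if not subject.session_valid:
            return False               # item 10: authorization ceased with the session
        if not self._within_rate_limit(subject.user_id, now):
            return False               # item 7: too many transactions in the window
        # authorization items 3 and 4: only an explicit grant allows; anything else denies
        return (action, resource) in self.policy.get(subject.role, set())

    def _within_rate_limit(self, user_id: str, now: float) -> bool:
        """Sliding window over the user's recent requests; denied requests count too."""
        recent = [t for t in self._stamps.get(user_id, []) if now - t < self.window_seconds]
        if len(recent) >= self.max_per_window:
            self._stamps[user_id] = recent
            return False
        recent.append(now)
        self._stamps[user_id] = recent
        return True
```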

[csproactive-c7]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c7-enforce-access-controls
[control1]: https://top10proactive.owasp.org/the-top-10/c1-accesscontrol/
[csauthz]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet
[edit060207]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/07-access-controls.md
[issue060207]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/07-access-controls
[proactive10]: https://top10proactive.owasp.org/

--------------------------------------------------------------------------------
/docs/en/04-design/02-web-app-checklist/08-protect-data.md:
--------------------------------------------------------------------------------
Sensitive data such as passwords, credit card numbers, health records, personal information and business secrets
require extra protection, particularly if that data falls under privacy laws (EU General Data Protection Regulation GDPR),
financial data protection rules such as PCI Data Security Standard (PCI DSS) or other regulations.

Refer to proactive control [C2: Use Cryptography the proper way][control2] and its [cheatsheets][csproactive-c8]
for more context from the OWASP Top 10 Proactive Controls project,
and use the list below as suggestions for a checklist that has been tailored for the individual project.

#### 1. Data protection

1. Classify data according to the level of sensitivity
2. Implement appropriate access controls for sensitive data
3. Encrypt data in transit
4. Ensure secure communication channels are properly configured
5. Avoid storing sensitive data when at all possible
6. Ensure sensitive data at rest is cryptographically protected to avoid unauthorized disclosure and modification
7. Purge sensitive data when that data is no longer required
8. Store application-level secrets in a secrets vault
9. Check that secrets are not stored in code, config files or environment variables
10. Implement least privilege, restricting access to functionality, data and system information
11. Protect all cached or temporary copies of sensitive data from unauthorized access
12. Purge those temporary copies of sensitive data as soon as they are no longer required

#### 2. Memory management

1. Explicitly initialize all variables and data stores
2. Check that any buffers are as large as specified
3. Check buffer boundaries if calling the function in a loop and protect against overflow
4. Specifically close resources, don't rely on garbage collection
5. Use non-executable stacks when available
6. Properly free allocated memory upon the completion of functions and at all exit points
7. Overwrite any sensitive information stored in allocated memory at all exit points from the function
8. Protect shared variables and resources from inappropriate concurrent access

#### References

* OWASP [Cheat Sheet: Cryptographic Storage][cscs]
* OWASP [Cheat Sheet: Secrets Management][cssm]
* OWASP [Top 10 Proactive Controls][proactive10]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue060208] or [edit on GitHub][edit060208].

[csproactive-c8]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c8-protect-data-everywhere
[control2]: https://top10proactive.owasp.org/the-top-10/c2-crypto/
[cscs]: https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet
[cssm]: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet
[edit060208]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/08-protect-data.md
[issue060208]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/08-protect-data
[proactive10]: https://top10proactive.owasp.org/

--------------------------------------------------------------------------------
/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md:
--------------------------------------------------------------------------------
Logging is recording security information during the runtime operation of an application.
Monitoring is the live review of application and security logs using various forms of automation.

Refer to proactive control [C9: Implement Security Logging and Monitoring][control9]
and its [cheatsheets][csproactive-c9] for more context from the OWASP Top 10 Proactive Controls project,
and use the list below as suggestions for a checklist that has been tailored for the individual project.

#### 1. Security logging

1. Log submitted data that is outside of an expected numeric range
2. Log submitted data that involves changes to data that should not be modifiable
3. Log requests that violate server-side access control rules
4. Encode and validate any dangerous characters before logging to prevent log injection attacks
5. Do not log sensitive information
6. Logging controls should support both success and failure of specified security events
7. Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords
8. Use a cryptographic hash function to validate log entry integrity

#### 2. Security logging design

1. Protect log integrity
2. Ensure log entries that include untrusted data will not execute as code in the intended log viewing interface or software
3. Restrict access to logs to only authorized individuals
4. Utilize a central routine for all logging operations
5. Forward logs from distributed systems to a central, secure logging service
6. Follow a common logging format and approach within the system and across systems of an organization
7. Synchronize across nodes to ensure that timestamps are consistent
8. All logging controls should be implemented on a trusted system
9. Ensure that a mechanism exists to conduct log analysis

#### References

* OWASP [Cheat Sheet: Logging][cslogging]
* OWASP [Cheat Sheet: Application Logging Vocabulary][csvocabulary]
* OWASP [Top 10 Proactive Controls][proactive10]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue060209] or [edit on GitHub][edit060209].
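The security-logging items above (encode dangerous characters, keep secrets and session identifiers out, record success and failure, hash for integrity) and the design items on a central routine and a common format, as an added example that is not from the Developer Guide: a central logger that neutralizes control characters, redacts named fields, writes one JSON entry per line and chains a SHA-256 over the entries so that a modified or removed line is detected. The entry format, field names and sample events are constructed for the example.

```python
"""Central security logger: neutralize log injection, redact secrets, hash-chain entries.

Added example for the logging checklist; not code from the OWASP Developer Guide.
The JSON layout, the SENSITIVE_KEYS set and the events recorded are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

SENSITIVE_KEYS = {"password", "session_id", "token", "card_number"}   # constructed
GENESIS = "0" * 64


def neutralize(value: str) -> str:
    """Item 4: encode CR, LF and other control characters so a submitted value cannot
    forge an extra log line or drive escape sequences in a log viewer (design item 2)."""
    out = []
    for ch in value:
        if ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def redact(fields: Dict[str, object]) -> Dict[str, str]:
    """Items 5 and 7: secrets and session identifiers never reach the log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_KEYS else neutralize(str(v)))
            for k, v in fields.items()}


class SecurityLog:
    """Design item 4: the one routine every component logs through.
    Each entry embeds the hash of the previous entry (item 8, design item 1)."""

    def __init__(self) -> None:
        self.entries: List[str] = []
        self._prev_hash = GENESIS

    def record(self, event: str, outcome: str, timestamp: Optional[str] = None,
               **fields: object) -> str:
        entry = {
            "ts": timestamp or datetime.now(timezone.utc).isoformat(),
            "event": neutralize(event),
            "outcome": outcome,                 # item 6: success and failure both recorded
            "fields": redact(fields),
            "prev": self._prev_hash,
        }
        line = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256(line.encode("utf-8")).hexdigest()
        self.entries.append(line + " " + digest)
        self._prev_hash = digest
        return self.entries[-1]


def verify_chain(lines: List[str]) -> bool:
    """Recompute every digest and check each entry's 'prev' links to the one before it."""
    prev = GENESIS
    for raw in lines:
        line, _, digest = raw.rpartition(" ")
        if hashlib.sha256(line.encode("utf-8")).hexdigest() != digest:
            return False
        if json.loads(line)["prev"] != prev:
            return False
        prev = digest
    return True
```

A plain hash chain detects alteration but not re-computation by someone who can write the log, so it is only as strong as the restriction on log access (design item 3) and the forwarding of entries to a separate, secure service (design item 5), where the chain head can be compared against a copy the application host cannot modify.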

[csproactive-c9]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c9-implement-security-logging-and-monitoring
[control9]: https://top10proactive.owasp.org/the-top-10/c9-security-logging-and-monitoring/
[cslogging]: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet
[csvocabulary]: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Vocabulary_Cheat_Sheet
[edit060209]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/09-logging-monitoring.md
[issue060209]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/09-logging-monitoring
[proactive10]: https://top10proactive.owasp.org/

--------------------------------------------------------------------------------
/docs/en/04-design/02-web-app-checklist/10-handle-errors-exceptions.md:
--------------------------------------------------------------------------------

Handling [exceptions and errors][cserror] correctly is critical to making your code reliable and secure.
Error and exception handling occurs in all areas of an application including critical business logic
as well as security features and framework code.

Refer to proactive control [C3: Validate all Input & Handle Exceptions][control3]
and its [cheatsheets][csproactive-c10] for more context from the OWASP Top 10 Proactive Controls project,
and use the list below as suggestions for a checklist that has been tailored for the individual project.

#### 1. Errors and exceptions

1. Manage exceptions in a centralized manner to avoid duplicated try/catch blocks in the code
2. Ensure that all unexpected behavior is correctly handled inside the application
3. Ensure that error messages displayed to users do not leak critical data,
    but are still verbose enough to enable the proper user response
4. Ensure that exception logs give enough information for support, QA, forensics or incident response teams
5. Carefully test and verify error handling code
6. Do not disclose sensitive information in error responses, for example
    system details, session identifiers or account information
7. Use error handlers that do not display debugging or stack trace information
8. Implement generic error messages and use custom error pages
9. The application should handle application errors and not rely on the server configuration
10. Properly free allocated memory when error conditions occur
11. Error handling logic associated with security controls should deny access by default

#### References

* OWASP [Code Review Guide: Error Handling][review]
* OWASP [Improper Error Handling][handle]
* OWASP [Top 10 Proactive Controls][proactive10]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue060210] or [edit on GitHub][edit060210].
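The following Python is an added example of how checklist items 1, 3, 4, 6, 7 and 11 fit together in one handler; it is example code for this guide entry, not the OWASP Developer Guide's own, and the exception classes, log sink, messages and sample values are constructed assumptions.

```python
"""Added example (not part of the OWASP Developer Guide): a centralised
exception handler. Every exception passes through one routine that returns
a generic client-facing message plus a correlation id, while the full
detail (type, message, stack trace) goes only to the server-side log for
support and forensics. Failures inside a security control are treated as
"deny". Exception classes, messages and values are constructed."""
import logging
import traceback
import uuid
from typing import Callable, Optional

log = logging.getLogger("app.errors")


class AuthorizationError(Exception):
    """Raised by a security control; must never turn into an implicit allow."""


class NotFoundError(Exception):
    """Expected business error the user can act on."""


# Generic messages only: no stack traces, paths, SQL, session ids or account data.
_CLIENT_MESSAGES = {
    NotFoundError: (404, "The requested item does not exist."),
    AuthorizationError: (403, "You are not permitted to perform this action."),
}
_DEFAULT = (500, "An internal error occurred; quote the reference id when contacting support.")


def handle_exception(exc: Exception, request_id: Optional[str] = None) -> dict:
    """Single choke point for all exceptions (item 1).

    Returns the response the application should render (items 3, 6, 7, 8);
    the correlation id lets support find the detailed log line (item 4)."""
    correlation = request_id or uuid.uuid4().hex
    status, message = _DEFAULT
    for exc_type, mapped in _CLIENT_MESSAGES.items():
        if isinstance(exc, exc_type):
            status, message = mapped
            break
    # Everything a responder needs stays server-side; none of it reaches the client.
    log.error(
        "request=%s status=%d type=%s detail=%r\n%s",
        correlation, status, type(exc).__name__, str(exc),
        "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
    )
    return {"status": status, "error": message, "correlation_id": correlation}


def authorize(check: Callable[[], bool]) -> bool:
    """Run a security check so that any failure inside it is a deny (item 11).

    A crashed check (database down, misconfiguration) must not be mistaken
    for a successful one, so the only way to get True is an explicit True."""
    try:
        return bool(check())
    except Exception as exc:
        handle_exception(exc)
        return False


if __name__ == "__main__":
    # Constructed detail that must reach the log but never the client.
    print(handle_exception(RuntimeError("db password=hunter2 (constructed)")))
    print(authorize(lambda: 1 / 0))
```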

[cserror]: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet
[csproactive-c10]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c10-handle-all-errors-and-exceptions
[control3]: https://top10proactive.owasp.org/the-top-10/c3-validate-input-and-handle-exceptions/
[edit060210]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/10-handle-errors-exceptions.md
[handle]: https://owasp.org/www-community/Improper_Error_Handling
[issue060210]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/10-handle-errors-exceptions
[proactive10]: https://top10proactive.owasp.org/
[review]: https://owasp.org/www-project-code-review-guide/

--------------------------------------------------------------------------------
/docs/en/04-design/02-web-app-checklist/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

Checklists are a valuable resource for development teams.
They provide structure for establishing good practices and processes
and are also useful during code reviews and design activities.

The checklists that follow are general lists that are categorized to follow the controls listed in the
[OWASP Top 10 Proactive Controls][proactive10] project.
These checklists provide suggestions that certainly should be tailored to
an individual project's requirements and environment; they are not meant to be followed in their entirety.

Probably the best starting point for a checklist is given by the [Application Security Verification Standard (ASVS)][asvs].
The ASVS can be used to provide a framework for an initial checklist, according to the security verification level,
and this initial ASVS checklist can then be expanded using the following checklist sections.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0602] or [edit on GitHub][edit0602].

[asvs]: https://owasp.org/www-project-application-security-verification-standard/
[edit0602]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/02-web-app-checklist/index.md
[issue0602]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/02-web-app-checklist/index
[proactive10]: https://owasp.org/www-project-proactive-controls/

--------------------------------------------------------------------------------
/docs/en/04-design/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 }

Referring to the [Secure Product Design Cheat Sheet][spdcs], the purpose of secure architecture and design is to ensure
that all products meet or exceed the security requirements laid down by the organization,
focusing on the security linked to components and technologies used during the development of the application.

Secure Architecture Design looks at the selection and composition of components that form the foundation of the solution.
Technology Management looks at the security of supporting technologies used during development, deployment and operations,
such as development stacks and tooling, deployment tooling, and operating systems and tooling.

A secure design will help establish secure defaults, minimize the attack surface area
and fail securely to well-defined and understood defaults.
It will also consider and follow various principles, such as:

* Least Privilege and Separation of Duties
* Defense-in-Depth
* Zero Trust
* Security in the Open

A Secure Development Lifecycle (SDLC) helps to ensure that all security decisions made about the product being developed
are explicit choices and result in the correct level of security for the product design.
Various secure development lifecycles can be used and they generally include threat modeling in the design process.

Checklists and Cheat Sheets are an important tool during the design process;
they provide an easy reference of knowledge and help avoid repeating design errors and mistakes.

Software application [Design][sammd] is one of the major business functions described in
the [Software Assurance Maturity Model (SAMM)][samm], and includes security practices:

* [Threat Assessment][sammdta]
* [Security Requirements][sammdsr]
* [Security Architecture][sammdsa]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0600] or [edit on GitHub][edit0600].

[edit0600]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/index.md
[issue0600]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/index
[samm]: https://owaspsamm.org/about/
[sammd]: https://owaspsamm.org/model/design/
[sammdsa]: https://owaspsamm.org/model/design/secure-architecture/
[sammdsr]: https://owaspsamm.org/model/design/security-requirements/
[sammdta]: https://owaspsamm.org/model/design/threat-assessment/
[spdcs]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet

--------------------------------------------------------------------------------
/docs/en/05-implementation/01-documentation/02-go-scp.md:
--------------------------------------------------------------------------------

The OWASP Go Secure Coding Practices (Go-SCP) is a set of software secure coding practices for the Go programming language.

The Go-SCP [documentation project][go-scp-project] is an OWASP Incubator Project
that has enough long term support to achieve Lab status soon.
The published document can be [downloaded in various formats][go-scp-download] from the github repo.

#### What is Go-SCP?

Go-SCP provides examples and recommendations to help developers avoid common mistakes and pitfalls,
including code examples in Go that provide practical guidance on implementing the recommendations.
Go-SCP covers the OWASP [Secure Coding Practices Quick Reference Guide][scp-qrf] topic-by-topic:

* Input Validation
* Sanitization Output Encoding
* Authentication and Password Management
* Session Management
* Access Control
* Cryptographic Practices
* Error Handling and Logging
* Data Protection
* Communication Security
* System Configuration
* Database Security
* File Management
* Memory Management
* General Coding Practices

The [Go Secure Coding Practices][go-scp-project] book is available in various formats:

* PDF
* ePub
* DocX
* MOBI

#### Why use Go-SCP?

Development teams often need help and support in getting the security right for web applications,
and part of this help comes from secure coding guidelines and best practices.
Go-SCP provides this guidance for a wide range of secure coding topics as well as providing practical code examples
for each coding practice.

#### How to use Go-SCP?

The primary audience of the Go Secure Coding Practices Guide is developers,
particularly those with previous experience in other programming languages.

Download the [Go-SCP document][go-scp-download] in one of the formats: PDF, ePub, DocX and MOBI.
Refer to the specific topic chapter and then use the example Go code snippets
for practical guidance on secure coding using Go.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue070102] or [edit on GitHub][edit070102].

[edit070102]: https://github.com/OWASP/DevGuide/blob/main/docs/en/05-implementation/01-documentation/02-go-scp.md
[go-scp-download]: https://github.com/OWASP/Go-SCP/tree/master/dist
[go-scp-project]: https://owasp.org/www-project-go-secure-coding-practices-guide/
[issue070102]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/01-documentation/02-go-scp
[scp-qrf]: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/

--------------------------------------------------------------------------------
/docs/en/05-implementation/01-documentation/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

Documentation is used here as part of the SAMM [Training and Awareness][sammgegta] activity,
which in turn is part of the SAMM [Education & Guidance][sammgeg] security practice
within the [Governance][sammg] business function.

It is important that development teams have good documentation on security techniques, frameworks, tools and threats.
Documentation helps to promote security awareness for all teams involved in software development,
and provides guidance on building security into applications and systems.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0710] or [edit on GitHub][edit0710].

[edit0710]: https://github.com/OWASP/DevGuide/blob/main/docs/es/07-implementation/01-documentation/index.md
[issue0710]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2007-implementation/01-documentation/index
[sammg]: https://owaspsamm.org/model/governance/
[sammgeg]: https://owaspsamm.org/model/governance/education-and-guidance/
[sammgegta]: https://owaspsamm.org/model/governance/education-and-guidance/stream-a/

--------------------------------------------------------------------------------
/docs/en/05-implementation/02-dependencies/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

Management of software dependencies is described by the SAMM [Software Dependencies][sammisbsd] activity,
which in turn is part of the SAMM [Secure Build][sammisb] security practice
within the [Implementation][sammi] business function.

It is important to record all dependencies used throughout the application in a production environment.
This can be achieved by Software Composition Analysis (SCA) to identify the third party dependencies.

A Software Bill of Materials (SBOM) provides a record of the dependencies within the system / application,
and provides information on each dependency so that it can be tracked:

* Where it is used or referenced
* Version used
* License
* Source information and repository
* Support and maintenance status of the dependency

Having an SBOM provides the ability to quickly find out which applications are affected by a specific
[Common Vulnerability and Exposure][cve] (CVE), or what CVEs are present in a particular application.
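An added Python example of the two lookups just described (applications affected by one advisory, and advisories present in one application) plus the "where is it used, and at which version" inventory question; this is example code for this guide entry, not the Developer Guide's or any OWASP tool's own, and the SBOM contents, package names and advisory ids are constructed placeholders rather than real data.

```python
"""Added example (not part of the OWASP Developer Guide): querying a small
set of SBOMs. The documents follow the CycloneDX JSON layout (metadata
component, components with name/version/purl/licenses), but every
application, package, version and advisory id here is a constructed
placeholder; the advisory feed is likewise a constructed stand-in."""
from typing import Dict, List, Tuple

# Constructed SBOMs, one per deployed application.
SBOM_DOCS = [
    {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "billing-api", "version": "3.1.0"}},
        "components": [
            {"name": "example-http-client", "version": "2.4.1",
             "purl": "pkg:pypi/example-http-client@2.4.1",
             "licenses": [{"license": {"id": "MIT"}}]},
            {"name": "example-xml-parser", "version": "1.0.9",
             "purl": "pkg:pypi/example-xml-parser@1.0.9",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
        ],
    },
    {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "customer-portal", "version": "7.2.4"}},
        "components": [
            {"name": "example-xml-parser", "version": "1.2.0",
             "purl": "pkg:pypi/example-xml-parser@1.2.0",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
            {"name": "example-template", "version": "0.9.3",
             "purl": "pkg:pypi/example-template@0.9.3",
             "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        ],
    },
]

# Constructed advisory feed: placeholder ids mapped to the affected package
# (purl without version) and the first fixed version; earlier versions are affected.
ADVISORIES = {
    "CVE-0000-PLACEHOLDER-1": ("pkg:pypi/example-xml-parser", "1.1.0"),
    "CVE-0000-PLACEHOLDER-2": ("pkg:pypi/example-template", "1.0.0"),
}


def _version_key(version: str) -> Tuple[int, ...]:
    """Order dotted numeric versions; non-numeric parts count as 0 (a simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def _purl_base(purl: str) -> str:
    return purl.split("@", 1)[0]


def _is_affected(component: dict, advisory: Tuple[str, str]) -> bool:
    base, fixed_in = advisory
    return (_purl_base(component["purl"]) == base
            and _version_key(component["version"]) < _version_key(fixed_in))


def apps_affected_by(advisory_id: str) -> List[str]:
    """Which applications ship a component hit by this advisory?"""
    advisory = ADVISORIES[advisory_id]
    return sorted(doc["metadata"]["component"]["name"]
                  for doc in SBOM_DOCS
                  if any(_is_affected(c, advisory) for c in doc["components"]))


def advisories_in_app(app_name: str) -> Dict[str, str]:
    """Which advisories apply to this application, and through which component?"""
    found = {}
    for doc in SBOM_DOCS:
        if doc["metadata"]["component"]["name"] != app_name:
            continue
        for advisory_id, advisory in ADVISORIES.items():
            for c in doc["components"]:
                if _is_affected(c, advisory):
                    found[advisory_id] = c["purl"]
    return found


def where_used(purl_base: str) -> Dict[str, str]:
    """Inventory view: every application using the package and the version it ships."""
    return {doc["metadata"]["component"]["name"]: c["version"]
            for doc in SBOM_DOCS for c in doc["components"]
            if _purl_base(c["purl"]) == purl_base}


if __name__ == "__main__":
    print(apps_affected_by("CVE-0000-PLACEHOLDER-1"))
    print(advisories_in_app("customer-portal"))
    print(where_used("pkg:pypi/example-xml-parser"))
```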

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0702] or [edit on GitHub][edit0702].

[cve]: https://www.cve.org/
[edit0702]: https://github.com/OWASP/DevGuide/blob/main/docs/es/05-implementation/02-dependencies/index.md
[issue0702]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2005-implementation/02-dependencies/index
[sammi]: https://owaspsamm.org/model/implementation/
[sammisb]: https://owaspsamm.org/model/implementation/secure-build/
[sammisbsd]: https://owaspsamm.org/model/implementation/secure-build/stream-b/

--------------------------------------------------------------------------------
/docs/en/05-implementation/03-secure-libraries/02-csrf-guard.md:
--------------------------------------------------------------------------------

OWASP [CSRFGuard][csrfguard] is a security control that helps protect Java applications
against [Cross-Site Request Forgery][cscsrf] (CSRF) attacks.

The CSRFGuard Builder/Breaker Tool project is an OWASP Production Project
and is being actively maintained by a pool of international volunteers.

#### What is CSRFGuard?

OWASP [CSRFGuard][csrfguard] is a library that implements a variant of the synchronizer token pattern to mitigate
the risk of Cross-Site Request Forgery (CSRF) attacks for Java applications.

The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated
and manual ways to integrate per-session or pseudo-per-request tokens into HTML.
When a user interacts with this HTML, CSRF prevention tokens are submitted with the corresponding HTTP request.
CSRFGuard ensures the token is present and is valid for the current HTTP request.

#### Why use it?

The OWASP CSRFGuard library is widely used for Java applications, and will help mitigate against CSRF.

#### How to use it

Pre-compiled versions of the CSRFGuard library can be downloaded from
the [Maven Central repository][csrfguard-maven] or the [OSS Sonatype Nexus][csrfguard-nexus] repository.

Follow the [instructions][csrfguard-build] to build CSRFGuard into the Java application using Maven.

#### References

* OWASP [CSRFGuard][csrfguard]
* OWASP [Cross-Site Request Forgery Prevention Cheat Sheet][cscsrf]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue070302] or [edit on GitHub][edit070302].

[csrfguard]: https://owasp.org/www-project-csrfguard/
[csrfguard-build]: https://github.com/OWASP/www-project-csrfguard/blob/master/readme.md#using-with-maven
[csrfguard-nexus]: https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~
[csrfguard-maven]: https://central.sonatype.com/search?q=csrfguard&smo=true
[cscsrf]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet
[edit070302]: https://github.com/OWASP/DevGuide/blob/main/docs/en/05-implementation/03-secure-libraries/02-csrf-guard.md
[issue070302]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/02-csrf-guard

--------------------------------------------------------------------------------
/docs/en/05-implementation/03-secure-libraries/03-secure-headers.md:
--------------------------------------------------------------------------------

![Secure Headers logo](../../../assets/images/logos/secure_headers.png "OWASP Secure Headers"){ align=right width=150 }

The OWASP Secure Headers Project ([OSHP][oshp]) provides information on HTTP response headers
to increase the security of a web application.

The OSHP documentation project is an OWASP Lab Project and raises awareness of secure headers and their use.

#### What is OSHP?

The [OSHP project][oshp] provides explanations for the HTTP response headers that an application can use
to increase the security of the application.
Once set, the HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities.

OSHP contains guidance and downloads on:

* Response headers explanations and usage
* Links to individual browser support
* Guidance and best practices
* Technical resources in the form of tools and documents
* Code snippets to help working with HTTP security headers

#### Why use it?

The OSHP is a documentation project that explains the reasoning and usage of HTTP response headers.
It is the go-to document for guidance and best practices;
the information on HTTP response headers is the best advice, in one location, and is kept up to date.

#### How to use it

The OWASP Spotlight series provides an overview of this project and its uses:
'Project 24 - [OWASP Security Headers Project][spotlight24]'.

OSHP provides links to development [libraries][oshp-libs] that provide for secure HTTP response headers
in a range of languages and frameworks: DotNet, Go, HAPI, Java, NodeJS, PHP, Python, Ruby, Rust.
The OSHP also lists [various tools][oshp-tools] useful for inspection, analysis and scanning of HTTP response headers.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue070303] or [edit on GitHub][edit070303].

[edit070303]: https://github.com/OWASP/DevGuide/blob/main/docs/en/05-implementation/03-secure-libraries/03-secure-headers.md
[issue070303]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/03-secure-headers
[oshp]: https://owasp.org/www-project-secure-headers/
[oshp-libs]: https://owasp.org/www-project-secure-headers/#development-libraries
[oshp-tools]: https://owasp.org/www-project-secure-headers/#analysis-tools
[spotlight24]: https://youtu.be/N4F3VWQYU9E

--------------------------------------------------------------------------------
/docs/en/05-implementation/03-secure-libraries/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

The use of secure libraries is part of the technology management that helps to fulfill security requirements.
Standard libraries enable the adoption of common design patterns and security solutions,
and provide standardized technologies and frameworks that can be used throughout different applications.

[Technology Management][sammdsatm] for the software applications is described by SAMM as an activity
within the SAMM [Security Architecture][sammdsa] security practice
which in turn is part of the [Design][sammd] business function.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0703] or [edit on GitHub][edit0703].

[edit0703]: https://github.com/OWASP/DevGuide/blob/main/docs/en/05-implementation/03-secure-libraries/index.md
[issue0703]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/index
[sammd]: https://owaspsamm.org/model/design/
[sammdsa]: https://owaspsamm.org/model/design/secure-architecture/
[sammdsatm]: https://owaspsamm.org/model/design/secure-architecture/stream-b/

--------------------------------------------------------------------------------
/docs/en/05-implementation/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 }

The [Implementation][sammi] business function is described by the OWASP [Software Assurance Maturity Model][sammm] (SAMM).
Implementation is focused on the processes and activities related to how an organization
builds and deploys software components and its related defects.
Implementation activities have the most impact on the daily life of developers,
and an important goal of Implementation is to ship reliably working software with minimum defects.

Implementation should include security practices such as:

* Secure Build
* Secure Deployment
* Defect Management

Implementation is where the application / system begins to take shape; source code is written and tests are created.
The implementation of the application follows a secure development lifecycle, with security built in from the start.

The implementation will use a secure method of source code control and storage to fulfill the design security requirements.
The development team will be referring to documentation advising them of best practices,
and will be using secure libraries wherever possible in addition to checking and tracking external dependencies.

Much of the skill of implementation comes from experience, and taking into account the Do's and Don'ts
of secure development is an important knowledge activity in itself.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0700] or [edit on GitHub][edit0700].

[edit0700]: https://github.com/OWASP/DevGuide/blob/main/docs/es/05-implementation/index.md
[issue0700]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2005-implementation/index
[sammm]: https://owaspsamm.org/model/
[sammi]: https://owaspsamm.org/model/implementation/

--------------------------------------------------------------------------------
/docs/en/06-verification/01-guides/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by the [OWASP SAMM][samm].
The verification activities are wide ranging, and will include:

* Testing of security controls
* Review of controls and security mechanisms
* Evaluation and assessment of the security architecture
* and others

Given the breadth of techniques and knowledge required, guides are an important resource for verification activities.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0810] or [edit on GitHub][edit0810].

[edit0810]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/01-guides/index.md
[issue0810]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/01-guides/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/

--------------------------------------------------------------------------------
/docs/en/06-verification/02-tools/01-dast.md:
--------------------------------------------------------------------------------

Dynamic application security testing (DAST) represents a non-functional testing process to identify security weaknesses and
vulnerabilities in applications. The testing process can be carried out manually or be automated. Manual assessment of an
application involves human intervention to identify security flaws which might slip past an automated tool. Usually
business logic errors, race condition checks, and certain zero-day vulnerabilities can only be identified using manual
assessments.

DAST tools are programs which communicate with a web application through the web front-end in order to identify potential
security vulnerabilities in the web application and architectural weaknesses. They perform a black-box test. Unlike static
application security testing tools, DAST tools do not have access to the source code and therefore detect vulnerabilities
by actually performing attacks.

#### Different DAST tools

The OWASP Community contains a [list of DAST tools][dast] that can be used to conduct DAST.
All of these tools have their own strengths and weaknesses.
If you are interested in the effectiveness of DAST tools, check out the [OWASP Benchmark][benchmark] project,
which attempts to scientifically measure the effectiveness of all types of
vulnerability detection tools, including DAST.

#### Why use it?

The big advantage of these types of tools is that they can scan year-round to be constantly searching for vulnerabilities.
With new vulnerabilities being discovered regularly this allows companies to find and patch vulnerabilities before they
can become exploited.

#### Cons

Because these tools perform dynamic testing, they cannot cover 100% of the source code of the application,
and so cannot cover the whole of the application itself.
The penetration tester should look at the coverage of the web application or of its attack surface to
know if the tool was configured correctly or was able to understand the web application.

#### References

* [Dynamic application security testing][wikipedia]
* [Vulnerability Scanning Tools][dast]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue080201] or [edit on GitHub][edit080201].

[benchmark]: https://owasp.org/www-project-benchmark/
[dast]: https://owasp.org/www-community/Vulnerability_Scanning_Tools
[edit080201]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/02-tools/01-dast.md
[issue080201]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/01-dast
[wikipedia]: https://en.wikipedia.org/wiki/Dynamic_application_security_testing

--------------------------------------------------------------------------------
/docs/en/06-verification/02-tools/02-amass.md:
--------------------------------------------------------------------------------

![Amass logo](../../../assets/images/logos/amass.png "OWASP Amass"){ align=right width=80 }

The OWASP Amass is a tool that provides attack surface management for an organization's web sites and applications.
It is used during penetration testing for network mapping of attack surfaces
and external asset discovery by integrating various existing security tools.

The Amass [breaker/tool project][amass] is an OWASP Flagship Project and installers can be
downloaded from the project's github repository [release area][amass-download].

#### What is Amass?

Amass is a command line tool that provides information on an organization's web sites,
using various open source information gathering tools and active reconnaissance techniques.

It is run from the command line with [subcommands][amass-docs]:

1. 'amass intel' collects intelligence on the target organization
2. 'amass enum' performs DNS enumeration and network mapping to populate the results database
3. 'amass db'

Each command comes with a wide set of options that control the tools used and the format of the findings.

#### Why use it?

Amass is an important tool for security test teams. Amass is included in the [Kali Linux][kali] distribution,
which is widely used by penetration testing teams, with Amass providing a straightforward way
of running a wide set of reconnaissance and enumeration tools.

In addition Amass is an easily used tool that is available to both legitimate test teams and malicious actors.
It is very likely that any given organization has been scanned and enumerated by Amass at some point,
either maliciously or legitimately,
so it is important that the tool is run to determine what information a malicious actor can obtain.

#### How to use it

If [Kali Linux][kali] is being used then Amass comes ready installed,
otherwise a wide set of [installers][amass-install] is provided for other platforms.

The extensive [Amass tutorial][amass-tutorial] provides the best way of learning to use Amass and its features.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue080202] or [edit on GitHub][edit080202].

[amass]: https://owasp.org/www-project-amass/
[amass-docs]: https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md
[amass-download]: https://github.com/owasp-amass/amass/releases
[amass-install]: https://github.com/owasp-amass/amass/blob/master/doc/install.md
[amass-tutorial]: https://github.com/owasp-amass/amass/blob/master/doc/tutorial.md
[edit080202]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/02-tools/02-amass.md
[issue080202]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/02-amass
[kali]: https://www.kali.org/

--------------------------------------------------------------------------------
/docs/en/06-verification/02-tools/03-owtf.md:
--------------------------------------------------------------------------------

![OWTF logo](../../../assets/images/logos/owtf.png "OWASP OWTF"){ align=right width=80 }

OWASP Offensive Web Testing Framework ([OWTF][owtf]) is a penetration test tool
that provides pen-testers with a framework for organizing and running security test suites.
It also helps align the pen-testing to various standards and security guides,
allowing the testing to be more creative and comprehensive.

The OWTF defender/tool project is an OWASP Flagship Project
and can be downloaded from the project's github repository [release area][owtfdownload].

#### What is OWTF?

The [OWTF][owtf] tool is a penetration test framework used to organize and run suites of security and pen-testing tools.
It is designed to be run on [Kali Linux][kali]; it can also be run on MacOS but with some modification of scripts and paths.

OWTF is very much a penetration tester's tool; there is an expectation that the
user has a reasonable expertise and grasp of penetration testing environments and tools.
The [documentation][owtfdocs] on installing and running OWTF is not extensive,
and some in-depth knowledge of the target system is required to configure the tool.

#### Why use it?

[OWTF][owtf] is easily configurable and plugins can be created or new tests added using the configuration files.
It can be quickly installed on [Kali Linux][kali], a distribution of Ubuntu that is widely used by pen-testers,
and allows for a whole suite of tests to be directed against the target.

#### How to use it

The OWTF [documentation][owtfdocs] is relatively old, last updated in 2016,
and the [install][owtfinstall] instructions may need adapting to run on MacOS or Kali.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue080203] or [edit on GitHub][edit080203].

[edit080203]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/02-tools/03-owtf.md
[issue080203]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/03-owtf
[kali]: https://www.kali.org/
[owtfinstall]: https://owtf.readthedocs.io/en/develop/installation/methods.html
[owtfdocs]: https://owtf.readthedocs.io/
[owtfdownload]: https://github.com/owtf/owtf/releases
[owtf]: https://owasp.org/www-project-owtf/

--------------------------------------------------------------------------------
/docs/en/06-verification/02-tools/04-nettacker.md:
--------------------------------------------------------------------------------

![Nettacker logo](../../../assets/images/logos/nettacker.png "OWASP Nettacker"){ align=right width=180 }

OWASP Nettacker is a command line utility for automated network and vulnerability scanning.
It can be used during penetration testing for both internal and external security assessments of networks.

The Nettacker [breaker/tool project][nettacker-project] is an OWASP Incubator Project;
the latest version can be downloaded from the project's [github repository][nettacker-install].

#### What is Nettacker?

[Nettacker][nettacker-project] is an automated penetration testing tool.
It is used to scan a network to discover nodes and servers on the network, including subdomains.
Nettacker can then identify servers, services and port numbers in use.

Nettacker is a modular Python application that can be extended with other scanning functions.
The many modules available are grouped into domains:

* [Scan][nettacker-scan] modules for reconnaissance
* [Vulnerability][nettacker-vuln] modules that attempt specific exploits
* [Brute force][nettacker-brute] modules

Nettacker runs on Windows, Linux and MacOS.

#### Why use it?

Nettacker is easy to use from the command line, making it convenient to call from scripts,
and also comes with a web browser interface for easy navigation of the results.
This makes it a quick and reliable way to gain information about a network.

Nettacker can be used both for auditing purposes and for penetration testing.

#### How to use it

The OWASP Spotlight series provides an overview of attack surface management using Nettacker:
'Project 11 - [Nettacker][spotlight11]'.

The documentation for Nettacker is provided in the repository wiki pages;
follow [these instructions][nettacker-install] to install it.

Nettacker is a flexible and modular scanning tool that can be used in many ways and with many options.
The best way to start using it is by following the [introduction video][nettacker-intro] and then taking it from there.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue080204] or [edit on GitHub][edit080204].

[edit080204]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/02-tools/04-nettacker.md
[issue080204]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/04-nettacker
[nettacker-brute]: https://github.com/OWASP/Nettacker/wiki/Modules#brute-modules
[nettacker-install]: https://github.com/OWASP/Nettacker/wiki/Installation
[nettacker-intro]: https://github.com/OWASP/Nettacker/wiki#introduction
[nettacker-project]: https://owasp.org/www-project-nettacker/
[nettacker-scan]: https://github.com/OWASP/Nettacker/wiki/Modules#scan-modules
[nettacker-vuln]: https://github.com/OWASP/Nettacker/wiki/Modules#vuln-modules
[spotlight11]: https://www.youtube.com/watch?v=OGv7OtG127A

--------------------------------------------------------------------------------
/docs/en/06-verification/02-tools/05-secure-headers.md:
--------------------------------------------------------------------------------

![OSHP logo](../../../assets/images/logos/oshp.png "OSHP"){ align=right width=140 }

The OWASP Secure Headers Project ([OSHP][oshp]) provides information on HTTP response headers
to increase the security of a web application.

The OSHP documentation project is an OWASP Lab Project and raises awareness of secure headers and their use.

#### What is OSHP?

The [OSHP project][oshp] provides explanations for the HTTP response headers that an application can use
to increase the security of the application.
Once set, these HTTP response headers can stop modern browsers from running into easily preventable vulnerabilities.
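As an added example (not code from OSHP or from this guide), the following Python check inspects one response's headers the way the analysis tools OSHP lists do, flagging headers that are missing, weak or better removed. The one-year HSTS threshold, the set of information-leaking headers and the two sample responses are this example's own assumptions.

```python
"""Added example: flag missing or weak HTTP security headers, OSHP-style (not OSHP code)."""
from typing import Dict, List

HSTS_MIN_MAX_AGE = 31536000  # one year in seconds; assumed minimum for HSTS max-age
# Headers that advertise the server stack and are better removed (assumption).
INFO_LEAK_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means nothing was flagged."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings: List[str] = []

    # HSTS: present, max-age of at least a year, and covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        parts = [p.strip().lower() for p in hsts.split(";") if p.strip()]
        max_age = next((p[len("max-age="):] for p in parts if p.startswith("max-age=")), "")
        if not max_age.isdigit() or int(max_age) < HSTS_MIN_MAX_AGE:
            findings.append("Strict-Transport-Security: max-age is missing or below one year")
        if "includesubdomains" not in parts:
            findings.append("Strict-Transport-Security: includeSubDomains not set")

    # CSP: present, with a default-src fallback and no unsafe script sources.
    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        if "default-src" not in policy:
            findings.append("Content-Security-Policy: no default-src fallback")
        script_src = policy.get("script-src", policy.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script_src:
                findings.append(f"Content-Security-Policy: script-src allows {weak}")

    # MIME-sniffing protection.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not set to nosniff")

    # Clickjacking protection via X-Frame-Options or the CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in policy:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # Referrer-Policy: browsers apply the last value in a comma-separated list they support.
    referrer = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if referrer not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy is missing or permissive")

    # X-XSS-Protection is deprecated; if present at all it should be disabled.
    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        findings.append("X-XSS-Protection is deprecated; remove it or set it to 0")

    for name in INFO_LEAK_HEADERS:
        if name in h:
            findings.append(f"{name} header discloses implementation details")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Server": "Apache/2.4.41",
    "X-Powered-By": "PHP/7.4",
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Running `check_security_headers` on the constructed responses yields ten findings for the weak set and none for the hardened set; the same function can be fed the header dictionary of any HTTP client response.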

OSHP contains guidance and downloads on:

* Response header explanations and usage
* Links to individual browser support
* Guidance and best practices
* Technical resources in the form of tools and documents
* Code snippets to help when working with HTTP security headers

#### Why use it?

The OSHP is a documentation project that explains the reasoning behind and usage of HTTP response headers.
It is the go-to document for guidance and best practices;
the information on HTTP response headers is the best advice, in one location, and is kept up to date.

#### How to use it

The OWASP Spotlight series provides an overview of this project and its uses:
'Project 24 - [OWASP Security Headers Project][spotlight24]'.

OSHP documents [various tools][oshp-tools] useful for inspection, analysis and scanning of HTTP response headers:

* hsecscan
* humble
* SecurityHeaders.com
* Mozilla Observatory
* Recx Security Analyser
* testssl.sh
* DrHEADer
* csp-evaluator

OSHP also provides links to development [libraries][oshp-libs] that help set secure HTTP response headers
in a range of languages and frameworks.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue080205] or [edit on GitHub][edit080205].

[edit080205]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/02-tools/05-secure-headers.md
[issue080205]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/05-secure-headers
[oshp]: https://owasp.org/www-project-secure-headers/
[oshp-libs]: https://owasp.org/www-project-secure-headers/#development-libraries
[oshp-tools]: https://owasp.org/www-project-secure-headers/#analysis-tools
[spotlight24]: https://youtu.be/N4F3VWQYU9E

--------------------------------------------------------------------------------
/docs/en/06-verification/02-tools/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by the [OWASP SAMM][samm].

The SAMM [Security Testing][sammvst] activity describes the use of both
automated security testing and manual expert security testing to discover security defects.
This security testing should be automated as part of the development, build and deployment processes,
and can be complemented with regular manual security penetration tests.

Automated security testing tools are fast and scale well to numerous applications,
whereas manual security testing of high-risk components requires good knowledge of the application and its business logic.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0820] or [edit on GitHub][edit0820].

[edit0820]: https://github.com/OWASP/DevGuide/blob/main/docs/en/08-verification/02-tools/index.md
[issue0820]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2008-verification/02-tools/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/
[sammvst]: https://owaspsamm.org/model/verification/security-testing/

--------------------------------------------------------------------------------
/docs/en/06-verification/03-frameworks/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by the [OWASP SAMM][samm]
and both [Security Testing][sammvst] and [Requirements-driven Testing][sammvrt] are an important part of verification.

Verification testing can benefit from using frameworks to support continuous and automated security testing.
Use of a framework can provide:

* automation of a security analysis pipeline
* flexibility to run a series of tools in a pipeline
* scalability for multiple security scanners
* control interfaces

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0830] or [edit on GitHub][edit0830].

[edit0830]: https://github.com/OWASP/DevGuide/blob/main/docs/es/08-verification/03-frameworks/index.md
[issue0830]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2008-verification/03-frameworks/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/
[sammvrt]: https://owaspsamm.org/model/verification/requirements-driven-testing/
[sammvst]: https://owaspsamm.org/model/verification/security-testing/

--------------------------------------------------------------------------------
/docs/en/06-verification/04-vulnerability-management/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by the [OWASP SAMM][samm].
Vulnerability management helps maintain the application security level after bug fixes, changes or during maintenance.

The SAMM [Requirements-driven Testing][sammvrt] practice describes the outcomes for effective vulnerability management,
and why it is necessary to have these processes in place.
For example, using security unit tests to provide regression testing
gives some degree of confidence that applications are not vulnerable to known exploits.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0840] or [edit on GitHub][edit0840].

[edit0840]: https://github.com/OWASP/DevGuide/blob/main/docs/es/08-verification/04-vulnerability-management/index.md
[issue0840]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2008-verification/04-vulnerability-management/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/
[sammvrt]: https://owaspsamm.org/model/verification/requirements-driven-testing/

--------------------------------------------------------------------------------
/docs/en/06-verification/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by the [OWASP SAMM][samm].

Verification focuses on the processes and activities related to how an organization checks
and tests artifacts produced throughout software development.
This typically includes quality assurance work such as testing, and also includes other review and evaluation activities.

Verification activities should include:

* Architecture assessment, validation and mitigation
* Requirements-driven testing
* Security control verification and misuse/abuse testing
* Automated security testing and baselining
* Manual security testing and penetration testing

These activities are supported by:

* Security guides
* Test tools
* Test frameworks
* Vulnerability management
* Checklists

Verification is an activity central to the secure software development lifecycle.
Refer to the [Security Culture][culturetest] project section for the various types of security testing.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0800] or [edit on GitHub][edit0800].

[culturetest]: https://owasp.org/www-project-security-culture/stable/7-Security_Testing/
[edit0800]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/index.md
[issue0800]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/

--------------------------------------------------------------------------------
/docs/en/07-training-education/01-vulnerable-apps/04-security-shepherd.md:
--------------------------------------------------------------------------------

OWASP Security Shepherd is a web and [mobile application security][csmas] training platform
that helps to foster and improve security awareness for development teams.

The Security Shepherd [tool project][sec-shep] is an OWASP Flagship Project
and can be downloaded from the project's [github repository][sec-shep-repo].

#### What is Security Shepherd?

Security Shepherd is a teaching tool that provides lessons and an environment
to learn how to attack both web and mobile applications.
This enables users to learn or to improve upon their existing manual penetration testing skills.

Security Shepherd runs on a web server such as Apache Tomcat and this can be installed manually.
There is also a pre-built virtual machine available, or a Docker image can be composed to run as a container.

#### Why use it?

Security Shepherd can train inexperienced pen-testers to security expert level by sharpening their testing skill-set.
Pen-testing is often included as a required stage in an organization's secure software development lifecycle (SDLC).

#### How to use it

Security Shepherd can be run as a Docker container, as a Virtual Machine or manually on top of a web server.

The Security Shepherd wiki has step-by-step installation instructions:

* either [compose the Docker image][sec-shep-docker] and run the container
* or download the [virtual machine][sec-shep-vm] and run it on a hypervisor such as [VirtualBox][vbox]
* or [install on a Tomcat][sec-shep-tomcat] web server
* or [install on Windows][sec-shep-windows] using a Tomcat web server

Once installed and logged in, the lessons and vulnerable applications are available to use.
Security Shepherd has several modes so that it can be used for different training goals:

* CTF (Capture the Flag) Mode
* Open Floor Mode
* Tournament Mode

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue090104] or [edit on GitHub][edit090104].

[csmas]: https://cheatsheetseries.owasp.org/cheatsheets/Mobile_Application_Security_Cheat_Sheet
[edit090104]: https://github.com/OWASP/DevGuide/blob/main/docs/en/07-training-education/01-vulnerable-apps/04-security-shepherd.md
[issue090104]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2007-training-education/01-vulnerable-apps/04-security-shepherd
[sec-shep]: https://owasp.org/www-project-security-shepherd/
[sec-shep-docker]: https://github.com/OWASP/SecurityShepherd/wiki/Docker-Environment-Setup
[sec-shep-repo]: https://github.com/OWASP/SecurityShepherd
[sec-shep-tomcat]: https://github.com/OWASP/SecurityShepherd/wiki/Manual-Shepherd-Setup
[sec-shep-vm]: https://github.com/OWASP/SecurityShepherd/wiki/Using-the-Shepherd-VM
[sec-shep-windows]: https://github.com/OWASP/SecurityShepherd/wiki/Manual-Shepherd-Set-Up-(Windows)
[vbox]: https://www.virtualbox.org/wiki/Downloads

--------------------------------------------------------------------------------
/docs/en/07-training-education/01-vulnerable-apps/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

Vulnerable applications are useful for the Training and Education activities
described in the SAMM [Training and Awareness][sammgegta] section,
which in turn is part of the SAMM [Education & Guidance][sammgeg] security practice
within the [Governance][sammg] business function.

The intentionally-vulnerable applications provide a safe environment where various vulnerable targets can be attacked.
This provides practice in using various penetration tools available to a tester,
without the risk of attack traffic triggering intrusion detection systems.
The OWASP [Vulnerable Web Applications Directory Project][vwad] (VWAD) provides a comprehensive list of
available intentionally-vulnerable web applications:

* Vulnerable [mobile applications][vwad-mobile]
* [Offline][vwad-offline] vulnerable web applications
* [Containerized][vwad-containers] vulnerable web applications
* Vulnerable web applications [available online][vwad-online]

----

The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue0910].

[issue0910]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2007-training-education/01-vulnerable-apps/00-toc
[sammg]: https://owaspsamm.org/model/governance/
[sammgeg]: https://owaspsamm.org/model/governance/education-and-guidance/
[sammgegta]: https://owaspsamm.org/model/governance/education-and-guidance/stream-a/
[vwad]: https://owasp.org/www-project-vulnerable-web-applications-directory/
[vwad-containers]: https://owasp.org/www-project-vulnerable-web-applications-directory/#div-container
[vwad-mobile]: https://owasp.org/www-project-vulnerable-web-applications-directory/#div-mobile
[vwad-online]: https://owasp.org/www-project-vulnerable-web-applications-directory/#div-online
[vwad-offline]: https://owasp.org/www-project-vulnerable-web-applications-directory/#div-offline

--------------------------------------------------------------------------------
/docs/en/07-training-education/02-secure-coding-dojo.md:
--------------------------------------------------------------------------------

The OWASP [Secure Coding Dojo][codedojo-project] is a platform for delivering
secure coding training to software development teams.
Secure Coding Dojo is an OWASP Lab project and has been continuously supported and developed since 2017.

#### What is the Secure Coding Dojo?

The aim of Secure Coding Dojo is to teach developers how to recognize security flaws during code reviews.

The training platform has a set of training lessons and also blocks of code where the developer has to identify
which block of code is written in an insecure way.
A leaderboard is provided for the development teams to track their progress.

Each lesson is built as an attack/defense pair.
The developers can observe the software weaknesses by conducting the attack
and after solving the challenge they learn about the associated software defenses.
The predefined lessons are based on the MITRE most dangerous software errors (also known as SANS 25)
so the focus is on software errors rather than attack techniques.

The training platform can be customized to integrate with custom vulnerable websites and other CTF challenges.

#### Why use it?

Development teams are often required to have Secure Coding training, and this may be an annual compliance requirement.
The Secure Coding Dojo provides this compliant training in reviewing software
for security bugs in representative source code.

#### How to use it

The OWASP Spotlight series provides an overview of the developer training provided by the Secure Coding Dojo:
'Project 14 - [OWASP Secure Coding Dojo][spotlight14]'.

There is a [demonstration site][codedojo] for Secure Coding Dojo which provides access to the
training modules, code blocks and a public leaderboard.
Note that the demonstration site does not provide the deliberately insecure web sites, such as the 'Insecure.Inc' Java site,
because this would encourage attack traffic across a public network.

Ideally Secure Coding Dojo is deployed by the organization providing the training, rather than by using the demo site,
because development teams can then log in securely to the Dojo.
Deployment is [straightforward][codedojo-install],
consisting of cloning the repository and running `docker-compose` with environment variables.
This also allows deployment of the associated deliberately [insecure web site][codedojo-insecure]
to practice penetration testing.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0902] or [edit on GitHub][edit0902].

[codedojo]: https://securecodingdojo.owasp.org/
[codedojo-insecure]: https://github.com/OWASP/SecureCodingDojo/wiki/Running-Insecure.Inc
[codedojo-install]: https://github.com/OWASP/SecureCodingDojo/wiki/Deploying-with-Docker
[codedojo-project]: https://owasp.org/www-project-secure-coding-dojo/
[edit0902]: https://github.com/OWASP/DevGuide/blob/main/docs/en/07-training-education/02-secure-coding-dojo.md
[issue0902]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2007-training-education/02-secure-coding-dojo
[spotlight14]: https://youtu.be/7nVkDkL9cyE

--------------------------------------------------------------------------------
/docs/en/07-training-education/07-api-top-ten.md:
--------------------------------------------------------------------------------

![API Top10 logo](../../assets/images/logos/top10_api.png "API Top 10"){ align=right width=180 }

The OWASP [API Security Project][apisec] (API Top 10) explains strategies and solutions to help the understanding
and mitigation of the unique vulnerabilities and security risks of Application Programming Interfaces (APIs).

The [API Top 10][apisec-project] is an OWASP Laboratory Project
which is accessed as a [web-based document][apisec-doc].

#### What is the API Top 10?

The use of Application Programming Interfaces (APIs) comes with security risks.
Given that APIs are widely used in various types of applications,
the OWASP API Security Project created and maintains the Top 10 API Security Risks document
as well as a documentation portal for best practices when creating or assessing APIs.

* [API1:2023][api01] - Broken Object Level Authorization
* [API2:2023][api02] - Broken Authentication
* [API3:2023][api03] - Broken Object Property Level Authorization
* [API4:2023][api04] - Unrestricted Resource Consumption
* [API5:2023][api05] - Broken Function Level Authorization
* [API6:2023][api06] - Unrestricted Access to Sensitive Business Flows
* [API7:2023][api07] - Server Side Request Forgery
* [API8:2023][api08] - Security Misconfiguration
* [API9:2023][api09] - Improper Inventory Management
* [API10:2023][api10] - Unsafe Consumption of APIs

#### Why use it?

Most software projects use APIs in some form or another.
Developers and security engineers should be encouraged to refer to the [API Security Top 10][apisec]
to assist them when acting as security builders, breakers, and defenders for an organization.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0907] or [edit on GitHub][edit0907].

[api01]: https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/
[api02]: https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/
[api03]: https://owasp.org/API-Security/editions/2023/en/0xa3-broken-object-property-level-authorization/
[api04]: https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/
[api05]: https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/
[api06]: https://owasp.org/API-Security/editions/2023/en/0xa6-unrestricted-access-to-sensitive-business-flows/
[api07]: https://owasp.org/API-Security/editions/2023/en/0xa7-server-side-request-forgery/
[api08]: https://owasp.org/API-Security/editions/2023/en/0xa8-security-misconfiguration/
[api09]: https://owasp.org/API-Security/editions/2023/en/0xa9-improper-inventory-management/
[api10]: https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/
[apisec]: https://owasp.org/API-Security
[apisec-doc]: https://owasp.org/API-Security/editions/2023/en/0x00-header/
[apisec-project]: https://owasp.org/www-project-api-security/
[edit0907]: https://github.com/OWASP/DevGuide/blob/main/docs/en/07-training-education/07-api-top-ten.md
[issue0907]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2007-training-education/07-api-top-ten

--------------------------------------------------------------------------------
/docs/en/07-training-education/08-wrongsecrets.md:
--------------------------------------------------------------------------------

![WrongSecrets logo](../../assets/images/logos/wrongsecrets.png "OWASP WrongSecrets"){ align=right width=180 }

OWASP [WrongSecrets][wrongsecrets-project] is a production status project
and provides challenges focused on secrets management using an intentionally vulnerable application and
environment.
The project offers standalone and Capture-the-flag modes, with a demo on [Heroku][wsheroku].

#### What is WrongSecrets?

The goals of [WrongSecrets][wrongsecrets] are to:

* Educate on secret management and its pitfalls
* Help people reflect on their secrets management strategy
* Promote secrets management as an important facet of security

The project provides challenges around secrets management across several layers:

* A Spring Boot Java application
* Application configuration
* Docker
* Kubernetes
* Vault
* AWS, GCP, or Azure
* Binaries / Reverse engineering

Scenarios vary in difficulty, and you can solve some of them just by using the browser on your mobile phone.
For others, you would need knowledge of [cloud security][cscloud] or reverse engineering tools and cryptography.

#### Why use it?

If you, your team or your organization want to learn about secrets management and potential pitfalls,
you can do so with WrongSecrets' challenges.

Alternatively you can use WrongSecrets as a testbed/benchmark for testing secret detector tools;
the tool _should_ be able to detect the secrets wrongly managed in the WrongSecrets applications.

#### How to use it

The demo is available on [Heroku][wsheroku].

You can set WrongSecrets up in standalone or in capture the flag (CTF) mode on Docker, Kubernetes, AWS, GCP or Azure.
For setting up a CTF project, WrongSecrets provides the [set-up guides][ctf]
and an example [Helm chart][wrongsecrets-helm].
Set-up guides for the standalone version are available in the [project README][readme].

#### References

* OWASP [WrongSecrets][wrongsecrets-project]
* [Secure Cloud Architecture][cscloud] cheat sheet
* [WrongSecrets demo][wsheroku]

---

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0908] or [edit on GitHub][edit0908].

[cscloud]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet
[ctf]: https://github.com/OWASP/wrongsecrets/blob/master/ctf-instructions.md
[edit0908]: https://github.com/OWASP/DevGuide/blob/main/docs/en/07-training-education/08-wrongsecrets.md
[wsheroku]: https://wrongsecrets.herokuapp.com/
[issue0908]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2007-training-education/08-wrongsecrets
[readme]: https://github.com/OWASP/wrongsecrets/blob/master/README.md
[wrongsecrets]: https://github.com/OWASP/wrongsecrets
[wrongsecrets-helm]: https://owasp.org/wrongsecrets-ctf-party/
[wrongsecrets-project]: https://owasp.org/www-project-wrongsecrets/

--------------------------------------------------------------------------------
/docs/en/07-training-education/index.md:
--------------------------------------------------------------------------------

![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 }

Training and Education activities are described in the SAMM [Training and Awareness][sammgegta] section,
which in turn is part of the SAMM [Education & Guidance][sammgeg] security practice
within the [Governance][sammg] business function.

The goal of security training and education is to increase the awareness of application security threats and risks
along with security best practices and secure software design principles.
The security awareness training should be customized for all roles currently involved in the management,
development, testing, or auditing of the applications and systems.
In addition, a Learning Management System or equivalent should be in place to track
the employee training and certification processes.

It is important to provide activities for development teams;
we are all human and our security knowledge can become stale without a plan for refreshing it.
The [Security Culture][cultureacts] project describes various activities that can help developers
keep up to date and motivated.

OWASP provides various resources and environments that can help with this security training and education,
ranging from vulnerable applications and training platforms to gamification.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue0900].

[cultureacts]: https://owasp.org/www-project-security-culture/stable/5-Activities/
[issue0900]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2007-training-education/00-toc
[sammg]: https://owaspsamm.org/model/governance/
[sammgeg]: https://owaspsamm.org/model/governance/education-and-guidance/
[sammgegta]: https://owaspsamm.org/model/governance/education-and-guidance/stream-a/

--------------------------------------------------------------------------------
/docs/en/08-culture-process/02-security-champions/03-security-champions-playbook.md:
--------------------------------------------------------------------------------

The [Security Champions Playbook][sec-champs] is a project that describes the process of establishing
a Security Champions program within an organization.

#### What are Security Champions?
5 | 6 | Security Champions are active members of a team that act as a core element of the security assurance process 7 | within a product or service. 8 | They are often the initial point of contact within the team when it comes to security concerns and incidents. 9 | 10 | Some advantages of encouraging Security Champions within a team are: 11 | 12 | * Scaling security through multiple teams 13 | * Engaging non-security engineers in security 14 | * Establishing the security culture throughout an organization 15 | 16 | The Security Champion should be given extra training to carry out this role, 17 | which is often in addition to their existing responsibilities. 18 | 19 | #### How to use the playbook 20 | 21 | The Security Champions Playbook lists six steps, each with general recommendations: 22 | 23 | 1. [Identify teams](https://github.com/c0rdis/security-champions-playbook/blob/master/Security%20Playbook/1.%20Identify%20teams.md) 24 | 2. [Define the role](https://github.com/c0rdis/security-champions-playbook/blob/master/Security%20Playbook/2.%20Define%20the%20role.md) 25 | 3. [Nominate Champions](https://github.com/c0rdis/security-champions-playbook/blob/master/Security%20Playbook/3.%20Nominate%20Champions.md) 26 | 4. [Set up communication channels](https://github.com/c0rdis/security-champions-playbook/blob/master/Security%20Playbook/4.%20Set%20up%20communication%20channels.md) 27 | 5. [Build solid knowledge base](https://github.com/c0rdis/security-champions-playbook/blob/master/Security%20Playbook/5.%20Build%20solid%20knowledge%20base.md) 28 | 6. [Maintain interest](https://github.com/c0rdis/security-champions-playbook/blob/master/Security%20Playbook/6.%20Maintain%20interest.md) 29 | 30 | Use these recommendations to build up a Security Champions program that is tailored to the needs of the organization.
31 | 32 | ---- 33 | 34 | The OWASP Developer Guide is a community effort; if there is something that needs changing 35 | then [submit an issue][issue1023] or [edit on GitHub][edit1023]. 36 | 37 | [issue1023]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2008-culture-process/02-security-champions/03-security-champions-playbook 38 | [edit1023]: https://github.com/OWASP/DevGuide/blob/main/docs/en/08-culture-process/02-security-champions/03-security-champions-playbook.md 39 | [sec-champs]: https://github.com/c0rdis/security-champions-playbook 40 | -------------------------------------------------------------------------------- /docs/en/08-culture-process/02-security-champions/index.md: -------------------------------------------------------------------------------- 1 | ![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 } 2 | 3 | A 'Security Champion' is a member of a software development team who is 4 | the liaison between Information Security and developers. 5 | This helps to embed security into the development organization. 6 | 7 | Security Champions and the necessary supporting program are described in 8 | the SAMM [Organization and Culture][sammgegtb] section, 9 | which in turn is part of the SAMM [Education & Guidance][sammgeg] security practice 10 | within the [Governance][sammg] business function. 11 | 12 | Depending on the development team the Security Champion may be a software developer, tester, product manager 13 | or any role within the team; what matters most is an enthusiasm for software security and a willingness to learn. 14 | Security Champions can assist with researching, verifying, 15 | and prioritizing security and compliance related software defects within the application/product. 
16 | 17 | Security Champions will usually be involved in risk/threat assessments and architectural reviews 18 | and can often help identify opportunities to remediate security defects, 19 | making the architecture of the application more resilient and reducing its attack surface. 20 | Security Champions also participate in periodic briefings to increase awareness 21 | and expertise in different security disciplines. 22 | 23 | The two goals of the Security Champion program are to increase the effectiveness of application security and compliance 24 | and to strengthen the relationship between development teams and Information Security teams. 25 | The program should supply Security Champions with additional training 26 | to help develop their role as a software security subject matter expert. 27 | If possible the Security Champion should be provided with time for Information Security related activities, 28 | and this may well have to be negotiated with the development management hierarchy. 29 | 30 | Importantly, it should be recognized that Security Champions are often taking on an extra role 31 | in addition to their existing one, and it is important that support is provided by the program for their well-being. 32 | 33 | ---- 34 | 35 | The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue1020].
36 | 37 | [issue1020]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2008-culture-process/02-security-champions/00-toc 38 | [sammg]: https://owaspsamm.org/model/governance/ 39 | [sammgeg]: https://owaspsamm.org/model/governance/education-and-guidance/ 40 | [sammgegtb]: https://owaspsamm.org/model/governance/education-and-guidance/stream-b/ 41 | -------------------------------------------------------------------------------- /docs/en/08-culture-process/05-mas.md: -------------------------------------------------------------------------------- 1 | ![MAS logo](../../assets/images/logos/mas.png "OWASP MAS"){ align=right width=180 } 2 | 3 | The [MAS Verification Standard][masvs] (MASVS) defines the security requirements that a mobile application should meet, 4 | and the [MAS Testing Guide][mastg] (MASTG) explains the processes, techniques and tools used to verify those requirements by security testing a mobile application. 5 | 6 | The OWASP [MAS Crackmes][mascrack], also known as UnCrackable Apps, 7 | is a collection of reverse engineering challenges from the OWASP [Mobile Application Security][masproject] (MAS) project. 8 | 9 | #### What is MAS Crackmes? 10 | 11 | OWASP [MAS Crackmes][mascrack] is a set of reverse engineering challenges for mobile applications. 12 | These challenges are used as examples throughout the OWASP [Mobile Application Security Testing Guide][mastg] (MASTG) 13 | and, of course, you can also solve them for fun. 14 | 15 | There are challenges for [Android][masandroid] and also a couple for [Apple iOS][masios]. 16 | 17 | #### Why use MAS Crackmes? 18 | 19 | Working through the challenges will improve understanding of [mobile application security][csmas] 20 | and will also give an insight into the examples provided in the MASTG. 21 | 22 | #### How to try the challenges 23 | 24 | 1. Select and download a challenge into your mobile application environment 25 | 2. Satisfy the individual challenge exercise 26 | 3. Have fun 27 | 28 | Each challenge has various solutions provided by the community; these can be used to compare with your solution.
29 | 30 | #### References 31 | 32 | * OWASP [Mobile Application Security][mas] (MAS) 33 | * MAS [project][masproject] 34 | * MAS [Crackmes][mascrack] UnCrackable Apps 35 | * MAS [Testing Guide][mastg] (MASTG) 36 | * MAS [Verification Standard][masvs] (MASVS) 37 | * OWASP [Mobile Application Security][csmas] cheat sheet 38 | 39 | ---- 40 | 41 | The OWASP Developer Guide is a community effort; if there is something that needs changing 42 | then [submit an issue][issue1005] or [edit on GitHub][edit1005]. 43 | 44 | [csmas]: https://cheatsheetseries.owasp.org/cheatsheets/Mobile_Application_Security_Cheat_Sheet 45 | [edit1005]: https://github.com/OWASP/DevGuide/blob/main/docs/en/08-culture-process/05-mas.md 46 | [issue1005]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2008-culture-process/05-mas 47 | [mas]: https://mas.owasp.org/ 48 | [masproject]: https://owasp.org/www-project-mobile-app-security/ 49 | [masandroid]: https://mas.owasp.org/crackmes/Android/ 50 | [mascrack]: https://mas.owasp.org/crackmes/ 51 | [masios]: https://mas.owasp.org/crackmes/iOS/ 52 | [mastg]: https://mas.owasp.org/MASTG/ 53 | [masvs]: https://mas.owasp.org/MASVS/ 54 | -------------------------------------------------------------------------------- /docs/en/08-culture-process/index.md: -------------------------------------------------------------------------------- 1 | ![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 } 2 | 3 | Culture building and process maturing are described in the SAMM [Organization and Culture][sammgegoc] stream, 4 | which in turn is part of the SAMM [Education & Guidance][sammgeg] security practice 5 | within the [Governance][sammg] business function.
6 | 7 | The maturity of security processes and culture is wide ranging, with indicators of a mature process and culture including: 8 | 9 | * Security champions have been identified for each development team 10 | * A program is in place to support the security champions 11 | * Secure coding practices are in place to define standards and improve software development 12 | * Developers and application security professionals across the organization are able to communicate and share best practice 13 | 14 | ---- 15 | 16 | The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue1000]. 17 | 18 | [issue1000]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2008-culture-process/00-toc 19 | [sammg]: https://owaspsamm.org/model/governance/ 20 | [sammgeg]: https://owaspsamm.org/model/governance/education-and-guidance/ 21 | [sammgegoc]: https://owaspsamm.org/model/governance/education-and-guidance/stream-b/ 22 | -------------------------------------------------------------------------------- /docs/en/09-operations/02-coraza.md: -------------------------------------------------------------------------------- 1 | ![Coraza logo](../../assets/images/logos/coraza.png "OWASP Coraza"){ align=right width=300 } 2 | 3 | The [OWASP Coraza][coraza-project] project provides an enterprise-grade Web Application Firewall (WAF) framework written in Go 4 | that supports the [ModSecurity][modsec] seclang rule language and is fully compatible with the OWASP [CRS][crs]. 5 | Coraza is in active development as an OWASP Production code project, 6 | with the first stable version released in September 2021 and several releases since then. 7 | 8 | #### What is Coraza? 9 | 10 | The [Coraza][coraza] Web Application Firewall framework is used to enforce policies, 11 | providing a first line of defense to stop attacks on web applications and servers.
12 | Coraza can be configured with the OWASP [CRS][crs], and custom policies can also be created. 13 | 14 | Coraza can be deployed: 15 | 16 | * as a library in an existing web server 17 | * within an application server acting as a WAF 18 | * as a reverse proxy 19 | * using a docker container 20 | 21 | #### Why use Coraza? 22 | 23 | Web Application Firewalls are usually the first line of defense against HTTP attacks on web applications and servers. 24 | The Coraza WAF is widely used for providing this security, especially for [cloud applications][cscloud], 25 | along with the original OWASP [ModSecurity][modsec] WAF. 26 | 27 | #### How to use Coraza 28 | 29 | The best way to start is to create a Coraza WAF instance and then add rules to this WAF, 30 | following the Coraza [Quick Start tutorial][coraza-tutorial]. 31 | 32 | There are multiple ways of running Coraza, and the one chosen will depend on an individual organization's deployment: 33 | 34 | * Coraza [SPOA connector][coraza-spoa] runs the Coraza WAF as a backing service for HAProxy 35 | * Coraza [Caddy Module][coraza-caddy] provides Web Application Firewall capabilities for Caddy 36 | * the Coraza [Proxy WASM][coraza-wasm] filter can be loaded directly from Envoy or used as an Istio plugin 37 | * Coraza as a [C library][coraza-lib], used for applications written in C rather than Go 38 | 39 | #### References 40 | 41 | * OWASP [Coraza][coraza] 42 | * OWASP [CRS][crs] 43 | * OWASP [ModSecurity][modsec] 44 | * [Secure Cloud Architecture][cscloud] cheat sheet 45 | 46 | ---- 47 | 48 | The OWASP Developer Guide is a community effort; if there is something that needs changing 49 | then [submit an issue][issue1102] or [edit on GitHub][edit1102].
50 | 51 | [coraza]: https://coraza.io/ 52 | [coraza-caddy]: https://github.com/corazawaf/coraza-caddy 53 | [coraza-lib]: https://github.com/corazawaf/libcoraza 54 | [coraza-project]: https://owasp.org/www-project-coraza-web-application-firewall/ 55 | [coraza-spoa]: https://coraza.io/connectors/coraza-spoa/ 56 | [coraza-tutorial]: https://coraza.io/docs/tutorials/quick-start/ 57 | [coraza-wasm]: https://github.com/corazawaf/coraza-proxy-wasm 58 | [cscloud]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet 59 | [edit1102]: https://github.com/OWASP/DevGuide/blob/main/docs/en/09-operations/02-coraza.md 60 | [issue1102]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2009-operations/02-coraza 61 | [crs]: https://coreruleset.org/ 62 | [modsec]: https://owasp.org/www-project-modsecurity/ 63 | -------------------------------------------------------------------------------- /docs/en/09-operations/03-modsecurity.md: -------------------------------------------------------------------------------- 1 | [ModSecurity][modsec] is an open source Web Application Firewall (WAF), widely deployed on web servers, 2 | that has been in continuous development and widespread use since 2002. 3 | 4 | In 2024 it became an OWASP Production project, supported by the existing leadership and contributors. 5 | 6 | #### What is ModSecurity? 7 | 8 | In January 2024 the [ModSecurity][modsec] Web Application Firewall project was [adopted by OWASP][modsec-press]; 9 | previously [Trustwave][trustwave] had been the custodian of this project. 10 | ModSecurity itself has a long history as an open source project (the first release was in November 2002) 11 | and is widely used as a web application firewall for [cloud applications][cscloud] and on-premises web servers. 12 | 13 | The ModSecurity WAF needs to be configured in operational deployments, 14 | and this can be done using the OWASP [CRS][crs].
15 | 16 | #### Why use ModSecurity? 17 | 18 | Web Application Firewalls are often the first line of defense against HTTP attacks on web applications and servers. 19 | The ModSecurity WAF is widely used for this purpose along with the [Coraza WAF][coraza], also provided by OWASP. 20 | 21 | #### How to use ModSecurity 22 | 23 | ModSecurity is a Web Application Firewall which inspects the HTTP traffic flowing to and from a web server. 24 | The ModSecurity WAF is deployed as a proxy server in front of a web application, 25 | or as a module within the web server itself, to provide protection against HTTP attacks. 26 | 27 | The rules applied to the HTTP traffic are provided as configuration to ModSecurity, 28 | and these rules can apply many different actions, such as blocking a request, redirecting it or simply logging it. 29 | See the documentation for [deploying and running][modsec-docs] ModSecurity, 30 | along with the documentation on configuring ModSecurity with the [CRS][crs]. 31 | 32 | ---- 33 | 34 | The OWASP Developer Guide is a community effort; if there is something that needs changing 35 | then [submit an issue][issue1103] or [edit on GitHub][edit1103].
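The custom rules referred to in the Coraza quick start and in the ModSecurity section above are written in the same seclang format, so one configuration serves both. What follows is an added example and not configuration shipped by Coraza, ModSecurity or the CRS: the CRS is loaded, then three local rules show the kinds of action mentioned on this page (deny, redirect and log-only). The `/etc/crs` install location, the rule ids, the `/admin` and `/maintenance` paths and the `10.0.0.0/8` trusted network are assumptions for illustration. With Coraza as a library the same text is supplied as the WAF's directives when the instance is created; with ModSecurity it goes into the server's ModSecurity configuration.

```apache
# Added example; not configuration from Coraza, ModSecurity or the CRS projects.
# Assumed: CRS installed under /etc/crs, an /admin area that only the 10.0.0.0/8
# office network should reach, and a /maintenance page to send everyone else to.

# Engine: use DetectionOnly while tuning (nothing is blocked, everything is logged).
SecRuleEngine On
# Needed so that rules, and the CRS, can inspect POST bodies.
SecRequestBodyAccess On
# Write an audit record only for transactions that triggered a rule.
SecAuditEngine RelevantOnly
SecAuditLogParts ABIJDEFHZ

# CRS: its setup file first (paranoia level, anomaly thresholds), then the rules.
# Coraza and libmodsecurity understand Include; ModSecurity v2 on Apache uses
# Apache's own Include directive for the same purpose.
Include /etc/crs/crs-setup.conf
Include /etc/crs/rules/*.conf

# Local rules use ids 1-99999, the range the CRS leaves free for local use.

# 1. Block: deny any request whose arguments contain a UNION SELECT probe.
SecRule ARGS "@rx (?i)union\s+select" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQL injection probe in request arguments'"

# 2. Redirect: /admin reached from outside the office network goes to the maintenance page.
#    The two rules are chained; the disruptive action sits on the first rule of the chain.
SecRule REQUEST_URI "@beginsWith /admin" \
    "id:1002,phase:1,t:none,t:lowercase,redirect:/maintenance,status:302,log,msg:'admin path from untrusted network',chain"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8"

# 3. Log only: record scripted clients without interfering with them.
SecRule REQUEST_HEADERS:User-Agent "@rx ^(curl|python-requests)/" \
    "id:1003,phase:1,t:none,pass,log,msg:'scripted HTTP client'"
```

Local rule ids stay below 100000 so they cannot collide with CRS rule ids. Start with `SecRuleEngine DetectionOnly`, review the audit log for false positives from the CRS at its default paranoia level, and only then switch the engine to `On`.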
36 | 37 | [coraza]: https://coraza.io/ 38 | [crs]: https://coreruleset.org/ 39 | [cscloud]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet 40 | [edit1103]: https://github.com/OWASP/DevGuide/blob/main/docs/en/09-operations/03-modsecurity.md 41 | [issue1103]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2009-operations/03-modsecurity 42 | [modsec]: https://owasp.org/www-project-modsecurity/ 43 | [modsec-docs]: https://www.modsecurity.org/ 44 | [modsec-press]: https://owasp.org/blog/2024/01/09/ModSecurity.html 45 | [trustwave]: https://www.trustwave.com/ 46 | -------------------------------------------------------------------------------- /docs/en/09-operations/04-crs.md: -------------------------------------------------------------------------------- 1 | ![CRS logo](../../assets/images/logos/crs.png "OWASP CRS"){ align=right width=180 } 2 | 3 | The [OWASP CRS][crs-project] project, formerly known as the Core Rule Set, is a set of generic attack detection rules 4 | for use with [ModSecurity][modsec] compatible web application firewalls such as [OWASP Coraza][coraza]. 5 | CRS is an OWASP [Flagship tool project][crs-project] and can be [downloaded][crs-download] 6 | for use with ModSecurity on Apache, Nginx or IIS web servers. 7 | 8 | #### What is the CRS? 9 | 10 | The [CRS][crs] is a set of attack detection rules for use with [ModSecurity][modsec], 11 | [Coraza][coraza] and other ModSecurity compatible web application firewalls. 12 | The CRS aims to protect web applications from a wide range of attacks with a minimum of false alerts. 13 | The CRS provides protection against many common attack categories, including those in the OWASP Top Ten. 14 | 15 | #### Why use it? 16 | 17 | If an organization is using Coraza, ModSecurity or a compatible Web Application Firewall (WAF) 18 | then it is very likely that the [CRS][crs] is already in use by this WAF.
19 | The CRS provides the policy for the Coraza / ModSecurity engine so that traffic to a web application is inspected 20 | for various attacks and malicious traffic is blocked. 21 | 22 | #### How to use it 23 | 24 | The use of the CRS assumes that a ModSecurity, Coraza or compatible WAF has been installed. 25 | Refer to the [Coraza tutorial][coraza-tutorial] or the [ModSecurity documentation][modsec-docs] on how to do this. 26 | 27 | To get started with the CRS refer to the CRS [installation instructions][crs-download]. 28 | 29 | The OWASP Spotlight series provides an overview of how to use the CRS: 30 | 'Project 3 - [Core Rule Set (CRS) - 1st Line of Defense][spotlight03]'. 31 | 32 | #### References 33 | 34 | * OWASP [CRS][crs] 35 | * OWASP [ModSecurity][modsec] 36 | * OWASP [Coraza][coraza] 37 | 38 | ---- 39 | 40 | The OWASP Developer Guide is a community effort; if there is something that needs changing 41 | then [submit an issue][issue1104] or [edit on GitHub][edit1104]. 42 | 43 | [coraza]: https://coraza.io/ 44 | [coraza-tutorial]: https://coraza.io/docs/tutorials/quick-start/ 45 | [edit1104]: https://github.com/OWASP/DevGuide/blob/main/docs/en/09-operations/04-crs.md 46 | [issue1104]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2009-operations/04-crs 47 | [crs]: https://coreruleset.org/ 48 | [crs-download]: https://coreruleset.org/docs/deployment/install/ 49 | [crs-project]: https://owasp.org/www-project-modsecurity-core-rule-set/ 50 | [modsec]: https://owasp.org/www-project-modsecurity/ 51 | [modsec-docs]: https://www.modsecurity.org/ 52 | [spotlight03]: https://youtu.be/88ZMKpiZbRI 53 | -------------------------------------------------------------------------------- /docs/en/09-operations/index.md: -------------------------------------------------------------------------------- 1 | ![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 } 2 | 3 | Operations are those
activities necessary to ensure that confidentiality, integrity, and availability 4 | are maintained throughout the operational lifetime of an application and its associated data. 5 | The aim of Operations is to provide greater assurance that the organization is resilient 6 | in the face of operational disruptions, and responsive to changes in the operational landscape. 7 | This is described by the [Operations][sammo] business function in the OWASP [SAMM model][samm]. 8 | 9 | Operations generally cover the security practices: 10 | 11 | * [Incident Management][sammoim] of security breaches and incidents 12 | * [Environment Management][sammoem] such as configuration hardening, patching and updating 13 | * [Operational Management][sammoom] which includes data protection and system / legacy management 14 | 15 | OWASP projects provide the CRS that is used by both the Coraza and ModSecurity web application firewalls, 16 | which are widely deployed as part of environment and operational management to protect applications and their data in production. 17 | 18 | ---- 19 | 20 | The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue1100].
21 | 22 | [issue1100]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2009-operations/00-toc 23 | [samm]: https://owaspsamm.org/about/ 24 | [sammo]: https://owaspsamm.org/model/operations/ 25 | [sammoem]: https://owaspsamm.org/model/operations/environment-management/ 26 | [sammoim]: https://owaspsamm.org/model/operations/incident-management 27 | [sammoom]: https://owaspsamm.org/model/operations/operational-management/ 28 | -------------------------------------------------------------------------------- /docs/en/10-metrics/index.md: -------------------------------------------------------------------------------- 1 | Metrics are important in an organization for various reasons, and in software security they can be used to: 2 | 3 | * measure the effectiveness of security controls 4 | * determine security posture 5 | * provide justification for security programs 6 | * and others 7 | 8 | At present the OWASP [Integration Standards project's Application Wayfinder][intstand] 9 | does not identify any OWASP projects that gather or process metrics; this may change in the future. 10 | 11 | ### Strategy and Metrics 12 | 13 | The software security program is foundational to the strategic planning of an organization's security posture. 14 | Metrics keep track of the security activities within the plan and provide the information for gap analysis. 15 | 16 | The [Software Assurance Maturity Model][samm] (SAMM) provides descriptions and definitions 17 | for the [Strategy and Metrics][sammgsm] business practices within the [Governance][sammg] business function.
18 | It provides two streams for achieving organizational maturity: 19 | 20 | * [Create and Promote][sammgsma] 21 | which concerns the risks identified within the organization and what level of risk is acceptable 22 | * [Measure and Improve][sammgsmb] which describes monitoring the security strategy through metrics 23 | 24 | The categories of metrics suggested by SAMM are: 25 | 26 | * Effort metrics: the effort spent on security 27 | * Result metrics: the results of security efforts 28 | * Environment metrics: the environment where security efforts take place 29 | 30 | There are other metrics, perhaps specific to an individual organization, that can also be collected and acted on. 31 | The [Security Culture][culturemetrics] project provides various examples of metrics that can be considered. 32 | 33 | ---- 34 | 35 | The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue1200]. 36 | 37 | [culturemetrics]: https://owasp.org/www-project-security-culture/stable/8-Metrics/ 38 | [issue1200]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2010-metrics/00-toc 39 | [samm]: https://owaspsamm.org/about/ 40 | [sammg]: https://owaspsamm.org/model/governance/ 41 | [sammgsm]: https://owaspsamm.org/model/governance/strategy-and-metrics/ 42 | [sammgsma]: https://owaspsamm.org/model/governance/strategy-and-metrics/stream-a/ 43 | [sammgsmb]: https://owaspsamm.org/model/governance/strategy-and-metrics/stream-b/ 44 | [intstand]: https://owasp.org/www-project-integration-standards/ 45 | -------------------------------------------------------------------------------- /docs/en/11-security-gap-analysis/01-guides/index.md: -------------------------------------------------------------------------------- 1 | ![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 } 2 | 3 | Security gap analysis and security gap evaluation are
central to Governance, Risk & Compliance activities 4 | and are used to gain and maintain certification to a management system standard 5 | such as [ISO 27001][iso27001] 'Information security, cybersecurity and privacy protection'. 6 | 7 | Guidance is important for these analysis and evaluation activities, with the OWASP projects [SAMM][samm], 8 | [MASVS][masvs] and [ASVS][asvs] providing this information and advice. 9 | 10 | ---- 11 | 12 | The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue1301]. 13 | 14 | [asvs]: https://owasp.org/www-project-application-security-verification-standard/ 15 | [iso27001]: https://www.iso.org/standard/82875.html 16 | [issue1301]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2011-security-gap-analysis/01-guides/00-toc 17 | [masvs]: https://mas.owasp.org/MASVS/ 18 | [samm]: https://owaspsamm.org/about/ 19 | -------------------------------------------------------------------------------- /docs/en/11-security-gap-analysis/02-blt.md: -------------------------------------------------------------------------------- 1 | ![BLT logo](../../assets/images/logos/blt.png "OWASP BLT"){ align=right width=180 } 2 | 3 | The OWASP [Bug Logging Tool][blt] (BLT) is a community database of bugs found in an organization's web site or application. 4 | BLT is an OWASP Production tool project and has its own [bug recording site][bltsite]. 5 | 6 | #### What is BLT? 7 | 8 | BLT is a bug recording and bounty tool that allows external users to register and report 9 | bugs in an organization's web site or application. 10 | It allows an organization to run a bug bounty program without having to go through a commercial provider. 11 | 12 | The [BLT core project][bltcore] provides a development server docker image that can be used for the 13 | bug bounty program.
14 | The [BLT-Flutter application][bltapp] provides an integrated method for reporters/users to report bugs. 15 | The [BLT Extension][bltchrome] is a Chrome extension that helps BLT reporters/users 16 | to take screenshots and add them to a BLT website. 17 | 18 | #### Why use it? 19 | 20 | Bug bounty programs are an important path for reporting security bugs to an organization. 21 | These programs can be paid-for services provided by commercial companies, or they can be provided by 22 | the company / organization itself, and this is where BLT can help. 23 | 24 | External reporters of bugs in web sites and applications are a valuable way of identifying security 25 | related bugs and issues, as they provide a diverse range of individuals to hunt for bugs. 26 | BLT can provide the route for these security bugs to be responsibly disclosed to the organization. 27 | 28 | #### How to use it 29 | 30 | BLT has its own [bug recording site][bltsite] which can be used to disclose any type of bug in any web site. 31 | Ideally this public site is not used for security related bugs, because these need [responsible disclosure][csdisclose] to the affected organization. 32 | The organization should run its own [BLT core site][bltcore] to accept submission of security related bugs, 33 | and encourage users/reporters to use the [BLT app][bltapp] and Chrome [extension][bltchrome]. 34 | 35 | ---- 36 | 37 | The OWASP Developer Guide is a community effort; if there is something that needs changing 38 | then [submit an issue][issue1302] or [edit on GitHub][edit1302].
39 | 40 | [blt]: https://owasp.org/www-project-bug-logging-tool/ 41 | [bltchrome]: https://github.com/OWASP/BLT-Extension 42 | [bltcore]: https://github.com/OWASP/BLT 43 | [bltapp]: https://github.com/OWASP/BLT-Flutter 44 | [bltsite]: https://owaspblt.org/ 45 | [csdisclose]: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet 46 | [edit1302]: https://github.com/OWASP/DevGuide/blob/main/docs/en/11-security-gap-analysis/02-blt.md 47 | [issue1302]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2011-security-gap-analysis/02-blt 48 | -------------------------------------------------------------------------------- /docs/en/11-security-gap-analysis/index.md: -------------------------------------------------------------------------------- 1 | ![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 } 2 | 3 | A security gap analysis is an activity where the information security posture of an organization is assessed 4 | and any shortfalls or operational gaps are identified. 5 | This activity can also be combined with a security gap evaluation where the existing controls and processes 6 | are assessed for effectiveness and relevance. 7 | Security gap analysis is required to gain or maintain certification to a management system standard 8 | such as [ISO 27001][iso27001] 'Information security, cybersecurity and privacy protection'. 9 | 10 | The security gap analysis is often associated with Governance, Risk & Compliance activities, 11 | where the compliance with a management system standard is periodically reviewed and updated. 12 | Guides and tools are useful for these compliance activities and the OWASP projects [SAMM][samm], 13 | [MASVS][masvs] and [ASVS][asvs] provide information and advice in meeting management system standards.
14 | 15 | ---- 16 | 17 | The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue1300]. 18 | 19 | [asvs]: https://owasp.org/www-project-application-security-verification-standard/ 20 | [iso27001]: https://www.iso.org/standard/82875.html 21 | [issue1300]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2011-security-gap-analysis/00-toc 22 | [masvs]: https://mas.owasp.org/MASVS/ 23 | [samm]: https://owaspsamm.org/about/ 24 | -------------------------------------------------------------------------------- /docs/en/12-appendices/01-implementation-dos-donts/04-application-spoofing.md: -------------------------------------------------------------------------------- 1 | Here is a collection of Do's and Don'ts when it comes to application spoofing, gathered from practical experience. 2 | Some of these are language specific and others have more general applicability. 3 | 4 | What is application spoofing: 5 | 6 | * A threat actor including an application in a malicious iFrame (clickjacking) 7 | * A threat actor creating dependencies with similar names as legitimate ones (typosquatting) 8 | 9 | How can it be addressed: 10 | 11 | #### Application spoofing / clickjacking 12 | 13 | Set the `X-Frame-Options` header to `SAMEORIGIN` or `DENY`, depending on what the business requirement is 14 | for rendering the web page. 15 | This will help prevent a malicious actor including your application in an iFrame to capture credentials or exfiltrate data. 16 | As a caveat, `X-Frame-Options` must be sent as an HTTP response header; browsers ignore it when it is set in an HTML meta tag. 17 | 18 | Use a Content Security Policy with the `frame-ancestors` directive, which takes precedence over `X-Frame-Options` in browsers that support it; send both so that older browsers are still covered. 19 | 20 | Common uses of CSP frame-ancestors: 21 | 22 | `Content-Security-Policy: frame-ancestors 'none';` 23 | 24 | This prevents any domain from framing the content. This setting is recommended unless a specific need 25 | has been identified for framing.
26 | 27 | `Content-Security-Policy: frame-ancestors 'self';` 28 | 29 | This only allows the current site to frame the content. 30 | 31 | `Content-Security-Policy: frame-ancestors 'self' *.somesite.com https://myfriend.site.com;` 32 | 33 | This allows the current site, as well as any sub-domain of `somesite.com` (using the same scheme as the page, or HTTPS when the page itself is served over HTTP), 34 | and only the host `myfriend.site.com`, using HTTPS only on the default port (443). 35 | 36 | Use `SameSite` cookies (`Lax` or `Strict`) so that the session cookie is not sent with requests made from a framing site 37 | 38 | Use `HttpOnly` cookies so that script running in the page cannot read the session cookie 39 | 40 | #### Domain squatting / typo squatting 41 | 42 | What is domain squatting (also known as cybersquatting): 43 | 44 | * A threat actor creating a malicious domain with the same spelling as a legitimate domain 45 | but using different Unicode characters that look alike (a homoglyph attack) 46 | * A threat actor registering, trafficking in, or using an Internet domain name, 47 | with an intent to profit from the goodwill of a trademark belonging to someone else 48 | * Though domain squatting impacts brand value directly, it also has an impact from a security perspective. 49 | For example, a domain in which an ASCII `i` has been replaced by U+00ED (`í`) 50 | may serve a malicious application trying to harvest credentials 51 | * Typosquatting of package names is a supply chain attack: a malicious dependency is published under a name 52 | that differs from a legitimate package by a single character or a transposition 53 | 54 | How can it be addressed: 55 | 56 | * Use threat intelligence to monitor lookalikes for your domain 57 | * In the event a dispute needs to be raised, it can be done under the [UDRP][urdp] 58 | * Verify packages in registries before using them 59 | 60 | ---- 61 | 62 | The OWASP Developer Guide is a community effort; if there is something that needs changing 63 | then [submit an issue][issue140104] or [edit on GitHub][edit140104].
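Two of the checks described above, as an added example that is not code from the Developer Guide or any OWASP project: a simplified evaluator for the `frame-ancestors` directive (following the CSP3 host-source matching rules for an explicit scheme, a scheme-less host, the `*.` wildcard and the default port when no port is given), and a look-alike domain check that folds accented letters such as U+00ED back to their base letter so that a newly registered domain can be compared with your own. The policy strings and domain names in the sample calls are constructed for illustration.

```python
"""Added example, not code from the OWASP Developer Guide or any OWASP project.

frame_ancestor_allowed(): may a document at `ancestor_origin` frame the page that
sends `policy`?  Simplified CSP3 matching: 'none', 'self', host sources with an
optional scheme, a '*.' host wildcard and an optional port.  Paths are not handled.

lookalike_of(): does `candidate` imitate one of our own domains by swapping ASCII
letters for accented look-alikes (e.g. U+00ED for 'i')?
"""
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit
import unicodedata

DEFAULT_PORTS = {"http": 80, "https": 443}
Origin = Tuple[str, str, Optional[int]]


def _origin_parts(origin: str) -> Origin:
    """(scheme, host, port) for 'https://app.example:8443'; the default port is filled in."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _host_source_matches(source: str, ancestor: Origin, page_scheme: str) -> bool:
    """One CSP host-source (e.g. '*.somesite.com' or 'https://a.b:8443') against the ancestor."""
    a_scheme, a_host, a_port = ancestor
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host, _, port = rest.partition(":")
    # scheme-part: an explicit scheme must match exactly; a scheme-less source inherits the
    # page's scheme, and a page served over http may additionally be framed over https.
    want_scheme = (scheme or page_scheme).lower()
    if a_scheme != want_scheme and not (want_scheme == "http" and a_scheme == "https"):
        return False
    # host-part: '*.example' matches any sub-domain of example but not example itself.
    host = host.lower()
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):
            return False
    elif a_host != host:
        return False
    # port-part: explicit port, '*' for any port, otherwise only the scheme's default port.
    if port == "*":
        return True
    want_port = int(port) if port else DEFAULT_PORTS.get(a_scheme)
    return a_port == want_port


def frame_ancestor_allowed(policy: str, ancestor_origin: str, page_origin: str) -> bool:
    """True if the page sending `policy` may be framed by a document at `ancestor_origin`."""
    sources = None
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]
            break
    if sources is None:
        return True                     # no frame-ancestors directive: CSP does not restrict framing
    if not sources or sources == ["'none'"]:
        return False
    ancestor, page = _origin_parts(ancestor_origin), _origin_parts(page_origin)
    for source in sources:
        if source.lower() == "'self'":
            if ancestor == page:        # same scheme, host and port as the page itself
                return True
        elif _host_source_matches(source, ancestor, page[0]):
            return True
    return False


def _skeleton(label: str) -> str:
    """Fold one domain label: NFKD-decompose, drop combining marks (accents), case-fold."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()


def lookalike_of(candidate: str, own_domains: Iterable[str]) -> Optional[str]:
    """Return the owned domain that `candidate` imitates with accented letters, else None."""
    own = [d.casefold() for d in own_domains]
    if candidate.casefold() in own:
        return None                     # it is ours, not a look-alike
    skeleton = ".".join(_skeleton(label) for label in candidate.split("."))
    return next((d for d in own if d == skeleton), None)


if __name__ == "__main__":
    # Constructed sample input: the third policy from the page and a U+00ED look-alike.
    policy = "frame-ancestors 'self' *.somesite.com https://myfriend.site.com;"
    for ancestor in ("https://portal.somesite.com", "http://portal.somesite.com",
                     "https://myfriend.site.com:8443", "https://evil.example"):
        print(ancestor, "->", frame_ancestor_allowed(policy, ancestor, "https://app.example"))
    print(lookalike_of("log\u00edn.myshop.example", ["login.myshop.example"]))
```

The skeleton check only catches accented Latin letters; a Cyrillic `і` (U+0456) standing in for a Latin `i` has no decomposition and needs the Unicode confusables table, which is what the threat-intelligence feeds mentioned above apply at scale.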

[edit140104]: https://github.com/OWASP/DevGuide/blob/main/docs/en/12-appendices/01-implementation-dos-donts/04-application-spoofing.md
[issue140104]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%20/12-appendices/01-implementation-dos-donts/04-application-spoofing
[urdp]: https://www.icann.org/resources/pages/help/dndr/udrp-en
--------------------------------------------------------------------------------
/docs/en/12-appendices/01-implementation-dos-donts/07-file-management.md:
--------------------------------------------------------------------------------
Here is a collection of Do's and Don'ts when it comes to file management, gathered from practical experiences.

* Validate all filenames and directories before use, ensuring that there are no special characters
  that might lead to accessing an unintended file
* Use safe directories for all file access except those initiated by the end user,
  e.g. document saving and restoring to a user-chosen location
* Use a sub-domain with one-way trust for downloaded files,
  so that any compromise of the sub-domain does not impact the main domain.
  Do not save files in the same web context as the application.
  Files should either go to the content server or into the database
* Have at least 64 bits of randomness in all temporary file names
* Where applicable, require authentication before allowing a file to be uploaded
* Limit the type of files that can be uploaded to only those types that are needed for business purposes
* Validate that uploaded files are the expected type by checking file headers
* Prevent or restrict the uploading of any file that may be interpreted by the web server
* Turn off execution privileges on file upload directories
* Implement safe uploading in UNIX by mounting the targeted file directory as a logical drive
  using the associated path or the chrooted environment
* When referencing existing files, use an allow list of allowed file names and types.
  Validate the value of the parameter being passed and if it does not match one of the expected values,
  either reject it or use a hard coded default file value for the content instead
* Do not pass user supplied data into a dynamic redirect.
  If this must be allowed, then the redirect should accept only validated, relative path URLs
* Do not pass directory or file paths; use index values mapped to a pre-defined list of paths
* Never send the absolute file path to the client
* Ensure application files and resources are read-only
* Scan user uploaded files for viruses and malware

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue140107] or [edit on GitHub][edit140107].
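The following is an added example, not Developer Guide code, that puts several of the rules above into one set of helpers: an allow-list filename check, a containment check for the safe directory, type detection by file header rather than extension, a 64-bit random storage name, index-mapped downloads instead of client-supplied paths, and a redirect that accepts only relative paths. The allowed types (PNG and PDF), the download list and the base directory `/srv/content` are assumptions for the demonstration.

```python
"""Added example (not Developer Guide code) of the file handling rules above.
The allowed types, download list and base directory are constructed."""
import re
import secrets
from pathlib import Path
from typing import Optional, Tuple

# One letter/digit first, then a short run of letters, digits, dot, dash, underscore:
# no path separators, no leading dot, nothing a shell or URL would interpret.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")

# Constructed allow list of upload types, recognised by file header (magic bytes),
# never by the client-supplied extension alone.
_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}

# Predefined files a client may request by index instead of by path (assumption).
_DOWNLOADS = ["terms.pdf", "privacy.pdf", "brochure.pdf"]


def is_safe_filename(name: str) -> bool:
    """Allow-list check for a single path component."""
    return _SAFE_NAME.fullmatch(name) is not None and ".." not in name


def resolve_inside(base_dir: str, name: str) -> Optional[str]:
    """Join name onto base_dir and confirm the result still lives in base_dir."""
    if not is_safe_filename(name):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()          # collapses symlinks and '..'
    return str(candidate) if candidate.parent == base else None


def detect_type(head: bytes) -> Optional[str]:
    """Return the allow-listed type whose header matches, else None."""
    for kind, signature in _SIGNATURES.items():
        if head.startswith(signature):
            return kind
    return None


def accept_upload(claimed_name: str, data: bytes) -> Tuple[bool, str]:
    """Validate an upload; on success return a server-generated storage name."""
    if not is_safe_filename(claimed_name):
        return False, "rejected: unsafe filename"
    kind = detect_type(data[:16])
    if kind is None:
        return False, "rejected: content is not an allowed type"
    ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    if ext != kind:
        return False, f"rejected: extension '.{ext}' does not match content ({kind})"
    # 8 random bytes = 64 bits of randomness; the user's own name is never reused.
    return True, f"{secrets.token_hex(8)}.{kind}"


def download_path(index_param: str, base_dir: str = "/srv/content") -> Optional[str]:
    """Map a client-supplied index onto the predefined list; anything else is None."""
    if not index_param.isdigit():
        return None
    index = int(index_param)
    if index >= len(_DOWNLOADS):
        return None
    return str(Path(base_dir) / _DOWNLOADS[index])


def safe_redirect_target(target: str) -> str:
    """Accept only a validated relative path; otherwise send the user to '/'."""
    ok = (target.startswith("/") and not target.startswith("//")
          and "\\" not in target and ".." not in target
          and target.isprintable())
    return target if ok else "/"
```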

[edit140107]: https://github.com/OWASP/DevGuide/blob/main/docs/en/12-appendices/01-implementation-dos-donts/07-file-management.md
[issue140107]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%20/12-appendices/01-implementation-dos-donts/07-file-management
--------------------------------------------------------------------------------
/docs/en/12-appendices/01-implementation-dos-donts/08-memory-management.md:
--------------------------------------------------------------------------------
Here is a collection of Do's and Don'ts when it comes to memory management, gathered from practical experiences.

* Check that the buffer is as large as specified
* When using functions that accept a number of bytes to copy, such as `strncpy()`,
  be aware that if the destination buffer size is equal to the source buffer size,
  it may not NULL-terminate the string
* Check buffer boundaries if calling the function in a loop and make sure there is no danger
  of writing past the allocated space
* Truncate all input strings to a reasonable length before passing them to the copy and concatenation functions
* Specifically close resources (for example connection objects, file handles, etc.); do not rely on garbage collection
* Properly free allocated memory upon the completion of functions and at all exit points

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue140108] or [edit on GitHub][edit140108].

[edit140108]: https://github.com/OWASP/DevGuide/blob/main/docs/en/12-appendices/01-implementation-dos-donts/08-memory-management.md
[issue140108]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2012-appendices/01-implementation-dos-donts/08-memory-management
--------------------------------------------------------------------------------
/docs/en/12-appendices/01-implementation-dos-donts/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

Implementation demands technical knowledge, skill and experience.
There is no substitute for experience, but learning from past mistakes and the experience of others can go a long way.
This section of the Developer Guide is a collection of Do's and Don'ts,
some of which may be directly relevant to any given project and some of which will be less so.
It is worth considering all of these Do's and Don'ts and picking out the ones that will be of most use.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue0740].

[issue0740]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2012-appendices/01-implementation-dos-donts/00-toc
--------------------------------------------------------------------------------
/docs/en/12-appendices/02-verification-dos-donts/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../../assets/images/dg_logo_bbd.png "OWASP Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by the [OWASP SAMM][samm].

Verification takes skill and knowledge, so it is important to build on the existing experience
contained in these Do's and Don'ts.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue1402].

[issue1402]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2012-appendices/02-verification-dos-donts/00-toc
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/
--------------------------------------------------------------------------------
/docs/es/02-foundations/index.md:
--------------------------------------------------------------------------------
![Developer Guide logo](../../assets/images/dg_logo.png "Developer Guide"){ align=right width=180 }

There are several fundamental concepts and terms that are commonly used in software security.

Although many of these concepts are complex to implement and are based on very strict theory,
the principles are usually quite simple and accessible to every software engineer.

A reasonable understanding of these fundamental concepts allows development teams to understand and implement
software security for the application or system under development.
This Developer Guide can only give a brief overview of these concepts;
for a deeper knowledge, refer to the many texts on security,
such as [The Cyber Security Body Of Knowledge][cbok].

----

Translation of the [English original][en0400].

The OWASP Developer Guide is a community effort;
if you see something that needs changing then [create an issue][issue0400] or [edit on GitHub][edit0400].

[cbok]: https://www.cybok.org/
[edit0400]: https://github.com/OWASP/DevGuide/blob/main/docs/es/02-foundations/index.md
[en0400]: https://devguide.owasp.org/en/02-foundations/
[issue0400]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2002-foundations/index
--------------------------------------------------------------------------------
/docs/es/03-requirements/index.md:
--------------------------------------------------------------------------------
![Developer Guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 }

Security requirements also provide a foundation of thoroughly verified security functionality
for an application.
Instead of creating a custom security approach for each application,
standard security requirements allow developers to reuse
the definition of security controls and best practices;
those same verified security requirements provide solutions for security problems
that have occurred in the past.

The importance of understanding the key security requirements is described in
the [Security Requirements][sammdsr] practice
that is part of the [Design][sammd] business function section within the OWASP [SAMM model][samm].
Ideally, structured software security requirements are available within
a security requirements framework,
and these are used by both the developer teams and the product teams.
In addition, the organization's suppliers must comply with the security requirements;
build security into supplier agreements to ensure compliance with
the organizational security requirements.

In summary, security requirements exist to prevent the repetition of past security failures.

----

Translation of the [English original][en0500].

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [create an issue][issue0500] or [edit on GitHub][edit0500].

[edit0500]: https://github.com/OWASP/DevGuide/blob/main/docs/es/03-requirements/index.md
[en0500]: https://devguide.owasp.org/en/03-requirements/
[issue0500]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2003-requirements/index
[samm]: https://owaspsamm.org/about/
[sammd]: https://owaspsamm.org/model/design/
[sammdsr]: https://owaspsamm.org/model/design/security-requirements/
--------------------------------------------------------------------------------
/docs/es/04-design/01-threat-modeling/04-cornucopia.md:
--------------------------------------------------------------------------------
![WIP logo](../../../assets/images/dg_wip.png "Work in progress"){ align=right width=180 }

There is no translation of this page; please refer to the [original English version][en060104].

----

[en060104]: https://devguide.owasp.org/en/04-design/01-threat-modeling/04-cornucopia/
--------------------------------------------------------------------------------
/docs/es/04-design/01-threat-modeling/05-linddun-go.md:
--------------------------------------------------------------------------------
![WIP logo](../../../assets/images/dg_wip.png "Work in progress"){ align=right width=180 }

There is no translation of this page; please refer to the [original English version][en060105].

----

[en060105]: https://devguide.owasp.org/en/04-design/01-threat-modeling/05-linddun-go/
--------------------------------------------------------------------------------
/docs/es/04-design/01-threat-modeling/06-toolkit.md:
--------------------------------------------------------------------------------
![WIP logo](../../../assets/images/dg_wip.png "Work in progress"){ align=right width=180 }

There is no translation of this page; please refer to the [original English version][release060106].

----

[release060106]: https://devguide.owasp.org/04-design/01-threat-modeling/06-toolkit/
--------------------------------------------------------------------------------
/docs/es/04-design/01-threat-modeling/index.md:
--------------------------------------------------------------------------------
![Developer Guide logo](../../../assets/images/dg_logo_bbd.png "Developer Guide"){ align=right width=180 }

According to the [Threat Modeling Cheat Sheet][cstm],
threat modeling is a structured approach to identifying and prioritizing potential threats to a system.
The threat modeling process includes determining the value that potential mitigations would have
in reducing or neutralizing these threats.

Assessing potential threats during the design phase of your project can save significant resources
if, during a later phase of the project, refactoring is required to include risk mitigations.
The results of threat modeling activities generally include:

* Documenting how data flows through a system to identify where it could be attacked
* Identifying as many potential threats to the system as possible
* Suggesting security controls that can be implemented to reduce the likelihood or impact of a potential threat

---

Translation of the [English original][en0601].

The OWASP Developer Guide is a community effort;
if you see something that needs changing then [create an issue][issue0601] or [edit on GitHub][edit0601].

[cstm]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet
[edit0601]: https://github.com/OWASP/DevGuide/blob/main/docs/es/04-design/01-threat-modeling/index.md
[en0601]: https://devguide.owasp.org/en/04-design/01-threat-modeling/
[issue0601]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/01-threat-modeling/index
--------------------------------------------------------------------------------
/docs/es/04-design/02-web-app-checklist/04-encode-escape-data.md:
--------------------------------------------------------------------------------
Encoding and escaping of output data are defensive techniques intended to stop injection attacks
on a target system or application that is receiving the output data.

The target system may be another software component or it may be reflected back into the initial system,
such as operating system commands,
so encoding and escaping output data helps to provide defense in depth for the system as a whole.

Refer to proactive control [C3: Validate all Input and Handle Exceptions][control3]
and its [cheat sheets][csproactive-c4]
for more context from the OWASP Top 10 Proactive Controls project,
and use the list below as suggestions for a checklist tailored to the individual project.

#### 1. Character encoding and canonicalization

1. Apply encoding to the output just before the content is passed to the target system
2. Perform all output encoding on a trusted system
3. Use a standard, tested routine for each type of output encoding
4. Specify character sets, such as UTF-8, for all outputs
5. Apply canonicalization to convert Unicode data into a standard form
6. Ensure that output encoding is safe for all target systems
7. In particular, sanitize all output used for operating system commands

#### 2. Contextual output encoding

Contextual output encoding of data is based on how it will be used by the target.
The specific methods vary depending on the way the output data is used,
such as HTML entity encoding.

1. Contextually encode all data returned to the client from untrusted sources
2. Contextually encode all output of untrusted data into queries for SQL, XML and LDAP

#### References

* OWASP [Cheat Sheet: Injection Prevention][ipcs]
* OWASP [Java Encoder Project][encoder]
* OWASP [Top 10 Proactive Controls][proactive10]

----

Translation of the [English original][en060204].
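The following is an added example, not Developer Guide or Java Encoder code, that shows one tested routine per output context from the checklist above: NFC canonicalization before encoding, HTML text and attribute encoding, XML text and attribute encoding, RFC 4515 escaping for LDAP filters, and a bound parameter for SQL (where the safe "encoding" is not to build query text at all). The `users` table and the inputs are constructed for the demonstration.

```python
"""Added example (not Developer Guide or Java Encoder code): one routine per
output context, applied at the point where data leaves for the target."""
import html
import sqlite3
import unicodedata
from typing import List, Tuple
from xml.sax.saxutils import escape as _xml_escape, quoteattr as _xml_quoteattr


def canonicalize(text: str) -> str:
    """Item 1.5: normalize Unicode to NFC so one string has one representation
    before any encoding or comparison is done."""
    return unicodedata.normalize("NFC", text)


def for_html_text(value: str) -> str:
    """HTML element content: < > & become entities."""
    return html.escape(canonicalize(value), quote=False)


def for_html_attr(value: str) -> str:
    """Double-quoted HTML attribute value: quotes are encoded as well."""
    return html.escape(canonicalize(value), quote=True)


def for_xml_text(value: str) -> str:
    """XML element content."""
    return _xml_escape(canonicalize(value))


def for_xml_attr(value: str) -> str:
    """XML attribute value, returned with surrounding quotes chosen to be safe."""
    return _xml_quoteattr(canonicalize(value))


_LDAP_FILTER = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def for_ldap_filter(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter such as
    (uid=<value>), so that metacharacters cannot change the filter's structure."""
    return "".join(_LDAP_FILTER.get(ch, ch) for ch in canonicalize(value))


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the SQL demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """SQL context: never escape into the query text; bind a parameter so the
    value is always data and never parsed as SQL."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?",
                       (canonicalize(username),))
    return cur.fetchall()
```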

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [create an issue][issue060204] or [edit on GitHub][edit060204].

[csproactive-c4]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c4-encode-and-escape-data
[control3]: https://top10proactive.owasp.org/the-top-10/c3-validate-input-and-handle-exceptions/
[edit060204]: https://github.com/OWASP/DevGuide/blob/main/docs/es/04-design/02-web-app-checklist/04-encode-escape-data.md
[encoder]: https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
[ipcs]: https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet
[en060204]: https://devguide.owasp.org/en/04-design/02-web-app-checklist/04-encode-escape-data/
[issue060204]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/04-encode-escape-data
[proactive10]: https://top10proactive.owasp.org/
--------------------------------------------------------------------------------
/docs/es/04-design/02-web-app-checklist/07-access-controls.md:
--------------------------------------------------------------------------------
Access Control or [Authorization][csauthz] is the process of granting or denying specific requests
from a user, program or process.

Refer to proactive control [C1: Implement Access Controls][control1] and its [cheat sheets][csproactive-c7]
for more context from the OWASP Top 10 Proactive Controls project,
and use the list below as suggestions for a checklist tailored to the individual project.

#### 1. Authorization

1. Design access control / authorization thoroughly from the start
2. Force all requests to go through access control checks unless they are public
3. Deny by default; if a request is not specifically allowed then it is denied
4. Apply least privilege, providing the least access that is necessary
5. Log all authorization events

#### 2. Access control

1. Enforce the use of authorization controls on every request
2. Use only trusted system objects to make access authorization decisions
3. Use a single site-wide component to check access authorization
4. Access controls should fail securely
5. Deny all access if the application cannot access its security configuration information
6. Segregate privileged logic from the rest of the application code
7. Limit the number of transactions that a single user or device can perform in a given period of time,
   low enough to deter automated attacks but above the actual business requirement
8. If long authenticated sessions are allowed, periodically revalidate a user's authorization
9. Implement account auditing and make the deactivation of unused accounts mandatory
10. The application must support the termination of sessions when authorization ceases

#### References

* OWASP [Cheat Sheet: Authorization][csauthz]
* OWASP [Top 10 Proactive Controls][proactive10]

----

Translation of the [English original][en060207].

The OWASP Developer Guide is a community effort; if there is something that needs changing,
[create an issue][issue060207] or [edit on GitHub][edit060207].
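The following is an added example, not Developer Guide code, of a single site-wide authorization component that implements several items from the checklist above: deny by default (an unknown role or an unlisted permission is refused), fail closed when the security configuration is unavailable, per-subject rate limiting over a time window, and a log entry for every decision. The policy, roles, subjects and clock are constructed for the demonstration.

```python
"""Added example (not Developer Guide code): one site-wide authorization
component that denies by default, fails closed, rate-limits a subject and
logs every decision. Policy, roles and subjects are constructed."""
import logging
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Iterable, Optional, Set, Tuple

log = logging.getLogger("authz")

Permission = Tuple[str, str]          # (resource, action)

# Constructed policy: anything not listed for a role is denied.
POLICY: Dict[str, Set[Permission]] = {
    "viewer": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
}
# Requests that need no authorization at all (checklist item 1.2).
PUBLIC: Set[Permission] = {("status", "read")}


class RateLimiter:
    """Allow at most `limit` decisions per subject within `window` seconds (item 2.7)."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, subject: str) -> bool:
        now = self.clock()
        hits = self._hits[subject]
        while hits and now - hits[0] >= self.window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class Authorizer:
    """The single place where access decisions are made (item 2.3)."""

    def __init__(self, policy: Optional[Dict[str, Set[Permission]]],
                 public: Set[Permission], limiter: RateLimiter) -> None:
        self.policy = policy          # None models unavailable security configuration
        self.public = public
        self.limiter = limiter

    def check(self, subject: str, roles: Iterable[str],
              resource: str, action: str) -> bool:
        """`roles` must come from the server-side session, never from the request (item 2.2)."""
        wanted: Permission = (resource, action)
        if wanted in self.public:
            return True
        if self.policy is None:                      # item 2.5: fail closed
            log.error("authz config unavailable; denying subject=%s wanted=%s", subject, wanted)
            return False
        if not self.limiter.allow(subject):
            log.warning("authz rate limit hit subject=%s", subject)
            return False
        # Item 1.3: allowed only if some role explicitly grants the permission.
        allowed = any(wanted in self.policy.get(role, set()) for role in roles)
        log.info("authz subject=%s resource=%s action=%s decision=%s",   # item 1.5
                 subject, resource, action, "allow" if allowed else "deny")
        return allowed
```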

[csproactive-c7]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c7-enforce-access-controls
[control1]: https://top10proactive.owasp.org/the-top-10/c1-accesscontrol/
[csauthz]: https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet
[edit060207]: https://github.com/OWASP/DevGuide/blob/main/docs/es/04-design/02-web-app-checklist/07-access-controls.md
[en060207]: https://devguide.owasp.org/en/04-design/02-web-app-checklist/07-access-controls/
[issue060207]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/07-access-controls
[proactive10]: https://top10proactive.owasp.org/
--------------------------------------------------------------------------------
/docs/es/04-design/02-web-app-checklist/10-handle-errors-exceptions.md:
--------------------------------------------------------------------------------
Handling [exceptions and errors][cserror] correctly is critical to making your code reliable and secure.
Error and exception handling occurs in all areas of an application, including critical business logic
as well as security features and framework code.

Refer to proactive control [C3: Validate all Input and Handle Exceptions][control3]
and its [cheat sheets][csproactive-c10] for more context from the OWASP Top 10 Proactive Controls project,
and use the list below as suggestions for a checklist tailored to the individual project.

#### 1. Errors and exceptions

1. Manage exceptions in a centralized manner to avoid duplicated try/catch blocks in the code
2. Ensure that all unexpected behavior is handled correctly within the application
3. Ensure that error messages displayed to users do not leak critical data,
   but are sufficiently detailed to allow the appropriate user response
4. Ensure that exception logs provide sufficient information for support,
   QA, forensics or incident response teams
5. Carefully test and verify error handling code
6. Do not disclose sensitive information in error responses, for example
   system details, session identifiers or account information
7. Use error handlers that do not display debugging or stack trace information
8. Implement generic error messages and use custom error pages
9. The application should handle application errors and not rely on the server configuration
10. Properly free allocated memory when error conditions occur
11. Error handling logic associated with security controls should deny access by default

#### References

* OWASP [Code Review Guide: Error Handling][review]
* OWASP [Improper Error Handling][handle]
* OWASP [Top 10 Proactive Controls][proactive10]

----

Translation of the [English original][en060210].

The OWASP Developer Guide is a community effort; if there is something that needs changing,
[create an issue][issue060210] or [edit on GitHub][edit060210].
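The following is an added example, not Developer Guide code, of a centralized error handler that follows the checklist above: every view runs through one handler, expected errors get a safe specific message, unexpected ones get a generic message plus a reference id while the full traceback goes to the log for support and forensics, and an access check that itself fails is treated as a denial. The in-memory log sink and the sample views are constructed for the demonstration.

```python
"""Added example (not Developer Guide code): a central error handler that
returns generic messages with a reference id, logs full detail for support and
forensics, and denies access when a security check itself fails."""
import logging
import uuid
from typing import Any, Callable, Dict, List, Tuple


class AuthorizationError(Exception):
    """Raised by security controls; always rendered as a generic denial."""


class NotFoundError(Exception):
    """Expected application error with a safe, specific message."""


class ListHandler(logging.Handler):
    """In-memory log sink standing in for the real log pipeline (constructed)."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


log_sink = ListHandler()
log_sink.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log = logging.getLogger("app.errors")
log.addHandler(log_sink)
log.setLevel(logging.INFO)
log.propagate = False

Response = Tuple[int, Dict[str, Any]]


def guarded(check: Callable[[], bool]) -> None:
    """Item 11: if the access check raises, treat it as a denial, never as a pass."""
    try:
        permitted = check()
    except Exception:
        log.exception("access check failed; denying by default")
        permitted = False
    if not permitted:
        raise AuthorizationError()


def handle(view: Callable[[], Dict[str, Any]]) -> Response:
    """Item 1: the one place that maps exceptions to responses."""
    try:
        return 200, view()
    except NotFoundError:
        return 404, {"error": "resource not found"}      # item 3: safe but useful
    except AuthorizationError:
        return 403, {"error": "access denied"}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Full traceback goes to the log (item 4); only a reference id goes out
        # to the client (items 6, 7 and 8).
        log.exception("unhandled error ref=%s", ref)
        return 500, {"error": "an internal error occurred", "ref": ref}


# Constructed sample views used to exercise the handler.
def view_ok() -> Dict[str, Any]:
    return {"ok": True}


def view_crash() -> Dict[str, Any]:
    return {"x": 1 / 0}                                   # unexpected failure


def view_missing() -> Dict[str, Any]:
    raise NotFoundError("row 42 of table secrets")       # detail must not leak


def _unreachable_policy() -> bool:
    raise RuntimeError("policy store unreachable")


def view_bad_check() -> Dict[str, Any]:
    guarded(_unreachable_policy)
    return {"secret": 1}
```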

[cserror]: https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet
[csproactive-c10]: https://cheatsheetseries.owasp.org/IndexProactiveControls.html#c10-handle-all-errors-and-exceptions
[control3]: https://top10proactive.owasp.org/the-top-10/c3-validate-input-and-handle-exceptions/
[edit060210]: https://github.com/OWASP/DevGuide/blob/main/docs/es/04-design/02-web-app-checklist/10-handle-errors-exceptions.md
[handle]: https://owasp.org/www-community/Improper_Error_Handling
[en060210]: https://devguide.owasp.org/en/04-design/02-web-app-checklist/10-handle-errors-exceptions/
[issue060210]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/02-web-app-checklist/10-handle-errors-exceptions
[proactive10]: https://top10proactive.owasp.org/
[review]: https://owasp.org/www-project-code-review-guide/
--------------------------------------------------------------------------------
/docs/es/04-design/02-web-app-checklist/index.md:
--------------------------------------------------------------------------------
![Developer Guide logo](../../../assets/images/dg_logo_bbd.png "Developer Guide"){ align=right width=180 }

### 4.2 Web application checklist

Checklists are a valuable resource for development teams.
They provide structure for establishing good practices and processes
and are also useful during code reviews and design activities.

The checklists that follow are general lists categorized to follow the controls listed in the
[OWASP Top 10 Proactive Controls][proactive10] project.
These checklists provide suggestions that definitely should be tailored to
a project's specific requirements and environment; they are not intended to be followed in their entirety.

Probably the best starting point for a checklist is the one provided
by the [Application Security Verification Standard (ASVS)][asvs].
The ASVS can be used to provide a framework for an initial checklist,
according to the security verification level, and this initial
ASVS checklist can be expanded using the following checklist sections.

----

Translation of the [English original][en0602].

The OWASP Developer Guide is a community effort;
if you see something that needs changing then [create an issue][issue0602] or [edit on GitHub][edit0602].

[asvs]: https://owasp.org/www-project-application-security-verification-standard/
[edit0602]: https://github.com/OWASP/DevGuide/blob/main/docs/es/04-design/02-web-app-checklist/index.md
[en0602]: https://devguide.owasp.org/en/04-design/02-web-app-checklist/
[issue0602]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/02-web-app-checklist/index
[proactive10]: https://owasp.org/www-project-proactive-controls/
--------------------------------------------------------------------------------
/docs/es/04-design/index.md:
--------------------------------------------------------------------------------
![Developer Guide logo](../../assets/images/dg_logo.png "Developer Guide"){ align=right width=180 }

Referring to the [Secure Product Design Cheat Sheet][spdcs],
the purpose of secure architecture and design is to ensure
that all products meet or exceed the security requirements set by the organization,
focusing on the security linked to the components and technologies used during the development of the application.

Secure Architecture Design looks at the selection and composition of components that form the foundation of the solution.
Technology Management looks at the security of the supporting technologies used during development,
deployment and operations, such as the development technology stack and its tooling, deployment tooling,
and operating systems and their tooling.

A secure design will help establish secure defaults, minimize the attack surface area
and fail securely to well-defined and understood defaults.
It will also consider and follow various principles, such as:

* Least Privilege and Separation of Duties
* Defense in Depth
* Zero Trust
* Security in the Open

A Secure Development Lifecycle (SDLC) helps to ensure that all security decisions made
about the product under development are explicit choices and result in the correct level of security
for the product design.
Various secure development lifecycles can be used and they generally include threat modeling
in the design process.

Checklists and Cheat Sheets are important tools during the design process;
they provide an easy reference of knowledge and help avoid repeating design errors and flaws.

The [Design][sammd] of software applications is one of the main business functions described in
the [Software Assurance Maturity Model (SAMM)][samm], and includes the security practices:

* [Threat Assessment][sammdta]
* [Security Requirements][sammdsr]
* [Security Architecture][sammdsa]

----

Translation of the [English original][en0600].

The OWASP Developer Guide is a community effort;
if you see something that needs changing then [create an issue][issue0600] or [edit on GitHub][edit0600].

[edit0600]: https://github.com/OWASP/DevGuide/blob/main/docs/es/04-design/index.md
[en0600]: https://devguide.owasp.org/en/04-design/
[issue0600]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/index
[samm]: https://owaspsamm.org/about/
[sammd]: https://owaspsamm.org/model/design/
[sammdsa]: https://owaspsamm.org/model/design/secure-architecture/
[sammdsr]: https://owaspsamm.org/model/design/security-requirements/
[sammdta]: https://owaspsamm.org/model/design/threat-assessment/
[spdcs]: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet
--------------------------------------------------------------------------------
/docs/es/05-implementation/01-documentation/02-go-scp.md:
--------------------------------------------------------------------------------
The OWASP Go Secure Coding Practices (Go-SCP) are a set of secure coding practices
for the Go programming language.

The [Go-SCP documentation project][go-scp-project] is an OWASP Incubator Project
that has enough long-term support to soon reach Lab status.
The published document can be [downloaded in various formats][go-scp-download] from the GitHub repository.

#### What is Go-SCP?

Go-SCP provides examples and recommendations to help developers avoid common errors and pitfalls,
including Go code examples that provide practical guidance for implementing the recommendations.
Go-SCP covers the OWASP [Secure Coding Practices Quick Reference Guide][scp-qrf] topic by topic:

* Input Validation
* Output Sanitization and Encoding
* Authentication and Password Management
* Session Management
* Access Control
* Cryptographic Practices
* Error Handling and Logging
* Data Protection
* Communication Security
* System Configuration
* Database Security
* File Management
* Memory Management
* General Coding Practices

The [Go Secure Coding Practices][go-scp-project] book is available in various formats:

* PDF
* ePub
* DocX
* MOBI

#### Why use Go-SCP?

Development teams often need help and support in correctly implementing
security in web applications, and part of this help comes from secure coding guidelines and best practices.
Go-SCP provides this guidance for a wide range of secure coding topics,
as well as providing practical code examples for each coding practice.

#### How to use Go-SCP

The primary audience of the Go Secure Coding Practices Guide is developers,
particularly those with previous experience in other programming languages.

Download the [Go-SCP document][go-scp-download] in one of the formats: PDF, ePub, DocX and MOBI.
Consult the topic-specific chapter and then use the Go example code snippets
for practical guidance on secure coding using Go.

----

Translation of the [original English][en070102] version.

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [create an issue][issue070102] or [edit it on GitHub][edit070102].

[edit070102]: https://github.com/OWASP/DevGuide/blob/main/docs/es/05-implementation/01-documentation/02-go-scp.md
[en070102]: https://devguide.owasp.org/en/05-implementation/01-documentation/02-go-scp/
[go-scp-download]: https://github.com/OWASP/Go-SCP/tree/master/dist
[go-scp-project]: https://owasp.org/www-project-go-secure-coding-practices-guide/
[issue070102]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/01-documentation/02-go-scp
[scp-qrf]: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
--------------------------------------------------------------------------------
/docs/es/05-implementation/01-documentation/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../../assets/images/dg_logo_bbd.png "Developer Guide"){ align=right width=180 }

Documentation is used here as part of the SAMM [Training and Awareness][sammgegta] activity,
which in turn is part of the SAMM [Education and Guidance][sammgeg] security practice
within the [Governance][sammg] business function.

It is important for development teams to have good documentation on security techniques,
frameworks, tools and threats.
Documentation helps promote security awareness for all teams involved
in software development, and provides guidance on building security into applications and systems.

----

Translation of the [original English][en0710] version.

The OWASP Developer Guide is a community effort;
if you see something that needs changing, then [create an issue][issue0710] or [edit it on GitHub][edit0710].

[edit0710]: https://github.com/OWASP/DevGuide/blob/main/docs/es/05-implementation/01-documentation/index.md
[en0710]: https://devguide.owasp.org/en/05-implementation/01-documentation/
[issue0710]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2005-implementation/01-documentation/index
[sammg]: https://owaspsamm.org/model/governance/
[sammgeg]: https://owaspsamm.org/model/governance/education-and-guidance/
[sammgegta]: https://owaspsamm.org/model/governance/education-and-guidance/stream-a/
--------------------------------------------------------------------------------
/docs/es/05-implementation/02-dependencies/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../../assets/images/dg_logo_bbd.png "Developer Guide"){ align=right width=180 }

Management of software dependencies is described in the SAMM [Software Dependencies][sammisbsd] activity,
which in turn is part of the SAMM [Secure Build][sammisb] security practice
within the [Implementation][sammi] business function.

It is important to record all dependencies used throughout the application's production environment.
This can be achieved using Software Composition Analysis (SCA) to identify third-party dependencies.
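As an added illustration (not code from the Developer Guide or from any SCA tool), the following Python snippet shows what the dependency record produced by SCA is for: an inventory of components per application, with the version, license, repository, usage location and maintenance status of each, that can be queried from both directions, which applications a given CVE affects and which CVEs a given application carries. Every application name, package version and advisory below is constructed for the example; the `CVE-0000-NNNN` identifiers are placeholders, not real vulnerability data.

```python
"""Constructed example: querying a dependency inventory (SBOM) in both directions.

All applications, versions and advisories are invented for the example; the
CVE-0000-NNNN ids are placeholders and do not refer to real vulnerabilities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str          # package name as used by the package registry
    version: str
    license_id: str
    repository: str    # source and repository information
    used_in: str       # where the dependency is used or referenced
    maintained: bool   # support and maintenance status of the dependency


# One inventory per application (constructed data).
SBOMS = {
    "billing-api": [
        Component("jackson-databind", "2.13.4", "Apache-2.0",
                  "https://github.com/FasterXML/jackson-databind", "REST layer", True),
        Component("log4j-core", "2.17.1", "Apache-2.0",
                  "https://github.com/apache/logging-log4j2", "logging", True),
    ],
    "customer-portal": [
        Component("jackson-databind", "2.12.1", "Apache-2.0",
                  "https://github.com/FasterXML/jackson-databind", "JSON parsing", True),
        Component("legacy-xml-utils", "1.0.3", "MIT",
                  "https://example.invalid/legacy-xml-utils", "import job", False),
    ],
    "reporting-batch": [
        Component("log4j-core", "2.14.1", "Apache-2.0",
                  "https://github.com/apache/logging-log4j2", "logging", True),
    ],
}

# Constructed advisory feed: placeholder CVE id -> (package, first fixed version).
# A component is affected when its version is lower than the first fixed version.
ADVISORIES = {
    "CVE-0000-0001": ("jackson-databind", "2.13.0"),
    "CVE-0000-0002": ("log4j-core", "2.17.0"),
    "CVE-0000-0003": ("legacy-xml-utils", "1.1.0"),
}


def parse_version(version: str) -> tuple:
    """Turn '2.13.4' into (2, 13, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, cve_id: str) -> bool:
    package, fixed_in = ADVISORIES[cve_id]
    return component.name == package and parse_version(component.version) < parse_version(fixed_in)


def applications_affected_by(cve_id: str) -> list:
    """Which applications contain a component hit by this advisory?"""
    return sorted(app for app, components in SBOMS.items()
                  if any(is_affected(c, cve_id) for c in components))


def cves_in_application(app: str) -> list:
    """Which advisories apply to the components of this application?"""
    return sorted(cve for cve in ADVISORIES
                  if any(is_affected(c, cve) for c in SBOMS[app]))


def unmaintained_components(app: str) -> list:
    """Components with no upstream support cannot receive a fix, so they need their own plan."""
    return sorted(c.name for c in SBOMS[app] if not c.maintained)


if __name__ == "__main__":
    for cve in ADVISORIES:
        print(cve, "->", applications_affected_by(cve))
    for app in SBOMS:
        print(app, "->", cves_in_application(app), "unmaintained:", unmaintained_components(app))
```

The version comparison is deliberately numeric: comparing `"2.9.0"` and `"2.13.0"` as strings would rank the older release as newer, which is exactly the kind of mistake that makes an inventory report a vulnerable component as fixed.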

A Software Bill of Materials (SBOM) provides a record of the dependencies within the system/application,
and provides information on each dependency so that it can be tracked:

* Where it is used or referenced
* Version used
* License
* Source and repository information
* Support and maintenance status of the dependency

Having an SBOM provides the ability to quickly find out which applications are affected by a
specific [Common Vulnerability and Exposure][cve] (CVE), or which CVEs are present in a particular application.

----

Translation of the [original English][en0702] version.

The OWASP Developer Guide is a community effort;
if you see something that needs changing, then [create an issue][issue0702] or [edit it on GitHub][edit0702].

[cve]: https://www.cve.org/
[edit0702]: https://github.com/OWASP/DevGuide/blob/main/docs/es/05-implementation/02-dependencies/index.md
[en0702]: https://devguide.owasp.org/en/05-implementation/02-dependencies/
[issue0702]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2005-implementation/02-dependencies/index
[sammi]: https://owaspsamm.org/model/implementation/
[sammisb]: https://owaspsamm.org/model/implementation/secure-build/
[sammisbsd]: https://owaspsamm.org/model/implementation/secure-build/stream-b/
--------------------------------------------------------------------------------
/docs/es/05-implementation/03-secure-libraries/02-csrf-guard.md:
--------------------------------------------------------------------------------
OWASP [CSRFGuard][csrfguard] is a security control that helps protect Java applications
against [Cross-Site Request Forgery][cscsrf] (CSRF) attacks.

The CSRFGuard Builder/Breaker Tool project is an OWASP Production Project
and is being actively maintained by a pool of international volunteers.

#### What is CSRFGuard?

OWASP [CSRFGuard][csrfguard] is a library that implements a variant of the synchronizer token pattern
to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks for Java applications.

The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated
and manual ways to integrate per-session or pseudo-per-request tokens into HTML. When a user interacts with this HTML,
CSRF prevention tokens are submitted with the corresponding HTTP request.
CSRFGuard ensures that the token is present and is valid for the current HTTP request.

#### Why use it?

The OWASP CSRFGuard library is widely used for Java applications, and will help mitigate against CSRF.

#### How to use it

Precompiled versions of the CSRFGuard library can be downloaded
from the [Maven Central repository][csrfguard-maven] or the [OSS Sonatype Nexus repository][csrfguard-nexus].

Follow the [instructions][csrfguard-build] to integrate CSRFGuard into the Java application using Maven.

#### References

* OWASP [CSRFGuard][csrfguard]
* OWASP [Cross-Site Request Forgery Prevention Cheat Sheet][cscsrf]

----

Translation of the [original English][en070302] version.

The OWASP Developer Guide is a community effort; if there is something that needs changing,
[create an issue][issue070302] or [edit it on GitHub][edit070302].
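The synchronizer token pattern described above, reduced to its essentials as an added Python illustration; this is not CSRFGuard code nor its API, and the `csrf_token` field name, the session dictionary and the status codes returned are assumptions made for the example. A per-session token is created once, rendered into every form the server emits, and a filter-style check rejects state-changing requests that do not carry the token held in that session.

```python
"""Added example: a minimal synchronizer-token check (per-session variant).

Illustrates the pattern CSRFGuard implements; not CSRFGuard's own code.
The field name and session layout are assumptions for the example.
"""
import hmac
import html
import secrets

TOKEN_FIELD = "csrf_token"                  # assumed hidden-field / parameter name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods carry no token


def issue_token(session: dict) -> str:
    """Create the per-session token once and keep it in server-side session state."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)   # CSPRNG, 256 bits
    return session[TOKEN_FIELD]


def render_form(session: dict, action: str) -> str:
    """Automated injection: every form the server renders carries the hidden token field."""
    token = issue_token(session)
    return (f'<form method="POST" action="{html.escape(action)}">'
            f'<input type="hidden" name="{TOKEN_FIELD}" value="{html.escape(token)}">'
            f'<button type="submit">Submit</button></form>')


def token_is_valid(session: dict, method: str, form_fields: dict) -> bool:
    """Filter-style check: safe methods pass; all others must present this session's token."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get(TOKEN_FIELD)
    presented = form_fields.get(TOKEN_FIELD)
    if not expected or not presented:
        return False            # no token issued yet, or none submitted
    # constant-time comparison so the check does not leak timing information
    return hmac.compare_digest(expected.encode(), str(presented).encode())


def handle_request(session: dict, method: str, form_fields: dict) -> int:
    """Return the HTTP status the filter would produce: 403 when the token is missing or wrong."""
    return 200 if token_is_valid(session, method, form_fields) else 403


if __name__ == "__main__":
    user_session = {}
    page = render_form(user_session, "/transfer")
    token = user_session[TOKEN_FIELD]
    print(handle_request(user_session, "POST", {TOKEN_FIELD: token, "amount": "10"}))  # 200
    print(handle_request(user_session, "POST", {"amount": "10"}))                       # 403
```

Two details matter for the check to hold: the token lives only in server-side session state, so a request forged from another origin has no way to read it, and the comparison is constant-time so that a wrong token is rejected without revealing how many leading bytes matched.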

[csrfguard]: https://owasp.org/www-project-csrfguard/
[csrfguard-build]: https://github.com/OWASP/www-project-csrfguard/blob/master/readme.md#using-with-maven
[csrfguard-nexus]: https://oss.sonatype.org/#nexus-search;gav~~csrfguard~~~
[csrfguard-maven]: https://central.sonatype.com/search?q=csrfguard&smo=true
[cscsrf]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet
[edit070302]: https://github.com/OWASP/DevGuide/blob/main/docs/es/05-implementation/03-secure-libraries/02-csrf-guard.md
[en070302]: https://devguide.owasp.org/en/05-implementation/03-secure-libraries/02-csrf-guard/
[issue070302]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/02-csrf-guard
--------------------------------------------------------------------------------
/docs/es/05-implementation/03-secure-libraries/03-secure-headers.md:
--------------------------------------------------------------------------------
![Secure Headers logo](../../../assets/images/logos/secure_headers.png "OWASP Secure Headers"){ align=right width=150 }

The OWASP Secure Headers Project ([OSHP][oshp]) provides information on HTTP response headers
to increase the security of a web application.

The OSHP documentation project is an OWASP Lab Project
and raises awareness of secure headers and their use.

#### What is OSHP?

The [OSHP project][oshp] provides explanations for the HTTP response headers that an application
can use to increase the security of the application. Once set, the HTTP response headers
can restrict modern browsers from running into easily preventable vulnerabilities.

OSHP contains guidance and downloads on:

* Response header explanations and usage
* Links to individual browser support
* Guidance and best practices
* Technical resources in the form of tools and documents
* Code snippets to help work with HTTP security headers

#### Why use it?

OSHP is a documentation project that explains the reasoning and usage of HTTP response headers.
It is the go-to document for guidance and best practices;
the information on HTTP response headers is the best advice, in one location, and is kept up to date.

#### How to use it

The OWASP Spotlight series provides an overview of this project
and its uses: 'Project 24 - [OWASP Security Headers Project][spotlight24]'.

OSHP provides links to development [libraries][oshp-libs] that provide secure HTTP response headers
in a range of languages and frameworks: DotNet, Go, HAPI, Java, NodeJS, PHP, Python, Ruby, Rust.
OSHP also lists [various tools][oshp-tools] useful for the inspection, analysis
and scanning of HTTP response headers.

----

Translation of the [original English][en070303] version.

The OWASP Developer Guide is a community effort; if there is something that needs changing,
[create an issue][issue070303] or [edit it on GitHub][edit070303].

[edit070303]: https://github.com/OWASP/DevGuide/blob/main/docs/es/05-implementation/03-secure-libraries/03-secure-headers.md
[en070303]: https://devguide.owasp.org/en/05-implementation/03-secure-libraries/03-secure-headers/
[issue070303]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/03-secure-headers
[oshp]: https://owasp.org/www-project-secure-headers/
[oshp-libs]: https://owasp.org/www-project-secure-headers/#development-libraries
[oshp-tools]: https://owasp.org/www-project-secure-headers/#analysis-tools
[spotlight24]: https://youtu.be/N4F3VWQYU9E

\newpage
--------------------------------------------------------------------------------
/docs/es/05-implementation/03-secure-libraries/index.md:
--------------------------------------------------------------------------------
![Guide logo](../../../assets/images/dg_logo_bbd.png "Developer Guide"){ align=right width=180 }

Using secure libraries is part of the technology management that helps fulfill security requirements.
Standard libraries allow the adoption of common design patterns and security solutions,
and provide standardised technologies and frameworks that can be used across different applications.

[Technology Management][sammdsatm] for software applications is described by SAMM as an activity
within the SAMM [Security Architecture][sammdsa] security practice,
which in turn is part of the [Design][sammd] business function.

----

Translation of the [original English][en0703] version.

The OWASP Developer Guide is a community effort;
if you see something that needs changing, then [create an issue][issue0703] or [edit it on GitHub][edit0703].

[edit0703]: https://github.com/OWASP/DevGuide/blob/main/docs/es/05-implementation/03-secure-libraries/index.md
[en0703]: https://devguide.owasp.org/en/05-implementation/03-secure-libraries/
[issue0703]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/index
[sammd]: https://owaspsamm.org/model/design/
[sammdsa]: https://owaspsamm.org/model/design/secure-architecture/
[sammdsatm]: https://owaspsamm.org/model/design/secure-architecture/stream-b/
--------------------------------------------------------------------------------
/docs/es/05-implementation/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../assets/images/dg_logo.png "Developer Guide"){ align=right width=180 }

## 5. Implementation

The [Implementation][sammi] business function is described by
the OWASP [Software Assurance Maturity Model][sammm] (SAMM).
Implementation is focused on the processes and activities related to how an organization
builds and deploys software components and its related defects.
Implementation activities have the most impact on the daily life of developers,
and a key goal of Implementation is to deliver reliably functioning software
with a minimum of defects.

Implementation should include security practices such as:

* Secure Build
* Secure Deployment
* Defect Management

Implementation is where the application/system begins to take shape; source code is written and tests are created.
The implementation of the application follows a secure development lifecycle, with security built in from the start.

The implementation will use a secure method of source code control and storage
to fulfill the design security requirements.
The development team will refer to documentation advising on best practices,
will use secure libraries wherever possible,
in addition to checking and tracking external dependencies.

Much of the implementation skill comes from experience,
and taking into account the do's and don'ts of secure development
is in itself an important knowledge activity.

----

Translation of the [original English][en0700] version.

The OWASP Developer Guide is a community effort;
if you see something that needs changing, then [create an issue][issue0700] or [edit it on GitHub][edit0700].

[edit0700]: https://github.com/OWASP/DevGuide/blob/main/docs/es/05-implementation/index.md
[en0700]: https://devguide.owasp.org/en/05-implementation/
[issue0700]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2005-implementation/index
[sammm]: https://owaspsamm.org/model/
[sammi]: https://owaspsamm.org/model/implementation/
--------------------------------------------------------------------------------
/docs/es/06-verification/01-guides/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../../assets/images/dg_logo_bbd.png "Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by [OWASP SAMM][samm].
Verification activities are wide-ranging, and will include:

* Testing of security controls
* Review of security controls and mechanisms
* Evaluation and assessment of the security architecture
* and others

Given the breadth of techniques and knowledge required, guides are an important resource
for verification activities.

----

Translation of the [original English][en0810] version.

The OWASP Developer Guide is a community effort;
if you see something that needs changing, then [create an issue][issue0810] or [edit it on GitHub][edit0810].

[edit0810]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/01-guides/index.md
[en0810]: https://devguide.owasp.org/en/06-verification/01-guides/
[issue0810]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/01-guides/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/
--------------------------------------------------------------------------------
/docs/es/06-verification/02-tools/01-dast.md:
--------------------------------------------------------------------------------
Dynamic Application Security Testing (DAST) represents a non-functional testing process
to identify security weaknesses and vulnerabilities in applications.
The testing process can be carried out manually or be automated.
Manual assessment of an application involves human intervention to identify security flaws
that might slip past an automated tool.
Usually, business logic errors, race condition checks
and certain zero-day vulnerabilities can only be identified using manual assessments.

### 6.2.1 DAST tools

DAST tools are programs that communicate with a web application through its web interface
in order to identify potential security vulnerabilities in the web application and architectural weaknesses.
They perform black-box testing. Unlike static application security testing tools,
DAST tools do not have access to the source code and therefore
detect vulnerabilities by actually performing attacks.

#### Different DAST tools

The OWASP Community maintains a [list of DAST tools][dast] that can be used to carry out DAST.
All these tools have their own strengths and weaknesses.
If you are interested in the effectiveness of DAST tools, check out the [OWASP Benchmark][benchmark] project,
which attempts to scientifically measure the effectiveness of all types of vulnerability detection tools,
including DAST.

#### Why use them?

The big advantage of these types of tools is that they can scan
year-round to constantly search for vulnerabilities.
With new vulnerabilities being discovered regularly, this allows companies to find
and patch vulnerabilities before they can be exploited.

#### Cons

Because these tools perform dynamic testing, they cannot cover 100% of the source code of the application and,
therefore, the application itself.
The penetration tester should look at the coverage of the web application or of its attack surface
to know whether the tool was configured correctly or was able to understand the web application.

#### References

* [Dynamic Application Security Testing][wikipedia]
* [Vulnerability Scanning Tools][dast]

----

Translation of the [original English][en080201] version.

The OWASP Developer Guide is a community effort;
if there is something that needs changing, [create an issue][issue080201] or [edit it on GitHub][edit080201].

[benchmark]: https://owasp.org/www-project-benchmark/
[dast]: https://owasp.org/www-community/Vulnerability_Scanning_Tools
[edit080201]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/02-tools/01-dast.md
[en080201]: https://devguide.owasp.org/en/06-verification/02-tools/01-dast/
[issue080201]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/01-dast
[wikipedia]: https://en.wikipedia.org/wiki/Dynamic_application_security_testing
--------------------------------------------------------------------------------
/docs/es/06-verification/02-tools/02-amass.md:
--------------------------------------------------------------------------------
![Amass logo](../../../assets/images/logos/amass.png "OWASP Amass"){ align=right width=80 }

OWASP Amass is a tool that provides attack surface management for an organization's web sites
and applications.
It is used during penetration testing for network mapping of attack surfaces
and external asset discovery by integrating various existing security tools.

The Amass [breaker/tool project][amass] is an OWASP Flagship Project and installers can be
downloaded from the [releases area][amass-download] of the project's github repository.

#### What is Amass?

Amass is a command-line tool that provides information on an organization's web sites,
using various open-source information-gathering tools and active reconnaissance techniques.

It is run from the command line with [subcommands][amass-docs]:

1. 'amass intel' collects intelligence on the target organization
2. 'amass enum' performs DNS enumeration and network mapping to populate the results database
3. 'amass db'

Each command comes with a wide set of options that control the tools used
and the format of the findings.

#### Why use it?

Amass is an important tool for security testing teams.
Amass is included in the [Kali Linux][kali] distribution,
which is widely used by penetration testing teams, with Amass providing a straightforward way
of running a wide set of reconnaissance and enumeration tools.

In addition, Amass is an easily used tool that is available to both legitimate testing teams
and malicious actors.
It is very likely that any given organization has been scanned and enumerated by Amass at some point,
either maliciously or legitimately,
so it is important to run the tool to determine what information a malicious actor can obtain.

#### How to use it

If [Kali Linux][kali] is being used then Amass comes ready installed,
otherwise a wide set of [installers][amass-install] are available for other platforms.

The extensive [Amass tutorial][amass-tutorial] provides the best way of learning how to use Amass and its features.

----

Translation of the [original English][en080202] version.

The OWASP Developer Guide is a community effort; if there is something that needs changing,
[create an issue][issue080202] or [edit it on GitHub][edit080202].

[amass]: https://owasp.org/www-project-amass/
[amass-docs]: https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md
[amass-download]: https://github.com/owasp-amass/amass/releases
[amass-install]: https://github.com/owasp-amass/amass/blob/master/doc/install.md
[amass-tutorial]: https://github.com/owasp-amass/amass/blob/master/doc/tutorial.md
[edit080202]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/02-tools/02-amass.md
[en080202]: https://devguide.owasp.org/en/06-verification/02-tools/02-amass/
[issue080202]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/02-amass
[kali]: https://www.kali.org/
--------------------------------------------------------------------------------
/docs/es/06-verification/02-tools/03-owtf.md:
--------------------------------------------------------------------------------
![OWTF logo](../../../assets/images/logos/owtf.png "OWASP OWTF"){ align=right width=80 }

The OWASP Offensive Web Testing Framework ([OWTF][owtf])
is a penetration testing tool that provides penetration testers with a framework for organising
and running security test suites.
It also helps align penetration testing with various security standards and guides,
making the tests more creative and comprehensive.

The OWTF defender/tool project is an OWASP Flagship Project
and can be downloaded from the [releases area][owtfdownload] of the project's github repository.

#### What is OWTF?

The [OWTF][owtf] tool is a penetration testing framework used to organise
and run suites of security tools and penetration tests.
It is designed to run on [Kali Linux][kali];
it can also be run on MacOS but with some modifications to scripts and paths.

OWTF is clearly a tool for penetration testers, also called pentesters;
there is an expectation that the user has reasonable experience
and understanding of penetration testing environments and tools.
The [documentation][owtfdocs] on installing and running OWTF is not extensive,
and a thorough knowledge of the target system is required to configure the tool.

#### Why use it?

[OWTF][owtf] is easily configurable and plugins or new tests can be created
using the configuration files.
It can be quickly installed on [Kali Linux][kali], an Ubuntu distribution widely used
by penetration testers,
and allows an entire suite of tests to be directed against the target.

#### How to use it

The OWTF [documentation][owtfdocs] is relatively old, last updated in 2016,
and the [installation][owtfinstall] instructions may need adapting to run on MacOS or Kali.

----

Translation of the [original English][en080203] version.

The OWASP Developer Guide is a community effort; if there is something that needs changing,
[create an issue][issue080203] or [edit it on GitHub][edit080203].

[edit080203]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/02-tools/03-owtf.md
[en080203]: https://devguide.owasp.org/en/06-verification/02-tools/03-owtf/
[issue080203]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/03-owtf
[kali]: https://www.kali.org/
[owtfinstall]: https://owtf.readthedocs.io/en/develop/installation/methods.html
[owtfdocs]: https://owtf.readthedocs.io/
[owtfdownload]: https://github.com/owtf/owtf/releases
[owtf]: https://owasp.org/www-project-owtf/
--------------------------------------------------------------------------------
/docs/es/06-verification/02-tools/04-nettacker.md:
--------------------------------------------------------------------------------
![Nettacker logo](../../../assets/images/logos/nettacker.png "OWASP Nettacker"){ align=right width=180 }

### 6.2.4 Nettacker

OWASP Nettacker is a command-line utility for automated network and vulnerability scanning.
It can be used during penetration testing for both internal and external security assessments of networks.

The Nettacker [breaker/tool project][nettacker-project] is an OWASP Incubator Project;
the latest release can be downloaded from the project's [github repository][nettacker-install].

#### What is Nettacker?

[Nettacker][nettacker-project] is an automated penetration testing tool.
It is used to scan a network to discover the nodes and servers on the network, including subdomains.
Nettacker can then identify servers, services and port numbers in use.

Nettacker is a modular Python application that can be extended with other scanning functions.
The many modules available are grouped into domains:

* [Scan][nettacker-scan] modules for reconnaissance
* [Vulnerability][nettacker-vuln] modules that attempt specific exploits
* [Brute force][nettacker-brute] modules

Nettacker runs on Windows, Linux and MacOS.

#### Why use it?

Nettacker is easy to use from the command line, making it easy to use in scripts,
and also comes with a web browser interface for easy navigation of the results.
This makes it a quick and reliable way to obtain information from a network.

Nettacker can be used both for auditing purposes and for penetration testing.

#### How to use it

The OWASP Spotlight series provides an overview of attack surface management using Nettacker:
'Project 11 - [Nettacker][spotlight11]'.

The documentation for Nettacker is provided in the repository wiki pages;
follow [these instructions][nettacker-install] to install it.

Nettacker is a flexible and modular scanning tool that can be used in many ways and with many options.
The best way to start using it is by following the [introduction video][nettacker-intro]
and then continuing from there.

----

Translation of the [original English][en080204] version.

The OWASP Developer Guide is a community effort; if there is something that needs changing,
[create an issue][issue080204] or [edit it on GitHub][edit080204].

[edit080204]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/02-tools/04-nettacker.md
[en080204]: https://devguide.owasp.org/en/06-verification/02-tools/04-nettacker/
[issue080204]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/04-nettacker
[nettacker-brute]: https://github.com/OWASP/Nettacker/wiki/Modules#brute-modules
[nettacker-install]: https://github.com/OWASP/Nettacker/wiki/Installation
[nettacker-intro]: https://github.com/OWASP/Nettacker/wiki#introduction
[nettacker-project]: https://owasp.org/www-project-nettacker/
[nettacker-scan]: https://github.com/OWASP/Nettacker/wiki/Modules#scan-modules
[nettacker-vuln]: https://github.com/OWASP/Nettacker/wiki/Modules#vuln-modules
[spotlight11]: https://www.youtube.com/watch?v=OGv7OtG127A

--------------------------------------------------------------------------------
/docs/es/06-verification/02-tools/05-secure-headers.md:
--------------------------------------------------------------------------------
![OSHP logo](../../../assets/images/logos/oshp.png "OSHP"){ align=right width=140 }

The OWASP Secure Headers Project ([OSHP][oshp]) provides information
on the HTTP response headers
that increase the security of a web application.

The OSHP documentation project is an OWASP Laboratory Project
and raises awareness of secure headers and their use.

#### What is OSHP?

The [OSHP project][oshp] provides explanations of the HTTP response headers
that an application can use to increase its security.
Once set, these HTTP response headers can stop modern browsers
from running into easily preventable vulnerabilities.

OSHP contains guidance and downloads on:

* Response header explanations and usage
* Links to individual browser support
* Guidance and best practices
* Technical resources in the form of tools and documents
* Code snippets to help work with HTTP security headers

#### Why use it?

OSHP is a documentation project that explains the reasoning behind and use of HTTP response headers.
It is the reference document for guidance and best practices;
the information on HTTP response headers is the best advice, in one location, and is kept up to date.

#### How to use it

The OWASP Spotlight series provides an overview of this project and its uses:
'Project 24 - [OWASP Security Headers Project][spotlight24]'.

OSHP documents [various tools][oshp-tools] that are useful for the inspection, analysis
and scanning of HTTP response headers:

* hsecscan
* humble
* SecurityHeaders.com
* Mozilla Observatory
* Recx Security Analyser
* testssl.sh
* DrHEADer
* csp-evaluator

OSHP also provides links to development [libraries][oshp-libs]
that provide secure HTTP response headers in a range of languages and frameworks.

----

Translation of the [original English version][en080205].

The OWASP Developer Guide is a community effort; if there is something that needs changing,
[create an issue][issue080205] or [edit it on GitHub][edit080205].
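The inspection tools listed above all do a version of the same job: look at the response headers a site actually sends and report which of the OSHP-documented headers are missing or set to a weak value. The following is an added example of that check, written for this guide and not code from OSHP or from any of the tools named above. The header names are real; the minimal expectations on each value, and the two constructed responses (a weak one beside a hardened one), are assumptions chosen for illustration and are not the full OSHP guidance.

```python
"""Report missing or weak security response headers (added example, not OSHP code)."""
import re
from typing import Callable, Dict, List


def _hsts_ok(value: str) -> bool:
    # Assumption: require a max-age of at least one year (31536000 seconds).
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= 31536000


def _csp_ok(value: str) -> bool:
    # A policy whose effective script source allows 'unsafe-inline' gives little XSS protection.
    directives = {d.strip().split(" ")[0].lower(): d.strip()
                  for d in value.split(";") if d.strip()}
    script = directives.get("script-src") or directives.get("default-src")
    return script is not None and "'unsafe-inline'" not in script


# Header name (lower case) -> minimal expectation on its value (assumptions, see lead-in).
EXPECTATIONS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: bool(v.strip()),
}


def check_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each expected header as 'missing', 'weak' or 'ok' for one response.

    Header names are matched case-insensitively, as HTTP header names are.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    report: Dict[str, List[str]] = {"missing": [], "weak": [], "ok": []}
    for name, predicate in EXPECTATIONS.items():
        if name not in lowered:
            report["missing"].append(name)
        elif not predicate(lowered[name]):
            report["weak"].append(name)
        else:
            report["ok"].append(name)
    return report


# Constructed sample responses standing in for real captured headers.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(response))
```

The weak sample shows the two failure modes the tools above distinguish: a header that is absent, and a header that is present but set to a value that gives little protection (a short HSTS lifetime, a CSP that still allows inline scripts, an `X-Frame-Options` value browsers no longer honour). Running the same check on every deployed environment is a cheap way to catch a hardened configuration that was lost on redeploy.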

[edit080205]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/02-tools/05-secure-headers.md
[en080205]: https://devguide.owasp.org/en/06-verification/02-tools/05-secure-headers/
[issue080205]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/05-secure-headers
[oshp]: https://owasp.org/www-project-secure-headers/
[oshp-libs]: https://owasp.org/www-project-secure-headers/#development-libraries
[oshp-tools]: https://owasp.org/www-project-secure-headers/#analysis-tools
[spotlight24]: https://youtu.be/N4F3VWQYU9E

--------------------------------------------------------------------------------
/docs/es/06-verification/02-tools/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../../assets/images/dg_logo_bbd.png "Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by [OWASP SAMM][samm].

The SAMM [Security Testing][sammvst] activity describes the use of both automated security testing
and manual expert security testing to discover security defects.
This security testing should be automated as part of the development, build and deployment processes,
and it can be complemented with regular manual security penetration tests.

Automated security testing tools are fast and scale well across numerous applications,
whereas manual security testing of high-risk components requires
good knowledge of the application and its business logic.

----

Translation of the [original English version][en0820].

The OWASP Developer Guide is a community effort;
if you see something that needs changing, then [create an issue][issue0820] or [edit it on GitHub][edit0820].

[edit0820]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/02-tools/index.md
[en0820]: https://devguide.owasp.org/en/06-verification/02-tools/
[issue0820]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2006-verification/02-tools/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/
[sammvst]: https://owaspsamm.org/model/verification/security-testing/

--------------------------------------------------------------------------------
/docs/es/06-verification/03-frameworks/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../../assets/images/dg_logo_bbd.png "Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by [OWASP SAMM][samm],
and both [Security Testing][sammvst] and [Requirements-driven Testing][sammvrt]
are an important part of verification.

Verification testing can benefit from the use of frameworks to support continuous
and automated security testing.
Using a framework can provide:

* automation of a security analysis pipeline
* flexibility to run a series of tools in a pipeline
* scalability across multiple security scanners
* control interfaces

----

Translation of the [original English version][en0830].

The OWASP Developer Guide is a community effort;
if you see something that needs changing, then [create an issue][issue0830] or [edit it on GitHub][edit0830].

[edit0830]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/03-frameworks/index.md
[en0830]: https://devguide.owasp.org/en/06-verification/03-frameworks/
[issue0830]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-verification/03-frameworks/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/
[sammvrt]: https://owaspsamm.org/model/verification/requirements-driven-testing/
[sammvst]: https://owaspsamm.org/model/verification/security-testing/

--------------------------------------------------------------------------------
/docs/es/06-verification/04-vulnerability-management/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../../assets/images/dg_logo_bbd.png "Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by [OWASP SAMM][samm].
Vulnerability management helps to maintain the security level of the application
after bug fixes, changes or during maintenance.

The SAMM [Requirements-driven Testing][sammvrt] practice describes the outcomes
of effective vulnerability management,
and why it is necessary to have these processes in place.
For example, using security unit tests to provide regression testing
gives some degree of confidence that applications are not vulnerable to known exploits.

----

Translation of the [original English version][en0840].

The OWASP Developer Guide is a community effort;
if you see something that needs changing, then [create an issue][issue0840] or [edit it on GitHub][edit0840].

[edit0840]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/04-vulnerability-management/index.md
[en0840]: https://devguide.owasp.org/en/06-verification/04-vulnerability-management/
[issue0840]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-verification/04-vulnerability-management/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/
[sammvrt]: https://owaspsamm.org/model/verification/requirements-driven-testing/

--------------------------------------------------------------------------------
/docs/es/06-verification/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../assets/images/dg_logo.png "Developer Guide"){ align=right width=180 }

[Verification][sammv] is one of the business functions described by [OWASP SAMM][samm].

Verification focuses on the processes and activities related to how an organization checks
and tests the artifacts produced during software development.
This typically includes quality assurance work such as testing,
and also includes other review and evaluation activities.

Verification activities should include:

* Architecture assessment, validation and mitigation
* Requirements-driven testing
* Verification of security controls and misuse/abuse testing
* Automated security testing and baselining
* Manual security testing and penetration testing

These activities are supported by:

* Security guides
* Testing tools
* Testing frameworks
* Vulnerability management
* Checklists

Verification is a central activity in the secure software development lifecycle.
Refer to the [Security Culture][culturetest] project section for the various types of security testing.

----

Translation of the [original English version][en0800].

The OWASP Developer Guide is a community effort;
if you see something that needs changing, then [create an issue][issue0800] or [edit it on GitHub][edit0800].

[culturetest]: https://owasp.org/www-project-security-culture/stable/7-Security_Testing/
[edit0800]: https://github.com/OWASP/DevGuide/blob/main/docs/es/06-verification/index.md
[en0800]: https://devguide.owasp.org/en/06-verification/
[issue0800]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2006-verification/index
[samm]: https://owaspsamm.org/about/
[sammv]: https://owaspsamm.org/model/verification/

--------------------------------------------------------------------------------
/docs/fa/02-foundations/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 }

There are various fundamental concepts and terms that are commonly used in software security.
Although implementing many of these concepts is complex and grounded in heavy theory, their principles are often
quite straightforward and understandable by any software engineer.

A reasonable understanding of these fundamental concepts allows development teams to understand and implement
software security for the application or system being developed.

This developer guide can only give a brief overview of these concepts; for deeper knowledge,
refer to the many texts on security such as
[The Cyber Security Body Of Knowledge](https://www.cybok.org/).

If changes are to be made to an organization's security culture, make sure that management support and
clear goals to achieve are in place.

Without these, attempts to improve the security posture will probably fail - to understand the importance of
collaboration between management, security and development teams, refer to the
[Security Culture](https://owasp.org/www-project-security-culture/stable/3-Goal_Setting_and_Security_Team_Collaboration/)
project.

---

The OWASP Developer Guide is a community effort; if you see something that needs changing, please
[create an issue](https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2002-foundations/index)
or [edit it on GitHub](https://github.com/OWASP/DevGuide/blob/main/docs/en/02-foundations/index.md).

--------------------------------------------------------------------------------
/docs/pt-br/02-foundations/index.md:
--------------------------------------------------------------------------------
![Developer guide logo](../../assets/images/dg_logo.png "OWASP Developer Guide"){ align=right width=180 }

There are various fundamental concepts and terms that are commonly used in software security.
Although many of these concepts are complex to implement and based on heavy theory,
the principles are generally quite straightforward and accessible to all software engineers.

A reasonable understanding of these fundamental concepts allows development teams to understand and implement
software security for the application or system under development.
This Developer Guide only gives a brief overview of these concepts;
for in-depth knowledge, refer to the various texts on security,
such as [The Cyber Security Body Of Knowledge][cbok].

If changes are being introduced to an organization's security culture,
make sure that there is management support and clear goals to be achieved.
Without this, attempts to improve the security posture will probably fail - see the
[Security Culture][culturegoal] project for the importance of getting management,
security and development teams working together.

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue0400] or [edit it on GitHub][edit0400].

[cbok]: https://www.cybok.org/
[culturegoal]: https://owasp.org/www-project-security-culture/stable/3-Goal_Setting_and_Security_Team_Collaboration/
[edit0400]: https://github.com/OWASP/DevGuide/blob/main/docs/pt-br/02-foundations/index.md
[issue0400]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2002-foundations/index

--------------------------------------------------------------------------------
/release-process.md:
--------------------------------------------------------------------------------
### Release process

The [web document][latest] is always the latest version that has been accepted via the pull request process.

If major or significant minor changes are made then it is good to tag this with a semantic version, such as `4.1.8`.

To do this:

1. Ensure that all pull requests are up to date
2. Navigate to the [release area][release]
3. Click on the 'Draft a new release' button to create a [new release][new-release]
4. Choose a tag, for example `v4.1.8`, and select 'main' as the target branch
5. Provide the release title, such as 'Version 4.1.8'
6. Describe the release in the Description; consider including the text below
7. Obtain the latest PDF file from the latest (successful) [commit action][commits]
8. Upload this PDF file to the draft release
9. Ensure 'Set as the latest release' is selected
10. Apply 'Publish release'
11. Announce on the #project-developer-guide [Slack channel][slack]
12. Announce on the [Blue Sky channel][bluesky]

```text
Contact the current [leaders][leaders] for any queries about this version.

The [PDF][pdf-guide] version of the [web document][devguide] can be downloaded for version 4.1.8.

[devguide]: devguide.owasp.org
[leaders]: https://github.com/OWASP/www-project-developer-guide/blob/main/leaders.md
[pdf-guide]: https://github.com/OWASP/threat-dragon/releases/download/v4.1.8/OWASP_Developer_Guide-V4.1.8.pdf
```

----

OWASP DevGuide: _accessible security for developers_

[bluesky]: https://bsky.app/profile/devguide.bsky.social
[commits]: https://github.com/OWASP/DevGuide/actions/workflows/ci.yaml
[latest]: https://devguide.owasp.org/
[new-release]: https://github.com/OWASP/DevGuide/releases/new
[release]: https://github.com/OWASP/DevGuide/releases
[slack]: https://owasp.slack.com/messages/C04QN6CMNAC

--------------------------------------------------------------------------------
/security.md:
--------------------------------------------------------------------------------
## Security Policy

This project is built on markdown which is used to create binary files,
such as `.pdf` and the site itself.
It is not impossible that a malicious actor could somehow embed malware
in the markdown or subvert the document creation process.
If you find anything suspicious in either the markdown or pipeline scripts
then let us know ASAP and we will fix it as a priority.

Open a [security advisory][advisory] and this will be provided
only to the project's admins and in strict confidence.

----

OWASP DevGuide: _accessible security for developers_

[advisory]: https://github.com/OWASP/www-project-developer-guide/security/advisories/new

--------------------------------------------------------------------------------