├── .github
    └── workflows
    │   ├── ci.yml
    │   └── deploy.yml
├── .gitignore
├── .markdownlint.yaml
├── .spellcheck.yaml
├── .wordlist.txt
├── LICENSE
├── README.md
├── docs
    ├── CNAME
    ├── archive
    │   ├── 2014
    │   │   └── index.md
    │   ├── 2016
    │   │   ├── in-the-news.md
    │   │   └── index.md
    │   ├── 2018
    │   │   ├── 0x01-about-owasp.md
    │   │   ├── 0x02-about-project.md
    │   │   ├── 0x03-about-structure.md
    │   │   ├── 0x04-introduction.md
    │   │   ├── c1-security-requirements.md
    │   │   ├── c10-errors-exceptions.md
    │   │   ├── c2-leverage-security-frameworks-libraries.md
    │   │   ├── c3-secure-database.md
    │   │   ├── c4-encode-escape-data.md
    │   │   ├── c5-validate-inputs.md
    │   │   ├── c6-digital-identity.md
    │   │   ├── c7-enforce-access-controls.md
    │   │   ├── c8-protect-data-everywhere.md
    │   │   ├── c9-security-logging.md
    │   │   ├── final-word.md
    │   │   ├── in-the-news.md
    │   │   └── translations.md
    │   └── 2024
    │   │   ├── final-word.md
    │   │   ├── index.md
    │   │   ├── introduction
    │   │       ├── about-owasp.md
    │   │       ├── contributing.md
    │   │       ├── in-the-news.md
    │   │       └── related-owasp-projects.md
    │   │   └── the-top-10
    │   │       ├── c1-accesscontrol.md
    │   │       ├── c10-stop-server-side-request-forgery.md
    │   │       ├── c2-crypto.md
    │   │       ├── c3-validate-input-and-handle-exceptions.md
    │   │       ├── c4-secure-architecture.md
    │   │       ├── c5-secure-by-default.md
    │   │       ├── c6-use-secure-dependencies.md
    │   │       ├── c7-secure-digital-identities.md
    │   │       ├── c8-leverage-browser-security-features.md
    │   │       ├── c9-security-logging-and-monitoring.md
    │   │       └── index.md
    ├── final-word.md
    ├── index.md
    ├── introduction
    │   ├── about-owasp.md
    │   ├── contributing.md
    │   ├── in-the-news.md
    │   └── related-owasp-projects.md
    └── the-top-10
    │   ├── c1-accesscontrol.md
    │   ├── c10-stop-server-side-request-forgery.md
    │   ├── c2-crypto.md
    │   ├── c3-validate-input-and-handle-exceptions.md
    │   ├── c4-secure-architecture.md
    │   ├── c5-secure-by-default.md
    │   ├── c6-use-secure-dependencies.md
    │   ├── c7-secure-digital-identities.md
    │   ├── c8-leverage-browser-security-features.md
    │   ├── c9-security-logging-and-monitoring.md
    │   └── index.md
├── leaders.md
├── mkdocs.yml
├── overrides
    ├── 404.html
    └── google6fbf6cc04efaa5b5.html
├── v2
    ├── OWASPTop10ProactiveControls2016-Chinese.pdf
    ├── OWASPTop10ProactiveControls2016-Japanese.pdf
    ├── OWASPTop10ProactiveControls2016-SimplifiedChinese.pdf
    ├── OWASP_Proactive_Controls_2-Hebrew.pdf
    ├── OWASP_Top_10_Proactive_Controls_-_V2.0.docx
    ├── OWASP_Top_10_Proactive_Controls_V2.pdf
    └── OWASP_Top_Ten_Proactive_Controls_v2.pptx
└── v3
    ├── .DS_Store
    ├── OWASP-OPC-IEEEE-OTop10-OTMobTop10-ssdf.pdf
    ├── OWASP_TOP_10_Proactive_Controls_2018_V3_ES-AR.pdf
    ├── OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf
    ├── OWASP_TOP_10_Proactive_Controls_2018_V3_PT-BR.pdf
    ├── OWASP_Top_10_Proactive_Controls_V3-AR.pdf
    ├── OWASP_Top_10_Proactive_Controls_V3-IT.pdf
    ├── OWASP_Top_10_Proactive_Controls_V3.docx
    ├── OWASP_Top_10_Proactive_Controls_V3.pdf
    ├── OWASP_Top_10_Proactive_Controls_V3_Chinese.pdf
    ├── OWASP_Top_Ten_Proactive_Controls_v3.pptx
    ├── Owasp-top-10-proactive-controls-2018-russian.pdf
    ├── generate-doc.sh
    ├── images
        ├── controls-logo.png
        └── proactive-header.jpg
    └── templates
        ├── 2-cols.docx
        ├── template.docx
        └── ~$mplate.docx


/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
 1 | name: CI pipeline
 2 | on:
 3 |   push:
 4 |     branches:
 5 |       - main
 6 |       - master
 7 |   workflow_dispatch:
 8 | 
 9 | # for security reasons the github actions are pinned to specific release versions
10 | jobs:
11 |   link_checker:
12 |     name: Link checker
13 |     runs-on: ubuntu-24.04
14 |     steps:
15 |       - name: Checkout markdown
16 |         uses: actions/checkout@v4.1.1
17 | 
18 |       - name: Link Checker
19 |         uses: lycheeverse/lychee-action@v1.10.0
20 |         with:
21 |           args: --no-progress --max-retries 5 --exclude-path './docs/archive/' './docs/**/*.md'
22 |           fail: true
23 |         env:
24 |           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
25 | 
26 |   md_linter:
27 |     name: Lint markdown
28 |     runs-on: ubuntu-24.04
29 |     steps:
30 |       - name: Checkout markdown
31 |         uses: actions/checkout@v4.1.1
32 | 
33 |       - name: Lint markdown
34 |         uses: DavidAnson/markdownlint-cli2-action@v16.0.0
35 |         with:
36 |           config: '.markdownlint.yaml'
37 |           globs: './docs/**/*.md'
38 | 
39 |   spell_checker:
40 |     name: Check spelling
41 |     runs-on: ubuntu-24.04
42 |     steps:
43 |       - name: Checkout markdown
44 |         uses: actions/checkout@v4.1.1
45 | 
46 |       - name: spell_checker
47 |         uses: rojopolis/spellcheck-github-actions@0.41.0


--------------------------------------------------------------------------------
/.github/workflows/deploy.yml:
--------------------------------------------------------------------------------
 1 | name: Build Github Pages
 2 | on:
 3 |   push:
 4 |     branches:
 5 |       - main
 6 |       - master
 7 | permissions:
 8 |   contents: write
 9 | jobs:
10 |   deploy:
11 |     runs-on: ubuntu-latest
12 |     steps:
13 |       - uses: actions/checkout@v4
14 |         with:
15 |           fetch-depth: 0
16 |       - uses: actions/setup-python@v5
17 |         with:
18 |           python-version: 3.x
19 |       - uses: actions/cache@v2
20 |         with:
21 |           key: ${{ github.ref }}
22 |           path: .cache
23 |       - name: Install Dependencies
24 |         run: pip install mkdocs-material mkdocs-redirects
25 |       - run: mkdocs gh-deploy --force --clean
26 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | __pycache__
2 | env
3 | .vscode
4 | _site/
5 | .DS_Store
6 | venv/
7 | 


--------------------------------------------------------------------------------
/.markdownlint.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | no-trailing-punctuation: false
 3 | no-inline-html: false
 4 | first-line-heading: false
 5 | link-fragments: false
 6 | 
 7 | # MD013 - Line length
 8 | MD013:
 9 |   code_block_line_length: 125
10 |   code_blocks: true
11 |   heading_line_length: 100
12 |   #heading_line_length: 80
13 |   headings: true
14 |   # line_length: 125
15 |   line_length: 2048
16 |   stern: true
17 |   strict: false
18 |   tables: true


--------------------------------------------------------------------------------
/.spellcheck.yaml:
--------------------------------------------------------------------------------
 1 | matrix:
 2 | - name: Markdown
 3 |   aspell:
 4 |     lang: en
 5 |   dictionary:
 6 |     wordlists:
 7 |     - .wordlist.txt
 8 |     output: wordlist.dic
 9 |     encoding: utf-8
10 |   pipeline:
11 |   - pyspelling.filters.markdown:
12 |       markdown_extensions:
13 |       - pymdownx.superfences:
14 |   - pyspelling.filters.html:
15 |       comments: false
16 |       ignores:
17 |       - code
18 |       - pre
19 |   sources:
20 |   - 'docs/**/*.md'
21 |   default_encoding: utf-8


--------------------------------------------------------------------------------
/.wordlist.txt:
--------------------------------------------------------------------------------
  1 | 
  2 | AAL
  3 | ABAC
  4 | Abdessamad
  5 | Adriaan
  6 | AES
  7 | allowlist
  8 | allowlisting
  9 | Allowlisting
 10 | Andreas
 11 | AntiXssEncoder
 12 | AntiXSSEncoder
 13 | APIs
 14 | AppSec
 15 | Aref
 16 | ASVS
 17 | authenticator
 18 | autobinding
 19 | backend
 20 | Baillon
 21 | bcrypt
 22 | biometrics
 23 | Biometrics
 24 | Braiterman
 25 | BSIMM
 26 | caniuse
 27 | Caniuse
 28 | canonicalization
 29 | Canonicalization
 30 | Capellan
 31 | Cassio
 32 | cd
 33 | cheatsheets
 34 | cheatsheetseries
 35 | Checkov
 36 | Chih
 37 | Chorzevski
 38 | CIS
 39 | CLI
 40 | clickjacking
 41 | Clickjacking
 42 | Cloudmapper
 43 | Coiro
 44 | ColdFusion
 45 | conf
 46 | config
 47 | CORS
 48 | Coursera
 49 | crypto
 50 | cryptographic
 51 | cryptographically
 52 | CSP
 53 | CSRF
 54 | CSRF
 55 | CVE
 56 | CWE
 57 | Cx
 58 | Cybuck
 59 | Cyrille
 60 | DAC
 61 | danielmiessler
 62 | Datz
 63 | de
 64 | decrypt
 65 | denylist
 66 | denylisting
 67 | Denylisting
 68 | Der
 69 | deserialization
 70 | deserialize
 71 | deserializes
 72 | DevOps
 73 | DevOpsSec
 74 | DevSecOps
 75 | DevSlop
 76 | DNS
 77 | docx
 78 | DOM
 79 | DOMPurify
 80 | Dracea
 81 | DSS
 82 | DTOs
 83 | Elnaggar
 84 | Escaper
 85 | Estrin
 86 | EU's
 87 | Eyal
 88 | Fenstrom
 89 | Frédéric
 90 | Fujimoto
 91 | Gaz
 92 | GDPR
 93 | github
 94 | GitRob
 95 | Goldschmidt
 96 | goto
 97 | Grandval
 98 | Graziani
 99 | Grossman
100 | HackerCombat
101 | Happe
102 | Hashicorp
103 | Hashicorp's
104 | Heyes
105 | Hidenori
106 | Hiroaki
107 | Hiroshi
108 | Hsiang
109 | HSTS
110 | Hsu
111 | html
112 | httpOnly
113 | https
114 | HTTPS
115 | IaC
116 | ideation
117 | IDOR
118 | iframes
119 | intransparency
120 | io
121 | ISC
122 | Ishaq
123 | Ivashchenko
124 | Jasmin
125 | JavaScript
126 | JEA
127 | JEP
128 | JIT
129 | Joubert
130 | JS
131 | JSON
132 | JSR
133 | JWS
134 | JWT
135 | JWTs
136 | keychain
137 | keystore
138 | KeyWhiz
139 | KICS
140 | KMS
141 | Koichiro
142 | Kubernetes
143 | Kubescape
144 | Kuramochi
145 | Kyverno
146 | LDAP
147 | Libsodium
148 | linkedin
149 | localhost
150 | Mair
151 | Manico
152 | Massimiliano
153 | MASVS
154 | Microservices
155 | Miessler
156 | misconfiguration
157 | Misconfiguration
158 | misconfigure
159 | mkdocs
160 | Mohammed
161 | nabla
162 | Nagai
163 | NCSC
164 | NIST
165 | nonces
166 | NoSQL
167 | NVD
168 | OAuth
169 | OKADA
170 | oneconsult's
171 | OPC
172 | OpenSAMM
173 | OpenSSF
174 | OQL
175 | ORM
176 | Osama
177 | OTP
178 | owasp
179 | OWASP
180 | Pagel
181 | parametrization
182 | parametrized
183 | PassKeys
184 | PCI
185 | pdf
186 | PHPNW
187 | PII
188 | plaintext
189 | pptx
190 | precautious
191 | programmatically
192 | py
193 | RBAC
194 | RCE
195 | reactively
196 | realtime
197 | ReDoS
198 | Referer
199 | Riotaro
200 | Ristic
201 | RNG
202 | runtime
203 | Saft
204 | SameSite
205 | SAMM
206 | sandbopxing
207 | sandboxing
208 | Sanitization
209 | SAST
210 | SBOM
211 | SBOMs
212 | SCA
213 | scalability
214 | SecLists
215 | securitypatterns
216 | Shaheed
217 | ShareAlike
218 | Snyk
219 | Soares
220 | SQLi
221 | Sqlmap
222 | src
223 | SSL
224 | SSLLabs
225 | sslyze
226 | SSLyze
227 | SSO
228 | SSRF
229 | SSRFmap
230 | SSTI
231 | Taras
232 | TechBeacon
233 | Teil
234 | Temmar
235 | templating
236 | Terraform
237 | Terrascan
238 | testssl
239 | Tfsec
240 | ThreeHoolagins
241 | ThunderSon
242 | Timo
243 | Tink
244 | TLS
245 | TLSv
246 | Transformative
247 | Trivy
248 | TruffleHog
249 | UCDavies
250 | UI
251 | unencrypted
252 | untrusted
253 | Validator
254 | Vanhilst
255 | venv
256 | verifier
257 | Vries
258 | Watanabe
259 | WebAuthn
260 | WebCams
261 | webhooks
262 | WrongSecrets
263 | www
264 | XEE
265 | XFO
266 | XSS
267 | Zend
268 | Zend
269 | Zudilin
270 | reimplement
271 | StrideGPT
272 | Jaskirat
273 | Kron
274 | Lukas
275 | Weichselbaum
276 | cowsecurity
277 | joonakokkola
278 | untracked


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # OWASP Top 10 Proactive Controls
2 | 
3 | The OWASP Top Ten Proactive Controls is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development.
4 | 
5 | The web page can be found at: 
6 | https://owasp.org/www-project-proactive-controls/
7 | 


--------------------------------------------------------------------------------
/docs/CNAME:
--------------------------------------------------------------------------------
1 | top10proactive.owasp.org


--------------------------------------------------------------------------------
/docs/archive/2014/index.md:
--------------------------------------------------------------------------------
 1 | # OWASP Top 10 Proactive Controls v1/2014
 2 | 
 3 | - OWASP-2014-C1: Parameterize Queries
 4 | - OWASP-2014-C2: Encode Data
 5 | - OWASP-2014-C3: Validate All Inputs
 6 | - OWASP-2014-C4: Implement Appropriate Access Controls
 7 | - OWASP-2014-C5: Establish Identity and Authentication Controls
 8 | - OWASP-2014-C6: Protect Data and Privacy
 9 | - OWASP-2014-C7: Implement Logging, Error Handling and Intrusion Detection
10 | - OWASP-2014-C8: Leverage Security Features of Frameworks and Security Libraries
11 | - OWASP-2014-C9: Include Security-Specific Requirements
12 | - OWASP-2014-C10: Design and Architect Security In
13 | 


--------------------------------------------------------------------------------
/docs/archive/2016/in-the-news.md:
--------------------------------------------------------------------------------
 1 | # OWASP Top 10 Proactive Controls 2016 in the News
 2 | 
 3 | ## 2017
 4 | 
 5 | - \[11 Aug 2017\] Presented at [Northeast PHP Conference](https://northeastphp2017.sched.com/event/B6uo/owasp-top-10-proactive-controls-2016)
 6 | - \[25 July 2017\] Podcast about at [OWASP Top 10 Proactive Controls](https://www.appsecpodcast.org/2017/07/25/the-owasp-top-10-proactive-controls/)
 7 | - \[12 May 2017\] Presented at [AppSec EU'17 -    Belfast](https://appseceurope2017.sched.com/event/A652/the-path-of-secure-software)
 8 | - \[14 Feb 2017\] Featured in [Managing Cloud Infrastructure to Prevent Security    Gaps](http://wwpi.com/2017/02/14/managing-cloud-infrastructure-to-prevent-security-gaps/)
 9 | - \[Feb 2017 \] Featured in "[Application Security Program: Protect    Against Data Breaches](http://assets.unisys.com/Documents/Global/POVPapers/POV_170062_ApplicationSecurityProgramProtectAgainstDataBreaches.pdf)"
10 | 
11 | ## 2016
12 | 
13 | The OWASP Top 10 Proactive Controls 2016 (v2) were released on Jan 14, 2016.
14 | 
15 | - \[1 Oct 2016\] Presented at [PHPNW16](http://conference.phpnw.org.uk/phpnw16/speakers/katy-anton/)
16 | - \[5 July 2016\] Featured in [Incorporating Security Best Practices     into Agile   Teams](https://www.thoughtworks.com/insights/blog/incorporating-security-best-practices-agile-teams)
17 | - \[June 2016 \] Featured in [A Transformative Approach to Secure    Systems    Delivery](http://www.booz-allen.co.in/content/dam/boozallen/documents/Viewpoints/2016/06/transformative-approach-to-secure-systems-delivery.pdf)
18 | - \[2 June 2016\] Featured in [DevOpsSec - Securing Software through    Continuous    Delivery](http://www.oreilly.com/webops-perf/free/devopssec.csp)
19 | 


--------------------------------------------------------------------------------
/docs/archive/2016/index.md:
--------------------------------------------------------------------------------
 1 | # OWASP Top 10 Proactive Controls v2 (2016)
 2 | 
 3 | You can download an English version of the OWASP Top 10 Proactive Controls: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v2/OWASP_Top_10_Proactive_Controls_V2.pdf), [docx](https://github.com/OWASP/www-project-proactive-controls/blob/master/v2/OWASP_Top_10_Proactive_Controls_-_V2.0.docx), [pptx](https://github.com/OWASP/www-project-proactive-controls/blob/master/v2/OWASP_Top_Ten_Proactive_Controls_v2.pptx).
 4 | 
 5 | ## OWASP Top 10 Proactive Controls 2016:
 6 | 
 7 | - OWASP-2016-C1: Verify for Security Early and Often
 8 | - OWASP-2016-C2: Parameterize Queries
 9 | - OWASP-2016-C3: Encode Data
10 | - OWASP-2016-C4: Validate All Inputs
11 | - OWASP-2016-C5: Implement Identity and Authentication Controls
12 | - OWASP-2016-C6: Implement Appropriate Access Controls
13 | - OWASP-2016-C7: Protect Data
14 | - OWASP-2016-C8: Implement Logging and Intrusion Detection
15 | - OWASP-2016-C9: Leverage Security Frameworks and Libraries
16 | - OWASP-2016-C10: Error and Exception Handling
17 | 
18 | ## Available Translations
19 | 
20 | In alphabetical order:
21 | 
22 | - Chinese: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v2/OWASPTop10ProactiveControls2016-Chinese.pdf)
23 | - Hebrew: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v2/OWASP_Proactive_Controls_2-Hebrew.pdf)
24 | - Japanese: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v2/OWASPTop10ProactiveControls2016-Japanese.pdf)
25 | - Simplified Chinese: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v2/OWASPTop10ProactiveControls2016-SimplifiedChinese.pdf)
26 | 


--------------------------------------------------------------------------------
/docs/archive/2018/0x01-about-owasp.md:
--------------------------------------------------------------------------------
 1 | # About OWASP
 2 | 
 3 | !!! warning "New Version Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. The current version is the [OWASP Top 10 Proactive Controls 2024](./../2024/introduction/about-owasp.md)!
 6 | 
 7 | The *Open Web Application Security Project* (OWASP) is a 501c3 non for profit educational charity dedicated to enabling organizations to design, develop, acquire, operate, and maintain secure software. All OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We can be found at [www.owasp.org](https://www.owasp.org).
 8 | 
 9 | OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost effective information about application security.
10 | 
11 | OWASP is not affiliated with any technology company. Similar to many open source software projects, OWASP produces many types of materials in a collaborative and open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.
12 | 


--------------------------------------------------------------------------------
/docs/archive/2018/0x02-about-project.md:
--------------------------------------------------------------------------------
 1 | # About this Project
 2 | 
 3 | !!! warning "New Version Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. The current version is the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md)!
 6 | 
 7 | Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
 8 | 
 9 | ## Aim & Objective
10 | 
11 | The goal of the **OWASP Top 10 Proactive Controls project** (OPC) is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations. We hope that the OWASP Proactive Controls is useful to your efforts in building secure software.
12 | 
13 | ## Call to Action
14 | 
15 | Please don’t hesitate to contact the OWASP Proactive Control project with your questions, comments, and ideas, either publicly to our email list or privately to [Jim Manico](mailto:jim@owasp.org).
16 | 
17 | ## Copyright and Licence
18 | 
19 | This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work.
20 | 
21 | ## Project Leaders  
22 | 
23 | * Katy Anton
24 | * Jim Bird
25 | * Jim Manico
26 | 
27 | ## Contributors
28 | 
29 | * Chris Romeo    | Dan Anderson    |  David Cybuck
30 | * Dave Ferguson | Josh Grossman | Osama Elnaggar
31 | * Colin Watson   | Rick Mitchell   |  And many more…  
32 | 


--------------------------------------------------------------------------------
/docs/archive/2018/0x03-about-structure.md:
--------------------------------------------------------------------------------
 1 | # Document Structure
 2 | 
 3 | !!! warning "New Version Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. The current version is the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md)!
 6 | 
 7 | This document is structured as a list of security controls. Each control is described as follows:
 8 | 
 9 | ## Cx: Control Name
10 | 
11 | ### Description
12 | 
13 | A detailed description of the control including some best practices to consider.
14 | 
15 | ### Implementation
16 | 
17 | Implementation best practices  and examples to illustrate how to implement each control.
18 | 
19 | ### Vulnerabilities Prevented
20 | 
21 | List of prevented vulnerabilities or risks addressed (OWASP TOP 10 Risk, CWE, etc.)
22 | 
23 | ### References
24 | 
25 | List of references for further study (OWASP Cheat sheet, Security Hardening Guidelines, etc.)
26 | 
27 | ### Tools
28 | 
29 | Set of tools/projects to easily introduce/integrate security controls into your software.
30 | 


--------------------------------------------------------------------------------
/docs/archive/2018/0x04-introduction.md:
--------------------------------------------------------------------------------
 1 | # Introduction
 2 | 
 3 | !!! warning "New Version Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. The current version is the [OWASP Top 10 Proactive Controls 2024](./../2024/the-top-10/index.md)!
 6 | 
 7 | The OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be considered for every software development project. This document is written for developers to assist those new to secure development.
 8 | 
 9 | One of the main goals of this document is to provide concrete practical guidance that helps developers build secure software. These techniques should be applied proactively at the early stages of software development to ensure maximum effectiveness.
10 | 
11 | ## The Top 10 Proactive Controls
12 | 
13 | The list is ordered by importance with list item number 1 being the most important:
14 | 
15 | * OWASP-2018-C1: Define Security Requirements
16 | * OWASP-2018-C2: Leverage Security Frameworks and Libraries
17 | * OWASP-2018-C3: Secure Database Access
18 | * OWASP-2018-C4: Encode and Escape Data
19 | * OWASP-2018-C5: Validate All Inputs
20 | * OWASP-2018-C6: Implement Digital Identity
21 | * OWASP-2018-C7: Enforce Access Controls
22 | * OWASP-2018-C8: Protect Data Everywhere
23 | * OWASP-2018-C9: Implement Security Logging and Monitoring
24 | * OWASP-2018-C10: Handle All Errors and Exceptions
25 | 
26 | ## How this List Was Created
27 | 
28 | This list was originally created by the current project leads with contributions from several volunteers. The document was then shared globally so even anonymous suggestions could be considered. Hundreds of changes were accepted from this open community process.
29 | 
30 | ## Target Audience
31 | 
32 | This document is primarily written for developers. However, development managers, product owners, Q/A professionals, program managers, and anyone involved in building software can also benefit from this document.
33 | 
34 | ## How to Use this Document
35 | 
36 | This document is intended to provide initial awareness around building secure software. This document will also provide a good foundation of topics to help drive introductory software security developer training. These controls should be used consistently and thoroughly throughout all applications. However, this document should be seen as a starting point rather than a comprehensive set of techniques and practices. A full secure development process should include comprehensive requirements from a standard such as the OWASP ASVS in addition to including a range of software development activities described in maturity models such as [OWASP SAMM](https://www.owasp.org/index.php/OWASP_SAMM_Project) and [BSIMM](https://www.bsimm.com/).
37 | 
38 | ## Link to the OWASP Top 10 Project
39 | 
40 | The OWASP Top 10 Proactive Controls is similar to the [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) but is focused on defensive techniques and controls as opposed to risks. Each technique or control in this document will map to one or more items in the *risk based* OWASP Top 10. This mapping information is included at the end of each control description.
41 | 


--------------------------------------------------------------------------------
/docs/archive/2018/c1-security-requirements.md:
--------------------------------------------------------------------------------
 1 | # C1: Define Security Requirements
 2 | 
 3 | !!! warning "New Version of the Control Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. You can find information about the same control within the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md) within [C4: Address Security from the Start](./../2024/the-top-10/c4-secure-architecture.md)!
 6 | 
 7 | ## Description
 8 | 
 9 | A security requirement is a statement of needed security functionality that ensures one of many different security properties of software is being satisfied. Security requirements are derived from industry standards, applicable laws, and a history of past vulnerabilities. Security requirements define new features or additions to existing features to solve a specific security problem or eliminate a potential vulnerability.
10 | 
11 | Security requirements provide a foundation of vetted security functionality for an application. Instead of creating a custom approach to security for every application, standard security requirements allow developers to reuse the definition of security controls and best practices. Those same vetted security requirements provide solutions for security issues that have occurred in the past. Requirements exist to prevent the repeat of past security failures.
12 | 
13 | ### The OWASP ASVS
14 | 
15 | [The OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/) is a catalog of available security requirements and verification criteria. OWASP ASVS  can be a source of detailed security requirements for development teams.
16 | 
17 | Security requirements are categorized into different buckets based on a shared higher order security function. For example, the ASVS contains categories such as authentication, access control, error handling / logging, and web services. Each category contains a collection of requirements that represent the best practices for that category drafted as verifiable statements.
18 | 
19 | ### Augmenting Requirements with User Stories and Misuse Cases
20 | 
21 | The ASVS requirements are basic verifiable statements which can be expanded upon with user stories and misuse cases. The advantage of a user story or misuse case is that it ties the application to exactly what the user or attacker does to the system, versus describing what the system offers to the user.
22 | 
23 | Here is an example of expanding on an ASVS 3.0.1 requirement. From the "Authentication Verification Requirements" section of ASVS 3.0.1, requirement 2.19 focuses on default passwords.
24 | 
25 |     2.19 Verify there are no default passwords in use for the application framework 
26 |         or any components used by the application (such as "admin/password").
27 | 
28 | This requirement contains both an action to verify that no default passwords exist, and also carries with it the guidance that no default passwords should be used within the application.
29 | 
30 | A user story focuses on the perspective of the user, administrator, or attacker of the system, and describes functionality based on what a user wants the system to do for them. A user story takes the form of "As a user, I can do x, y, and z".
31 | 
32 |     As a user, I can enter my username and password to gain access to the application.
33 |     As a user, I can enter a long password that has a maximum of 1023 characters.
34 | 
35 | When the story is focused on the attacker and their actions, it is referred to as a misuse case.
36 | 
37 |     As an attacker, I can enter in a default username and password to gain access.
38 | 
39 | This story contains the same message as the traditional requirement from ASVS, with additional user or attacker details to help make the requirement more testable.
40 | 
41 | ## Implementation
42 | 
43 | Successful use of security requirements involves four steps. The process includes discovering / selecting, documenting, implementing, and then confirming correct implementation of new security features and functionality within an application.
44 | 
45 | ### Discovery and Selection
46 | 
47 | The process begins with discovery and selection of security requirements. In this phase, the developer is understanding security requirements from a standard source such as ASVS and choosing which requirements to include for a given release of an application. The point of discovery and selection is to choose a manageable number of security requirements for this release or sprint, and then continue to iterate for each sprint, adding more security functionality over time.
48 | 
49 | ### Investigation and Documentation
50 | 
51 | During investigation and documentation, the developer reviews the existing application against the new set of security requirements to determine whether the application currently meets the requirement or if some development is required. This investigation culminates in the documentation of the results of the review.
52 | 
53 | ### Implementation Phase
54 | 
55 | After the need is determined for development, the developer must now modify the application in some way to add the new functionality or eliminate an insecure option. In this phase the developer first determines the design required to address the requirement, and then completes the code changes to meet the requirement.
56 | 
57 | ### Test
58 | 
59 | Test cases should be created to confirm the existence of the new functionality or disprove the existence of a previously insecure option.
60 | 
61 | ## Vulnerabilities Prevented
62 | 
63 | Security requirements define the security functionality of an application. Better security built in from the beginning of an applications life cycle results in the prevention of many types of vulnerabilities.
64 | 
65 | ## References
66 | 
67 | * [OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/)
68 | * [OWASP Mobile Application Security Verification Standard (MASVS)](https://owasp.org/www-project-mobile-security-testing-guide/)
69 | * [OWASP Top Ten](https://owasp.org/www-project-top-ten/)
70 | 


--------------------------------------------------------------------------------
/docs/archive/2018/c10-errors-exceptions.md:
--------------------------------------------------------------------------------
 1 | # C10: Handle all Errors and Exceptions
 2 | 
 3 | !!! warning "New Version of the Control Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. You can find information about the same control within the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md) within [C3: Validate all Input & Handle Exceptions](./../2024/the-top-10/c3-validate-input-and-handle-exceptions.md)!
 6 | 
 7 | ## Description
 8 | 
 9 | Exception handling is a programming concept that allows an application to respond to different error states (like network down, or database connection failed, etc) in various ways. Handling exceptions and errors correctly is critical to making your code reliable and secure.
10 | 
11 | Error and exception handling occurs in all areas of an application including critical business logic as well as security features and framework code.
12 | 
13 | Error handling is also important from an intrusion detection perspective. Certain attacks against your application may trigger errors which can help detect attacks in progress.
14 | 
15 | ## Error Handling Mistakes
16 | 
17 | Researchers at the University of Toronto have found that even small mistakes in error handling or forgetting to handle errors can lead to [catastrophic failures in distributed systems](https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-yuan.pdf).
18 | 
19 | Mistakes in error handling can lead to different kinds of security vulnerabilities.
20 | 
21 | * **Information leakage**: Leaking sensitive information in error messages can unintentionally help attackers. For example, an error that returns a stack trace or other internal error details can provide an attacker with information about your environment. Even small differences in handling different error conditions (e.g., returning "invalid user" or "invalid password" on authentication errors) can provide valuable clues to attackers. As described above, be sure to log error details for forensics and debugging purposes, but don’t expose this information, especially to an external client.
22 | * **TLS bypass**:  The [Apple goto "fail bug"](https://www.dwheeler.com/essays/apple-goto-fail.html) was a control-flow error in error handling code that lead to a complete compromise of TLS connections on apple systems.
23 | * **DOS**: A lack of basic error handling can lead to system shutdown. This is usually a fairly easy vulnerability for attackers to exploit. Other error handling problems could lead to increased usage of CPU or disk in ways that could degrade the system.
24 | 
25 | ## Positive Advice
26 | 
27 | * Manage exceptions in a [centralized manner](https://www.owasp.org/index.php/Error_Handling#Centralised_exception_handling_.28Struts_Example.29) to avoid duplicated try/catch blocks in the code. Ensure that all unexpected behavior is correctly handled inside the application.
28 | * Ensure that error messages displayed to users do not leak critical data, but are still verbose enough to enable the proper user response.
29 | * Ensure that exceptions are logged in a way that gives enough information for support, QA, forensics or incident response teams to understand the problem.
30 | * Carefully test and verify error handling code.
31 | 
32 | ## References
33 | 
34 | * [OWASP Code Review Guide: Error Handling](https://www.owasp.org/index.php/Error_Handling)
35 | * [OWASP Testing Guide: Testing for Error Handling](https://www.owasp.org/index.php/Testing_for_Error_Handling)
36 | * [OWASP Improper Error Handling](https://www.owasp.org/index.php/Improper_Error_Handling)
37 | * [CWE 209: Information Exposure Through an Error Message](https://cwe.mitre.org/data/definitions/209.html)
38 | * [CWE 391: Unchecked Error Condition](https://cwe.mitre.org/data/definitions/391.html)
39 | 
40 | ## Tools
41 | 
42 | * [Error Prone](http://errorprone.info/)  - A static analysis tool from Google to catch common mistakes in error handling for Java developers
43 | * One of the most famous automated tools for finding errors at runtime is [Netflix's Chaos Monkey](https://github.com/Netflix/SimianArmy), which intentionally disables system instances to ensure that the overall service will recover correctly.
44 | 


--------------------------------------------------------------------------------
/docs/archive/2018/c2-leverage-security-frameworks-libraries.md:
--------------------------------------------------------------------------------
 1 | # C2: Leverage Security Frameworks and Libraries
 2 | 
 3 | !!! warning "New Version of the Control Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. You can find information about the same control within the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md) within [C6: Keep your Components Secure](./../2024/the-top-10/c6-use-secure-dependencies.md)!
 6 | 
 7 | ## Description
 8 | 
 9 | Secure coding libraries and software frameworks with embedded security help software developers guard against security-related design and implementation flaws. A developer writing an application from scratch might not have sufficient knowledge, time, or budget to properly implement or maintain security features. Leveraging security frameworks helps accomplish security goals more efficiently and accurately.
10 | 
11 | ## Implementation Best Practices
12 | 
13 | When incorporating third party libraries or frameworks into your software, it is important to consider the following best practices:
14 | 
15 | 1. Use libraries and frameworks from trusted sources that are actively maintained and widely used by many applications.
16 | 2. Create and maintain an inventory catalog of all the third party libraries.
17 | 3. Proactively keep libraries and components up to date. Use a tool like [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/) and [Retire.JS](https://retirejs.github.io/retire.js/) to identify project dependencies and check if there are any known, publicly disclosed vulnerabilities for all third party code.
18 | 4. Reduce the attack surface by encapsulating the library and expose only the required behaviour into your software.
19 | 
20 | ## Vulnerabilities Prevented
21 | 
22 | Secure frameworks and libraries can help to prevent a wide range of web application vulnerabilities. It is critical to keep these frameworks and libraries up to date as described in the [using components with known vulnerabilities [Top Ten 2017 risks](https://owasp.org/www-project-top-ten/).
23 | 
24 | ## Tools
25 | 
26 | * [OWASP Dependency Check](https://owasp.org/www-project-dependency-check/) - identifies project dependencies and checks for publicly disclosed vulnerabilities
27 | * [Retire.JS](http://retirejs.github.io/retire.js/) scanner for JavaScript libraries
28 | 


--------------------------------------------------------------------------------
/docs/archive/2018/c3-secure-database.md:
--------------------------------------------------------------------------------
 1 | # C3: Secure Database Access
 2 | 
 3 | !!! warning "New Version of the Control Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. You can find information about the same control within the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md) within [C3: Validate all Input & Handle Exceptions](./../2024/the-top-10/c3-validate-input-and-handle-exceptions.md)!
 6 | 
 7 | ## Description
 8 | 
 9 | This section describes secure access to all data stores, including both relational databases and NoSQL databases. Some areas to consider:
10 | 
11 | 1. Secure queries
12 | 2. Secure configuration
13 | 3. Secure authentication
14 | 4. Secure communication
15 | 
16 | ### Secure Queries
17 | 
18 | SQL Injection occurs when untrusted user input is dynamically added to a SQL query in an insecure manner, often via basic string concatenation. SQL Injection is one of the most dangerous application security risks. SQL Injection is easy to exploit and could lead to the entire database being stolen, wiped, or modified. The application can even be used to run dangerous commands against the operating system hosting your database, thereby giving an attacker a foothold on your network.
19 | 
20 | In order to mitigate SQL injection, untrusted input should be prevented from being interpreted as part of a SQL command. The best way to do this is with the programming technique known as 'Query Parametrization'. This defense should be applied to SQL, OQL, as well as stored procedure construction.
21 | 
22 | A good list of query parametrization examples in ASP, ColdFusion, C#, Delphi, .NET, Go, Java, Perl, PHP, PL/SQL, PostgreSQL, Python, R, Ruby and Scheme can be found at [https://bobby-tables.com](https://bobby-tables.com/) and the [OWASP Cheat Sheet on Query Parametrization](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html).
23 | 
24 | #### Caution on Query Parametrization
25 | 
26 | Certain locations in a database query can not be used with parametrization. These locations are different for each database vendor. Be certain to do very careful exact-match validation or manual escaping when confronting database query parameters that cannot be bound to a parametrized query. Also, while the use of parametrized queries largely has a positive impact on performance, certain parametrized queries in specific database implementations will affect performance negatively. Be sure to test queries for performance; especially complex queries with extensive like clause or text searching capabilities.
27 | 
28 | ### Secure Configuration
29 | 
30 | Unfortunately, database management systems do not always ship in a "secure by default" configuration. Care must be taken to ensure that the security controls available from the Database Management System (DBMS) and hosting platform are enabled and properly configured. There are standards, guides, and benchmarks available for most common DBMS.
31 | 
32 | A quick guidance on providing a secure configuration can be found in the [Database Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html#database-configuration-and-hardening).
33 | 
34 | ### Secure Authentication
35 | 
36 | All access to the database should be properly authenticated. Authentication to the DBMS should be accomplished in a secure manner. Authentication should take place only over a secure channel. Credentials must be properly secured and available for use.
37 | 
38 | A quick guidance on providing a secure authentication process can be found in the [Database Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html#authentication).
39 | 
40 | ### Secure Communication
41 | 
42 | Most DBMS support a variety of communications methods (services, APIs, etc) - secure (authenticated, encrypted) and insecure (unauthenticated or unencrypted). It is a good practice to only use the secure communications options per the *Protect Data Everywhere* control.
43 | 
44 | A quick guidance on providing a secure communication mean can be found in the [Database Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html#connecting-to-the-database).
45 | 
46 | ## Vulnerabilities Prevented
47 | 
48 | * [OWASP Top 10 2021-A3: Injection](https://owasp.org/Top10/A03_2021-Injection/)
49 | * [OWASP Mobile Top 10 2014-M1 Weak Server Side Controls](https://www.owasp.org/index.php/Mobile_Top_10_2014-M1)
50 | 
51 | ## References
52 | 
53 | * [OWASP Cheat Sheet: Query Parametrization](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
54 | * [OWASP Cheat Sheet: Database Security](https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html)
55 | * [Bobby Tables: A guide to preventing SQL injection](http://bobby-tables.com/)
56 | * [CIS Database Hardening Standards](https://www.cisecurity.org/cis-benchmarks/)
57 | 


--------------------------------------------------------------------------------
/docs/archive/2018/c4-encode-escape-data.md:
--------------------------------------------------------------------------------
 1 | # C4: Encode and Escape Data
 2 | 
 3 | !!! warning "New Version of the Control Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. You can find information about the same control within the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md) within [C3: Validate all Input & Handle Exceptions](./../2024/the-top-10/c3-validate-input-and-handle-exceptions.md)!
 6 | 
 7 | ## Description
 8 | 
 9 | **Encoding** and escaping are defensive techniques meant to stop injection attacks. Encoding (commonly called "Output Encoding") involves translating special characters into some different but equivalent form that is no longer dangerous in the target interpreter, for example translating the ``<`` character into the ``&lt;`` string when writing to an HTML page. **Escaping** involves adding a special character before the character/string to avoid it being misinterpreted, for example, adding a ``\`` character before a ``"`` (double quote) character so that it is interpreted as text and not as closing a string.
10 | 
11 | Output encoding is best applied **just before** the content is passed to the target interpreter. If this defense is performed too early in the processing of a request then the encoding or escaping may interfere with the use of the content in other parts of the program. For example if you HTML escape content before storing that data in the database and the UI automatically escapes that data a second time then the content will not display properly due to being double escaped.
12 | 
13 | ### Contextual Output Encoding
14 | 
15 | Contextual output encoding is a crucial security programming technique needed to stop XSS. This defense is performed on output, when you're building a user interface, at the last moment before untrusted data is dynamically added to HTML. The type of encoding will depend on the location (or context) in the document where data is being displayed or stored. The different types of encoding that would be used for building secure user interfaces includes HTML Entity Encoding, HTML Attribute Encoding, JavaScript Encoding, and URL Encoding.
16 | 
17 | #### Java Encoding Examples
18 | 
19 | For examples of the OWASP Java Encoder providing contextual output encoding see: [OWASP Java Encoder Project Examples](https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Use_the_Java_Encoder_Project).
20 | 
21 | #### .NET Encoding Examples
22 | 
23 | Starting with .NET 4.5 , the Anti-Cross Site Scripting library is part of the framework, but not enabled by default. You can specify to use AntiXssEncoder from this library as the default encoder for your entire application using the `web.conf` settings. When applied is important to contextual encode your output - that means to use the right function from the AntiXSSEncoder library for the appropriate location of data in document.
24 | 
25 | #### PHP Encoding Examples
26 | 
27 | #### Zend Framework 2
28 | 
29 | In Zend Framework 2, ``Zend\Escaper`` can be used for encoding the output. For contextual encoding examples see [Context-specific escaping with Zend-Escaper](https://framework.zend.com/blog/2017-05-16-zend-escaper.html).
30 | 
31 | ### Other Types of Encoding and Injection Defense
32 | 
33 | Encoding/Escaping can be used to neutralize content against other forms of injection. For example, it's possible to neutralize certain special meta-characters when adding input to an operating system command. This is called "OS command escaping", "shell escaping", or similar. This defense can be used to stop "Command Injection" vulnerabilities.
34 | 
35 | There are other forms of escaping that can be used to stop injection such as XML attribute escaping stopping various forms of XML and XML path injection, as well as LDAP distinguished name escaping that can be used to stop various forms of LDAP injection.
36 | 
37 | ### Character Encoding and Canonicalization
38 | 
39 | Unicode Encoding is a method for storing characters with multiple bytes. Wherever input data is allowed, data can be entered using [Unicode](https://www.owasp.org/index.php/Unicode_Encoding) to disguise malicious code and permit a variety of attacks. [RFC 2279](https://tools.ietf.org/html/rfc2279) references many ways that text can be encoded.
40 | 
41 | Canonicalization is a method in which systems convert data into a simple or standard form.  Web applications commonly use character canonicalization to ensure all content is of the same character type when stored or displayed.
42 | 
43 | To be secure against canonicalization related attacks means an application should be safe when malformed Unicode and other malformed character representations are entered.
44 | 
45 | ## Vulnerabilities Prevented
46 | 
47 | * [OWASP Top 10 2017 - A1: Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection)
48 | * [OWASP Top 10 2017 - A7: Cross Site Scripting (XSS)](https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS))
49 | * [OWASP Mobile_Top_10_2014-M7 Client Side Injection](https://www.owasp.org/index.php/Mobile_Top_10_2014-M7)
50 | 
51 | ## References
52 | 
53 | * [XSS](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)) - General information
54 | * [OWASP Cheat Sheet: XSS Prevention](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet) - Stopping XSS in your web application
55 | * [OWASP Cheat Sheet: DOM based XSS Prevention](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet)
56 | * [OWASP Cheat Sheet: Injection Prevention](https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet)
57 | 
58 | ## Tools
59 | 
60 | * [OWASP Java Encoder Project](https://www.owasp.org/index.php/OWASP_Java_Encoder_Project)
61 | * [AntiXssEncoder](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.antixss.antixssencoder?redirectedfrom=MSDN&view=netframework-4.7.2)
62 | * [Zend\Escaper](https://framework.zend.com/blog/2017-05-16-zend-escaper.html) - examples of contextual encoding
63 | 


--------------------------------------------------------------------------------
/docs/archive/2018/c5-validate-inputs.md:
--------------------------------------------------------------------------------
  1 | # C5: Validate All Inputs
  2 | 
  3 | !!! warning "New Version of the Control Available!"
  4 | 
  5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. You can find information about the same control within the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md) within [C3: Validate all Input & Handle Exceptions](./../2024/the-top-10/c3-validate-input-and-handle-exceptions.md)!
  6 | 
  7 | ## Description
  8 | 
  9 | Input validation is a programming technique that ensures only properly formatted data may enter a software system component.
 10 | 
 11 | ### Syntax and Semantic Validity
 12 | 
 13 | An application should check that data is both *syntactically* and *semantically* valid (in that order) before using it in any way (including displaying it back to the user).
 14 | 
 15 | **Syntax validity** means that the data is in the form that is expected. For example, an application may allow a user to select a four-digit "account ID" to perform some kind of operation. The application should assume the user is entering a SQL injection payload, and should check that the data entered by the user is exactly four digits in length, and consists only of numbers (in addition to utilizing proper query parametrization).
 16 | 
 17 | **Semantic validity** includes only accepting input that is within an acceptable range for the given application functionality and context. For example, a start date must be before an end date when choosing date ranges.
 18 | 
 19 | ### Allowlisting vs Denylisting
 20 | 
 21 | There are two general approaches to performing input syntax validation, commonly known as allow and deny lists:
 22 | 
 23 | * **Denylisting** or **denylist validation*** attempts to check that given data does not contain "known bad" content. For example, a web application may block input that contains the exact text ``<SCRIPT>`` in order to help prevent XSS. However, this defense could be evaded with a lower case script tag or a script tag of mixed case.
 24 | * **Allowlisting** or **allowlist** validation attempts to check that a given data matches a set of "known good" rules. For example a allowlist validation rule for a US state would be a 2-letter code that is only one of the valid US states.
 25 | 
 26 | **Important**
 27 | When building secure software, allowlisting is the recommended minimal approach. Denylisting is prone to error and can be bypassed with various evasion techniques and can be dangerous when depended on by itself. Even though denylisting can often be evaded, it can often be useful to help detect obvious attacks. So while **allowlisting** helps limit the attack surface by ensuring data is of the right syntactic and semantic validity, **denylisting** helps detect and potentially stop obvious attacks.
 28 | 
 29 | ### Client side and Server side Validation
 30 | 
 31 | Input validation must always be done on the server-side for security. While client side validation can be useful for both functional and some security purposes, it can often be easily bypassed. This makes server-side validation even more fundamental to security. For example, JavaScript validation may alert the user that a particular field must consist of numbers but the server side application must validate that the submitted data only consists of numbers in the appropriate numerical range for that feature.
 32 | 
 33 | ### Regular Expressions
 34 | 
 35 | Regular expressions offer a way to check whether data matches a specific pattern. Let’s start with a basic example.
 36 | 
 37 | The following regular expression is used to define a allowlist rule to validate usernames.
 38 | 
 39 |     ^[a-z0-9_]{3,16}$
 40 | 
 41 | This regular expression allows only lowercase letters, numbers and the underscore character. The username is also restricted to a length of 3 and 16 characters.
 42 | 
 43 | #### Caution: Potential for Denial of Service
 44 | 
 45 | Care should be exercised when creating regular expressions. Poorly designed expressions may result in potential denial of service conditions (aka [ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS) ). Various tools can test to verify that regular expressions are not vulnerable to ReDoS.
 46 | 
 47 | #### Caution: Complexity
 48 | 
 49 | Regular expressions are just one way to accomplish validation. Regular expressions can be difficult to maintain or understand for some developers. Other validation alternatives involve writing validation methods programmatically which can be easier to maintain for some developers.
 50 | 
 51 | ### Limits of Input Validation
 52 | 
 53 | **Input validation does not always make data "safe" since certain forms of complex input may be "valid" but still dangerous. For example, a valid email address may contain a SQL injection attack or a valid URL may contain a Cross Site Scripting attack**. Additional defenses besides input validation should always be applied to data such as query parametrization or escaping.
 54 | 
 55 | ### Challenges of Validating Serialized Data
 56 | 
 57 | Some forms of input are so complex that validation can only minimally protect the application. For example, it's dangerous to deserialize untrusted data or data that can be manipulated by an attacker. The only safe architectural pattern is to not accept serialized objects from untrusted sources or to only deserialize in limited capacity for only simple data types. You should avoid processing serialized data formats and use easier to defend formats such as JSON when possible.
 58 | 
 59 | If that is not possible then consider a series of validation defenses when processing serialized data.
 60 | 
 61 | * Implement integrity checks or encryption of the serialized objects to prevent hostile object creation or data tampering.
 62 | * Enforce strict type constraints during deserialization before object creation; typically code is expecting a definable set of classes. Bypasses to this technique have been demonstrated.
 63 | * Isolate code that deserializes, such that it runs in very low privilege environments, such as temporary containers.
 64 | * Log security deserialization exceptions and failures, such as where the incoming type is not the expected type, or the deserialization throws exceptions.
 65 | * Restrict or monitor incoming and outgoing network connectivity from containers or servers that deserialize.
 66 | * Monitor deserialization, alerting if a user deserializes constantly.
 67 | 
 68 | ### Unexpected User Input (Mass Assignment)
 69 | 
 70 | Some frameworks support automatic binding of HTTP requests parameters to server-side objects used by the application. This auto-binding feature can allow an attacker to update server-side objects that were not meant to be modified. The attacker can possibly modify their access control level or circumvent the intended business logic of the application with this feature.
 71 | 
 72 | This attack has a number of names including: mass assignment, autobinding and object injection.
 73 | 
 74 | As a simple example, if the user object has a field named `privilege` which specifies the user's privilege level in the application, a malicious user can look for pages where user data is modified and add `privilege=admin` to the HTTP parameters sent.  If auto-binding is enabled in an insecure fashion, the server-side object representing the user will be modified accordingly.
 75 | 
 76 | Two approaches can be used to handle this:
 77 | 
 78 | * Avoid binding input directly and use Data Transfer Objects (DTOs) instead.
 79 | * Enable auto-binding but set up allowlist rules for each page or feature to define which fields are allowed to be auto-bound.
 80 | 
 81 | More examples are available in the [OWASP Mass Assignment Cheat Sheet](https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet).
 82 | 
 83 | ### Validating and Sanitizing HTML
 84 | 
 85 | Consider an application that needs to accept HTML from users (via a WYSIWYG editor that represents content as HTML or features that directly accept HTML in input). In this situation validation or escaping will not help.
 86 | 
 87 | * Regular expressions are not expressive enough to understand the complexity of HTML5.
 88 | * Encoding or escaping HTML will not help since it will cause the HTML to not render properly.
 89 | 
 90 | Therefore, you need a library that can parse and clean HTML formatted text. Please see the [XSS Prevention Cheat Sheet on HTML Sanitization](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job) for more information on HTML Sanitization.
 91 | 
 92 | ### Validation Functionality in Libraries and Frameworks
 93 | 
 94 | All languages and most frameworks provide validation libraries or functions which should be leveraged to validate data. Validation libraries typically cover common data types, length requirements, integer ranges, "is null" checks and more. Many validation libraries and frameworks allow you to define your own regular expression or logic for custom validation in a way that allows the programmer to leverage that functionality throughout your application. Examples of validation functionality include PHP’s [filter functions](https://secure.php.net/manual/en/filter.examples.validation.php) or the [Hibernate Validator](http://hibernate.org/validator/) for Java. Examples of HTML Sanitizers include [Ruby on Rails sanitize method](http://edgeapi.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html), [OWASP Java HTML Sanitizer](https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project) or [DOMPurify](https://github.com/cure53/DOMPurify).
 95 | 
 96 | ## Vulnerabilities Prevented
 97 | 
 98 | * Input validation reduces the attack surface of applications and can sometimes make attacks more difficult against an application.
 99 | * Input validation is a technique that provides security to certain forms of data, specific to certain attacks and cannot be reliably applied as a general security rule.
100 | * Input validation should not be used as the primary method of preventing [XSS](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet), [SQL Injection](https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet) and other attacks.
101 | 
102 | ## References
103 | 
104 | * [OWASP Cheat Sheet: Input Validation](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
105 | * [OWASP Testing Guide: Testing for Input Validation](https://www.owasp.org/index.php/Testing_for_Input_Validation)
106 | 
107 | ## Tools
108 | 
109 | * [OWASP Java HTML Sanitizer Project](https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer)
110 | * [Java JSR-303/JSR-349 Bean Validation](http://beanvalidation.org/)
111 | * [Java Hibernate Validator](http://hibernate.org/validator/)
112 | * [JEP-290 Filter Incoming Serialization Data](http://openjdk.java.net/jeps/290)
113 | * [Apache Commons Validator](https://commons.apache.org/proper/commons-validator/)
114 | * PHP’s [filter functions](https://secure.php.net/manual/en/book.filter.php)
115 | 


--------------------------------------------------------------------------------
/docs/archive/2018/c7-enforce-access-controls.md:
--------------------------------------------------------------------------------
 1 | # C7: Enforce Access Controls
 2 | 
 3 | !!! warning "New Version of the Control Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. You can find information about the same control within the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md) within [C1: Implement Access Control](./../2024/the-top-10/c1-accesscontrol.md)!
 6 | 
 7 | ## Description
 8 | 
 9 | Access Control (or Authorization) is the process of granting or denying *specific requests* from a user, program, or process. Access control also involves the act of *granting and revoking those privileges*.
10 | 
11 | It should be noted that authorization (verifying access to specific features or resources) is not equivalent to authentication (verifying identity).
12 | 
13 | Access Control functionality often spans many areas of software depending on the complexity of the access control system. For example, managing access control metadata or building caching for scalability purposes are often additional components in an access control system that need to be built or managed.
14 | There are several different types of access control design that should be considered.
15 | 
16 | * Discretionary Access Control (DAC) is a means of restricting access to objects (e.g., files, data entities) based on the identity and need-to-know of subjects (e.g., users, processes) and/or groups to which the object belongs.
17 | * Mandatory Access Control (MAC) is a means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (i.e., clearance) of users to access information of such sensitivity.
18 | * Role Based Access Control (RBAC) is a model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.
19 | * Attribute Based Access Control (ABAC) will grant or deny user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized and more relevant to the policies at hand.
20 | 
21 | ## Access Control Design Principles
22 | 
23 | The following "positive" access control design requirements should be considered at the initial stages of application development.
24 | 
25 | ### 1) Design Access Control Thoroughly Up Front
26 | 
27 | Once you have chosen a specific access control design pattern, it is often difficult and time consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security design that must be thoroughly designed up front, especially when addressing requirements like multi-tenancy and horizontal (data dependent) access control.
28 | 
29 | Access Control design may start simple but can often grow into a complex and feature-heavy security control. When evaluating access control capability of software frameworks, ensure that your access control functionality will allow for customization for your specific access control feature need.
30 | 
31 | ### 2) Force All Requests to Go Through Access Control Checks
32 | 
33 | Ensure that all request go through some kind of access control verification layer. Technologies like Java filters or other automatic request processing mechanisms are ideal programming artifacts that will help ensure that all requests go through some kind of access control check.
34 | 
35 | ### 3) Deny by Default
36 | 
37 | Deny by default is the principle that if a request is not specifically allowed, it is denied. There are many ways that this rule will manifest in application code. Some examples of these are:
38 | 
39 | 1. Application code may throw an error or exception while processing access control requests. In these cases access control should always be denied.
40 | 2. When an administrator creates a new user or a user registers for a new account, that account should have minimal or no access by default until that access is configured.
41 | 3. When a new feature is added to an application all users should be denied to use that feature until it's properly configured.
42 | 
43 | ### 4) Principle of Least Privilege
44 | 
45 | Ensure that all users, programs, or processes are only given as least or as little necessary access as possible. Be wary of systems that do not provide granular access control configuration capabilities.
46 | 
47 | ### 5) Don't Hard-Code Roles
48 | 
49 | Many application frameworks default to access control that is role based. It is common to find application code that is filled with checks of this nature.
50 | 
51 | ```java
52 |     if (user.hasRole("ADMIN")) || (user.hasRole("MANAGER")) {
53 |         deleteAccount();
54 |     }
55 | ```
56 | 
57 | Be careful about this type of role-based programming in code. It has the following limitations or dangers.
58 | 
59 | * Role based programming of this nature is fragile. It is easy to create incorrect or missing role checks in code.
60 | * Role based programming does not allow for multi-tenancy. Extreme measures like forking the code or added checks for each customer will be required to allow role based systems to have different rules for different customers.
61 | * Role based programming does not allow for data-specific or horizontal access control rules.
62 | * Large code-bases with many access control checks can be difficult to audit or verify the overall application access control policy.
63 | 
64 | Instead, please consider the following access control programming methodology:
65 | 
66 | ```java
67 | 
68 |     if (user.hasAccess("DELETE_ACCOUNT")) {
69 |         deleteAccount();
70 |     }
71 | ```
72 | 
73 | Attribute or feature-based access control checks of this nature are the starting point to building well-designed and feature-rich access control systems. This type of programming also allows for greater access control customization capability over time.
74 | 
75 | ### 6) Log All Access Control Events
76 | 
77 | All access control failures should be logged as these may be indicative of a malicious user probing the application for vulnerabilities.
78 | 
79 | ## Vulnerabilities Prevented
80 | 
81 | * [OWASP Top 10 2017-A5-Broken Access Control](https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control)
82 | * [OWASP Mobile Top 10 2014-M5 Poor Authorization and Authentication](https://www.owasp.org/index.php/Mobile_Top_10_2014-M5)
83 | 
84 | ## References
85 | 
86 | * [OWASP Cheat Sheet: Access Control](https://www.owasp.org/index.php/Access_Control_Cheat_Sheet)
87 | * [OWASP Testing Guide: Testing for Authorization](https://www.owasp.org/index.php/Testing_for_Authorization)
88 | 
89 | ## Tools
90 | 


--------------------------------------------------------------------------------
/docs/archive/2018/c8-protect-data-everywhere.md:
--------------------------------------------------------------------------------
 1 | # C8: Protect Data Everywhere
 2 | 
 3 | !!! warning "New Version of the Control Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. You can find information about the same control within the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md) within [C2: Use Cryptography to Protect Data](./../2024/the-top-10/c2-crypto.md)!
 6 | 
 7 | 
 8 | ## Description
 9 | 
10 | Sensitive data such as passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws (EU's General Data Protection Regulation GDPR), financial data protection rules such as PCI Data Security Standard (PCI DSS) or other regulations.
11 | 
12 | Attackers can steal data from web and web-service applications in a number of ways. For example, if sensitive information in sent over the internet  without communications security, then an attacker on a shared wireless connection could see and steal another user's data. Also, an attacker could use SQL Injection to steal passwords and other credentials from an applications database and expose that information to the public.
13 | 
14 | ## Data Classification
15 | 
16 | It's critical to classify data in your system and determine which level of sensitivity each piece of data belongs to. Each data category can then be mapped to protection rules necessary for each level of sensitivity. For example, public marketing information that is not sensitive may be categorized as public data which is okay to place on the public website. Credit card numbers may be classified as private user data which may need to be encrypted while stored or in transit.
17 | 
18 | ## Encrypting Data in Transit
19 | 
20 | When transmitting sensitive data over any network, end-to-end communications security (or encryption-in-transit) of some kind should be considered. TLS is by far the most common and widely supported cryptographic protocol for communications security. It is used by many types of applications (web, web service, mobile) to communicate over a network in a secure fashion. TLS must be properly configured in a variety of ways in order to properly defend secure communications.
21 | 
22 | The primary benefit of transport layer security is the protection of web application data from unauthorized disclosure and modification when it is transmitted between clients (web browsers) and the web application server, and between the web application server and back end and other non-browser based enterprise components.
23 | 
24 | ## Encrypting Data at Rest
25 | 
26 | The first rule of sensitive data management is to avoid storing sensitive data when at all possible. If you must store sensitive data then make sure it's cryptographically protected in some way to avoid unauthorized disclosure and modification.
27 | 
28 | Cryptography (or crypto) is one of the more advanced topics of information security, and one whose understanding requires the most schooling and experience. It is difficult to get right because there are many approaches to encryption, each with advantages and disadvantages that need to be thoroughly understood by web solution architects and developers. In addition, serious cryptography research is typically based in advanced mathematics and number theory, providing a serious barrier to entry.
29 | 
30 | Instead of building cryptographic capability from scratch, it is strongly recommended that peer reviewed and open solutions be used, such as the [Google Tink](https://github.com/google/tink) project, [Libsodium](https://www.libsodium.org), and secure storage capability built into many software frameworks and cloud services.
31 | 
32 | ### Mobile Application: Secure Local Storage
33 | 
34 | Mobile applications are at particular risk of data leakage because mobile devices are regularly lost or stolen yet contain sensitive data.
35 | 
36 | As a general rule, only the minimum data required should be stored on the mobile device. But if you must store sensitive data on a mobile device, then sensitive data should be stored within each mobile operating systems specific data storage directory. On Android this will be the Android keystore and on iOS this will be the iOS keychain.
37 | 
38 | ### Secret Life Cycle
39 | 
40 | Secret keys can be used in a number of sensitive functions. For example, they can be used to sign JWTs, encrypt credit cards, sign hash, provide various forms of authentication and more. In managing keys, a number of precautious should be adhered including but not limited to the following:
41 | 
42 | * Ensure that any secret key is protected from unauthorized access
43 | * Store keys in a proper secrets vault as described in *Application Secrets Management*
44 | * Use independent keys when multiple keys are required
45 | * Build support for changing algorithms and keys when needed
46 | * Build application features to handle a key rotation
47 | 
48 | ### Secret Datatype
49 | 
50 | When an immutable datatype such as `string` is used to store secrets, secrets can remain plaintext in the memory for a long time.
51 | Even if you try to nullify the string value, it still remains in the memory.
52 | `string` is an immutable type and cannot be changed. When you modify a string (try to overwrite it), a new copy of it is created.
53 | This means another copy of the unprotected secret will remain in the memory.
54 | Furthermore, there is no guarantee when garbage collector is going to clean up the secret.
55 | This increases exposure of plaintext secrets in the memory.
56 | 
57 | If secrets remain unprotected in the memory, they can get disclosed on the disk or external log aggregators
58 | through a number of scenarios: server crash logs, caching, serialisation or memory paging.
59 | 
60 | A safe way to handle secret is by using **Read Once** pattern.
61 | Read once is a defensive design pattern where a value can be only accessed once. After the first read, value is cleared from memory, and subsequent access is not possible.
62 | For an example implementation see [this post](https://discuss.secdim.com/t/do-not-use-string-to-store-secret-it-gets-disclosed/247).
63 | 
64 | ### Application Secrets Management
65 | 
66 | Applications contain numerous "secrets" that are needed for security operations. These include certificates, SQL connection passwords, third party service account credentials, passwords, SSH keys, encryption keys and more. The unauthorized disclosure or modification of these secrets could lead to complete system compromise. In managing application secrets, consider the following.
67 | 
68 | * Don't store secrets in code, config files or pass them through environment variables. Use tools like [GitRob](https://github.com/michenriksen/gitrob) or [TruffleHog](https://github.com/dxa4481/truffleHog) to scan code repositories for secrets.
69 | * Keep keys and your other application-level secrets in a secrets vault like [KeyWhiz](https://github.com/square/keywhiz) or [Hashicorp's Vault project](https://www.vaultproject.io/) or [Amazon KMS](https://aws.amazon.com/kms/) to provide secure storage and access to application-level secrets at run-time.
70 | 
71 | ## Vulnerabilities Prevented
72 | 
73 | * [OWASP Top 10 2017 - A3: Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure)
74 | * [OWASP Mobile Top 10 2016 -M2: Insecure Data Storage](https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage)
75 | 
76 | ## References
77 | 
78 | * [OWASP Cheat Sheet: Transport Layer Protection](https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet)
79 | * [Ivan Ristic: SSL/TLS Deployment Best Practices](https://www.ssllabs.com/projects/best-practices/index.html)
80 | * [OWASP Cheat Sheet: HSTS](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet)
81 | * [OWASP Cheat Sheet: Cryptographic Storage](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)
82 | * [OWASP Cheat Sheet: Password Storage](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet)
83 | * [OWASP Testing Guide: Testing for TLS](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security)
84 | * [Do not use String to store secret. It gets disclosed](https://discuss.secdim.com/t/do-not-use-string-to-store-secret-it-gets-disclosed/247)
85 | 
86 | ## Tools
87 | 
88 | * [SSLyze](https://github.com/nabla-c0d3/sslyze) - SSL configuration scanning library and CLI tool
89 | * [SSLLabs](https://www.ssllabs.com/ssltest/) - Free service for scanning and checking TLS/SSL configuration
90 | * [OWASP O-Saft TLS Tool](https://www.owasp.org/index.php/O-Saft) - TLS connection testing tool
91 | * [GitRob](https://github.com/michenriksen/gitrob) - Command line tool to find sensitive information in publicly available files on GitHub
92 | * [TruffleHog](https://github.com/dxa4481/truffleHog)  - Searches for secrets accidentally committed
93 | * [KeyWhiz](https://github.com/square/keywhiz) - Secrets manager
94 | * [Hashicorp Vault](https://www.vaultproject.io/) - Secrets manager
95 | * [Amazon KMS](https://aws.amazon.com/kms/) - Manage keys on Amazon AWS
96 | 


--------------------------------------------------------------------------------
/docs/archive/2018/c9-security-logging.md:
--------------------------------------------------------------------------------
 1 | # C9: Implement Security Logging and Monitoring
 2 | 
 3 | !!! warning "New Version of the Control Available!"
 4 | 
 5 |     You are looking at the legacy 2018 version of the OWASP Top 10 Proactive Controls. You can find information about the same control within the [OWASP Top 10 Proactive Controls 2024](./../2024/index.md) within [C9: Implement Security Logging and Monitoring ](./../2024/the-top-10/c9-security-logging-and-monitoring.md)!
 6 | 
 7 | ## Description
 8 | 
 9 | Logging is a concept that most developers already use for debugging and diagnostic purposes. Security logging is an equally basic concept: to log security information during the runtime operation of an application. Monitoring is the live review of application and security logs using various forms of automation. The same tools and patterns can be used for operations, debugging and security purposes.
10 | 
11 | ## Benefits of Security Logging
12 | 
13 | Security logging can be used for:
14 | 
15 | 1. Feeding intrusion detection systems
16 | 2. Forensic analysis and investigations
17 | 3. Satisfying regulatory compliance requirements
18 | 
19 | ## Security Logging Implementation
20 | 
21 | The following is a list of security logging implementation best practices.
22 | 
23 | * Follow a common logging format and approach within the system and across systems of an organization. An example of a common logging framework is the Apache Logging Services which helps provide logging consistency between Java, PHP, .NET,  and C++ applications.
24 | * Do not log too much or too little. For example, make sure to always log the timestamp and identifying information including the source IP and user-id, but be careful not to log private or confidential data.
25 | * Pay close attention to time syncing across nodes to ensure that timestamps are consistent.
26 | 
27 | ### Logging for Intrusion Detection and Response
28 | 
29 | Use logging to identify activity that indicates that a user is behaving maliciously. Potentially malicious activity to log includes:
30 | 
31 | * Submitted data that is outside of an expected numeric range.
32 | * Submitted data that involves changes to data that should not be modifiable (select list, checkbox or other limited entry component).
33 | * Requests that violate server-side access control rules.
34 | * A more comprehensive list of possible detection points is available [here](https://cheatsheetseries.owasp.org/cheatsheets/Application_Logging_Vocabulary_Cheat_Sheet.html).
35 | 
36 | When your application encounters such activity, your application should at the very least log the activity and mark it as a high severity issue.  Ideally, your application should also respond to a possible identified attack, by for example invalidating the user’s session and locking the user's account. The response mechanisms allows the software to react in realtime to possible identified attacks.
37 | 
38 | ## Secure Logging Design
39 | 
40 | Logging solutions must be built and managed in a secure way. Secure Logging design may include the following:
41 | 
42 | * Encode and validate any dangerous characters before logging to prevent [log injection](https://www.owasp.org/index.php/Log_Injection) attacks.
43 | * Do not log sensitive information. For example, do not log password, session ID, credit cards, or social security numbers.
44 | * Protect log integrity. An attacker may attempt to tamper with the logs. Therefore, the permission of log files and log changes audit should be considered.
45 | * Forward logs from distributed systems to a central, secure logging service. This will ensure log data cannot be lost if one node is compromised. This also allows for centralized monitoring.
46 | 
47 | ## References
48 | 
49 | * [OWASP Log injection](https://www.owasp.org/index.php/Log_Injection)
50 | * [OWASP Cheat Sheet: Logging](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html) How to properly implement logging in an application
51 | * [OWASP Cheat Sheet: Application Logging Vocabulary](https://cheatsheetseries.owasp.org/cheatsheets/Application_Logging_Vocabulary_Cheat_Sheet.html) A standard vocabulary for logging security events
52 | 
53 | ## Tools
54 | 
55 | * [Apache Logging Services](https://logging.apache.org/)
56 | 


--------------------------------------------------------------------------------
/docs/archive/2018/final-word.md:
--------------------------------------------------------------------------------
 1 | # Final word
 2 | 
 3 | This document should be seen as a starting point rather than a comprehensive set of techniques and practices. We want to again emphasize that this document is intended to provide initial awareness around building secure software.
 4 | 
 5 | Good next steps to help build an application security program include:
 6 | 
 7 | 1. To understand some of the risks in web application security please review the [OWASP Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) and the [OWASP Mobile Top Ten](https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks).
 8 | 2. Per Proactive Control #1, a secure development program should include a *comprehensive list of security requirements* based on a standard such as the [OWASP (Web) ASVS](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project) and the [OWASP (Mobile) MASVS](https://github.com/OWASP/owasp-masvs).
 9 | 3. To understand the core building blocks of a secure software program from a more macro point of view please review the [OWASP OpenSAMM project](https://www.owasp.org/index.php/OWASP_SAMM_Project).
10 | 
11 | If you have any questions for the project leadership team, please contact with your questions, comments, and ideas at [our GitHub project repository](https://github.com/OWASP/www-project-proactive-controls/issues).
12 | 


--------------------------------------------------------------------------------
/docs/archive/2018/in-the-news.md:
--------------------------------------------------------------------------------
 1 | # OWASP Top 10 Proactive Controls in the News
 2 | 
 3 | ## 2024
 4 | 
 5 | - \[6 Feb 2024\] Featured in `gbhackers.` post [OWASP Top 10 Proactive Security Controls For Software Developers to Build Secure Software](https://gbhackers.com/owasp-released-top-10-proactive-controls/)
 6 | 
 7 | ## 2022
 8 | 
 9 | - \[10 Nov 2022\] [Blog Post by Kerr](https://kerr.ventures/2022/11/10/owasp-proactive-controls-the-answer-to-the-owasp-top-ten/)
10 | - \[13 June 2022\] Featured on the [GitHub Blog](https://github.blog/open-source/write-more-secure-code-owasp-top-10-proactive-controls/)
11 | 
12 | ## 2021
13 | 
14 | - \[12 Feb 2021\] Featured in oneconsult's post [OWASP Top 10 Proactive Controls – Teil 1](https://www.oneconsult.com/de/blog/news/owasp-top-10-proactive-controls-teil-1/)
15 | 
16 | ## 2020
17 | 
18 | - \[5 Nov 2020\] Featured by Snyk in [Developing secure software: how to implement the OWASP top 10 Proactive Controls](https://snyk.io/blog/owasp-top-10-proactive-controls-2020/)
19 | 
20 | ## 2019
21 | 
22 | - \[July 2019\] Featured in Coursera course from UCDavies
23 |     [Identifying Security Vulnerabilities](https://www.coursera.org/directory/videos?courseId=V1k0pBtIEemZRAqH7m9oGA)
24 | - \[23 June 2019\] Featured on HackerCombat: [Implement OWASP Proactive Controls to Work](https://hackercombat.com/implement-owasp-proactive-controls-to-work/)
25 | - \[7 June 2019\] Feature on OWASP DevSlop Show [Proactive Controls](https://www.youtube.com/watch?v=Jdb3qweDc_Q)
26 | - \[15 May 2019\] Featured in TechBeacon: [Put OWASP Top 10 Proactive Controls to work](https://techbeacon.com/security/put-owasp-top-10-proactive-controls-work)
27 | - \[2 Mar 2019\] Webinar: [The OWASP Top Ten Proactive Controls with Jim Manico](https://www.youtube.com/watch?v=ldXe8f5yVq8)
28 | 
29 | ## 2018
30 | 
31 | The OWASP Top 10 Proactive Controls 2018 (v3) were released on May 7th, 2018.
32 | 
33 | - \[Dec 2018\] Featured as the resource for Security “Shifting to the Left”\! in the ISC2 course: "DevSecOps: Integrating Security into DevOps”
34 | - \[20 Sep 2018\] Featured in TechBeacon: [OWASP Top 10 Proactive Controls 2018: How it makes your code more secure](https://techbeacon.com/owasp-top-10-proactive-controls-2018-how-it-makes-your-code-more-secure)
35 | - \[17 Sep 2018\] Binary Blogger Podcast Episodes: [OWASP Top 10 Proactive Controls Podcast Episodes](https://binaryblogger.com/2018/09/17/owasp-top-10-proactive-controls-podcast-episodes/)
36 | - \[9 May 2018\] Featured in [Developer's security guide: 50 online resources to shift left](https://techbeacon.com/developer-secure-code-starter-kit-resources)
37 | 
38 | ## Older Versions
39 | 
40 | News Posts for older versions of the Proactive Controls can be found here:
41 | 
42 | - [News about the 2016 version](./../2016/in-the-news.md)


--------------------------------------------------------------------------------
/docs/archive/2018/translations.md:
--------------------------------------------------------------------------------
 1 | # Contributed Translations
 2 | 
 3 | We provide an exported PDF English version: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_Top_10_Proactive_Controls_V3.pdf), [docx](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_Top_10_Proactive_Controls_V3.docx), [pptx](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_Top_Ten_Proactive_Controls_v3.pptx). We also provide a [Mapping to the OWASP Top 10 and IEEE Top 10](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP-OPC-IEEEE-OTop10-OTMobTop10-ssdf.pdf).
 4 | 
 5 | ## Available Translations
 6 | 
 7 | In alphabetical order:
 8 | 
 9 | - Arabic: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_Top_10_Proactive_Controls_V3-AR.pdf)
10 | - Brazilian Portuguese: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_TOP_10_Proactive_Controls_2018_V3_PT-BR.pdf)
11 | - Chinese: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_Top_10_Proactive_Controls_V3_Chinese.pdf)
12 | - Italian: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_Top_10_Proactive_Controls_V3-IT.pdf)
13 | - Spanish: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_TOP_10_Proactive_Controls_2018_V3_ES-AR.pdf)
14 | - Polish: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf)
15 | - Russian: [pdf](https://github.com/OWASP/www-project-proactive-controls/blob/master/v3/Owasp-top-10-proactive-controls-2018-russian.pdf)
16 | 


--------------------------------------------------------------------------------
/docs/archive/2024/final-word.md:
--------------------------------------------------------------------------------
 1 | # Final word
 2 | 
 3 | This document should be seen as a starting point rather than a comprehensive set of techniques and practices. We want to again emphasize that this document is intended to provide initial awareness around building secure software.
 4 | 
 5 | Good next steps to help build an application security program include:
 6 | 
 7 | 1. To understand some of the risks in web application security please review the [OWASP Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) .
 8 | 2. A secure development program should include a *comprehensive list of security requirements* .
 9 |  Use [Threat Modeling](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html) to identify potential security threats, derive security requirements, and tailor security controls to prevent those. Use standards such as the [OWASP (Web) ASVS](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project) and the [OWASP (Mobile) MASVS](https://github.com/OWASP/owasp-masvs) which provides a catalog of available security requirements along with the  relevant verification criteria.
10 | 3. To understand the core building blocks of a secure software program from a more macro point of view please review the [OWASP OpenSAMM project](https://www.owasp.org/index.php/OWASP_SAMM_Project).
11 | 


--------------------------------------------------------------------------------
/docs/archive/2024/index.md:
--------------------------------------------------------------------------------
 1 | # About this Project
 2 | 
 3 | Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
 4 | 
 5 | ## Aim & Objective
 6 | 
 7 | The goal of the **OWASP Top 10 Proactive Controls project** is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations. We hope that the OWASP Proactive Controls is useful to your efforts in building secure software.
 8 | 
 9 | ## Target Audience
10 | 
11 | This document is primarily written for developers. However, development managers, product owners, Q/A professionals, program managers, and anyone involved in building software can also benefit from this document.
12 | 
13 | ## How to Use this Document
14 | 
15 | This document’s main purpose is to provide a solid foundation of topics to help drive introductory software security developer training. To be effective, these controls should be used consistently and thoroughly throughout all applications.
16 | 
17 | However, this document is a starting point rather than a comprehensive set of techniques and practices.
18 | 
19 | A fully secure development process should include comprehensive requirements from a standard such as the OWASP ASVS in addition to including a range of software development activities described in maturity models such as [OWASP SAMM](https://www.owasp.org/index.php/OWASP_SAMM_Project) and [BSIMM](https://www.bsimm.com/).
20 | 
21 | ## Project Leaders
22 | 
23 | * [Andreas Happe](mailto:andreas.happe@owasp.org), connect through [linkedin](https://www.linkedin.com/in/andreashappe/), [github](https://github.com/andreashappe), [twitter/x](https://twitter.com/andreashappe)
24 | * [Jim Manico](mailto:jim.manico@owasp.org), connect through [linkedin](https://www.linkedin.com/in/jmanico/), [github](https://github.com/jmanico), [twitter/x](https://twitter.com/manicode)
25 | * [Katy Anton](mailto:katy.anton@owasp.org), connect through [linkedin](https://www.linkedin.com/in/katyanton/), [github](https://github.com/katyanton), [twitter/x](https://twitter.com/katyanton)
26 | 
27 | ## Copyright and Licence
28 | 
29 | This document is released under the Creative Commons Attribution-ShareAlike 4.0 International license. For any reuse or distribution, you must make it clear to others the license terms of this work.
30 | 


--------------------------------------------------------------------------------
/docs/archive/2024/introduction/about-owasp.md:
--------------------------------------------------------------------------------
 1 | # About OWASP
 2 | 
 3 | The *Open Worldwide Application Security Project* (*OWASP*) is an open community
 4 | dedicated to enabling organizations to develop, purchase, and maintain
 5 | applications and APIs that can be trusted.
 6 | 
 7 | All OWASP tools, documents, videos, presentations, and chapters are free and
 8 | open to anyone interested in improving application security.
 9 | 
10 | We advocate approaching application security as a people, process, and
11 | technology problem, because the most effective approaches to application
12 | security require improvements in these areas.
13 | 
14 | OWASP is a new kind of organization. Our freedom from commercial pressures
15 | allows us to provide unbiased, practical, and cost-effective information about
16 | application security.
17 | 
18 | OWASP is not affiliated with any technology company, although we support the
19 | informed use of commercial security technology. OWASP produces many types of
20 | materials in a collaborative, transparent, and open way.
21 | 
22 | The OWASP Foundation is the non-profit entity that ensures the project's
23 | long-term success. Almost everyone associated with OWASP is a volunteer,
24 | including the OWASP board, chapter leaders, project leaders, and project
25 | members. We support innovative security research with grants and infrastructure.
26 | 


--------------------------------------------------------------------------------
/docs/archive/2024/introduction/contributing.md:
--------------------------------------------------------------------------------
 1 | # How to Contribute?
 2 | 
 3 | Please don’t hesitate to contact the OWASP Proactive Control project with your questions, comments, and ideas.
 4 | 
 5 | You can contact maintainers directly, use our [project-top10-proactive-controls OWASP slack channel](https://owasp.slack.com/archives/C07KNHZAN1H) (If you do not have a slack user, you can get a [free invite here](https://owasp.org/slack/invite)), or visit [our github page](https://github.com/OWASP/www-project-proactive-controls).
 6 | 
 7 | You find the source code of the current version of the OWASP Top 10 Proactive Controls in the `docs/` directory within the git repository. Please focus upon contributions for the current version, not archived versions within `docs/archive`.
 8 | 
 9 | When you check [our open issues on github](https://github.com/OWASP/www-project-proactive-controls/issues), you can see that some issues are tagged with `help wanted` or `good first issue`. Choose these if you want to help out the project!
10 | 
11 | ## Translations
12 | 
13 | Starting with version `v4` in 2024, we don't accept inclusion of translations into the OWASP Top 10 Proactive Controls directly and are only providing the English version.
14 | 
15 | We do encourage translators to create translated versions and host them themselves and will link to those external sites/documents if notified about them.
16 | 
17 | ## How to test the OWASP Proactive Control website locally?
18 | 
19 | If you can run python, you can locally run the OWASP Proactive Control website locally. We recommend this to test your changes before pushing them to github.
20 | 
21 | To do this, we will use `venv` to create a local python environment to install the needed `mkdocs` package.
22 | 
23 | ```shell
24 | # creates and activates a new python environment in a new `venv` directory
25 | $ python3 -m venv venv
26 | $ source venv/bin/activate
27 | 
28 | # install the mkdocs package
29 | $ pip install mkdocs-material mkdocs-redirects
30 | 
31 | # switch into your checked-out OWASP Proactive Controls directory
32 | $ cd owasp-proactive-controls
33 | 
34 | # run the local webserver
35 | $ mkdocs serve
36 | 
37 | # now you can point your browser to http://localhost:8000 and check
38 | # how your changes will look like
39 | ```
40 | 
41 | ## A Big Thank you to our Contributors!
42 | 
43 | This document would not have been possible without our contributors for which we are grateful. The 2024 Version makes listing all contributors hard as we were using an untracked google shared doc in the beginning. We hope that we haven't missed someone and are very gracious for:
44 | 
45 | [Andreas Happe](https://github.com/andreashappe), [Jim Manico](https://github.com/jmanico), [Katy Anton](https://github.com/katyanton), Chris Romeo, Jasmin Mair, Abdessamad Temmar, Carl Sampson, Eyal Estrin, [Israel Chorzevski](https://github.com/sro-co-il), [Zoe Braiterman](https://github.com/zbraiterman), [Timo Pagel](https://github.com/wurstbrot), [ThreeHoolagins](https://github.com/ThreeHoolagins), [Wallace Soares](https://github.com/soareswallace), [Aref Shaheed](https://github.com/aref2008), [ThunderSon](https://github.com/ThunderSon), [Marcus Fenstrom](https://github.com/MFernstrom), [Datz](https://github.com/DatzAtWork), [Josh Grossman](https://github.com/tghosth), [Tomas Coiro](https://github.com/CoiroTomas), [Dr. Pi3ch](https://github.com/pi3ch), [Ishaq Mohammed](https://github.com/security-prince), [Richard Tweed](https://github.com/RichardoC), [Derek Gary](https://github.com/DerekGary), [Starr Brown](https://github.com/mamicidal), [Thomas](https://github.com/tthn0), [Christian Capellan](https://github.com/ccapellan), [Adriaan Joubert](https://github.com/adriaanjoubert), [Kenneth Kron](https://github.com/biofool), [Jaskirat Singh](https://github.com/Jassi2004), [Lukas Weichselbaum](https://github.com/lweichselbaum), [joonakokkola](https://github.com/joonakokkola), [cowsecurity](https://github.com/cowsecurity)
46 | 
47 | ### Contributors to previous Top 10 Proactive Control versions
48 | 
49 | Another round of applause to all the contributors of previous OWASP Top 10 Proactive Controls lists:
50 | 
51 | Massimiliano Graziani, [Taras Ivashchenko](mailto:taras.ivaschenko@owasp.org), Jay Zudilin, [Danny Harris](mailto:danny.harris@owasp.org), Hiroaki Kuramochi, Hiroshi Fujimoto, Hidenori Nagai, [Riotaro OKADA](mailto:riotaro@owasp.org), Robert Dracea, Koichiro Watanabe, Tony Hsu Hsiang Chih, [Cyrille Grandval](mailto:cyrille.grandval@owasp.org), [Frédéric Baillon](mailto:fbaillon@darkmira.com), [Danny Harris](mailto:danny.harris@owasp.org), Stephen de Vries, Andrew Van Der Stock, Gaz Heyes, Colin Watson, Jason Coleman, Cassio Goldschmidt, Dan Anderson, David Cybuck, Dave Ferguson, Osama Elnaggar, Rick Mitchell
52 | 


--------------------------------------------------------------------------------
/docs/archive/2024/introduction/in-the-news.md:
--------------------------------------------------------------------------------
 1 | # OWASP Top 10 Proactive Controls in the News
 2 | 
 3 | ## 2024
 4 | 
 5 | Introduction of the OWASP Top 10 Proactive Controls v4 and switch to new wiki system.
 6 | 
 7 | - \[25 Nov 2025\] Podcast Series at [Cloud Security Deep Dive](https://cloudsecuritydeepdive.com/), currently contains podcasts about C1, C2, C3, C4, C5, C8.
 8 | - \[9 Sep 2024\] Featured in `SecureIdeas` post [What’s new in the OWASP Proactive Controls for 2024](https://www.secureideas.com/blog/whats-new-in-the-owasp-proactive-controls-for-2024)
 9 | 
10 | ## Older Versions
11 | 
12 | News Posts for older versions of the Proactive Controls can be found here:
13 | 
14 | - [News about the 2018 version](./../../2018/in-the-news.md)
15 | - [News about the 2016 version](./../../2016/in-the-news.md)
16 | 


--------------------------------------------------------------------------------
/docs/archive/2024/introduction/related-owasp-projects.md:
--------------------------------------------------------------------------------
 1 | # Related OWASP Projects
 2 | 
 3 | OWASP is a volunteer-driven organization. Those volunteers contributed many useful documents, and this section points to some related OWASP documents and projects:
 4 | 
 5 | ## OWASP Top 10
 6 | 
 7 | The best-known OWASP document is the [OWASP Top 10](https://owasp.org/Top10/). They detail the most common web application vulnerabilities and are also the base for this document. In contrast, this document is focused on defensive techniques and controls as opposed to risks. Each control in this document will map to one or more items in the risk-based OWASP Top 10. This mapping information is included at the end of each control description.
 8 | 
 9 | ## OWASP ASVS
10 | 
11 | [The OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/) is a catalog of available security requirements and verification criteria. OWASP ASVS can be a source of detailed security requirements for development teams. Security requirements are categorized into different buckets based on a shared higher order security function. For example, the ASVS contains categories such as authentication, access control, error handling / logging, and web services. Each category contains a collection of requirements that represent the best practices for that category drafted as verifiable statements.
12 | 
13 | ## OWASP SAMM
14 | 
15 | [Software Assurance Maturity Model (SAMM)](https://www.opensamm.org/) is an open framework to help organizations implement a strategy for maturing the software security tailored to the specific risks of the organization. . [SAMM](https://owaspsamm.org/about/) supports the complete software life cycle and can be used to identify what
16 | 
17 | ## Threat Modeling in General
18 | 
19 | Threat Modeling is an important part of secure application development, which can help identify potential security threats, derive security requirements, and tailor security controls to prevent potential threats. Successful use of security requirements involves four steps: discovery, documentation, implementation, and verification of the correct implementation of the functionality within an application. Threat modelling is one way to derive security requirements. Other sources are: industry standards, applicable laws, history of past vulnerabilities. Modeling tools, like [OWASP Threat Dragon](https://owasp.org/www-project-threat-dragon/) can be used to create threat model diagrams as part of a secure development life cycle.
20 | 
21 | ## Domain-Specific Documents
22 | 
23 | It is important to notice that this document primarily focuses on web applications, but other Top 10s could apply to your application, too. Examples of those are:
24 | 
25 | - OWASP API Top 10
26 | - OWASP Mobile Application Top 10
27 | 


--------------------------------------------------------------------------------
/docs/archive/2024/the-top-10/c1-accesscontrol.md:
--------------------------------------------------------------------------------
  1 | # C1: Implement Access Control
  2 | 
  3 | ## Description
  4 | 
  5 | Access Control (or Authorization) is allowing or denying specific requests from a user, program, or process. With each access control decision, a given subject requests access to a given object. Access control is the process that considers the defined policy and determines if a given subject is allowed to access a given object.
  6 | 
  7 | Access control also involves the act of granting and revoking those privileges.
  8 | 
  9 | Access Control often applies on multiple levels, e.g., given an application with a database backend, it applies both on the business logic level as well as on a database row level. In addition, applications can offer multiple ways of performing operations (e.g., through APIs or the website). All those different levels and access paths must be aligned, i.e., use the same access control checks, to protect against security vulnerabilities.
 10 | 
 11 | Authorization (verifying access to specific features or resources) is not equivalent to authentication (verifying identity).
 12 | 
 13 | ## Threats
 14 | 
 15 | - An attacker could take advantage of a loosely configured access control policy to access data the organization did not intend to make accessible.
 16 | - An attacker could discover multiple access control components within an application and exploit the weakest.
 17 | - An administrator could forget to decommission an old account, and an attacker could discover that account and use it to access data.
 18 | - An attacker could gain access to data that had a policy that dropped into a final step of allowing access. (Lack of default deny)
 19 | 
 20 | ## Implementation
 21 | 
 22 | Below is a minimum set of access control design requirements that should be considered at the initial stages of application development.
 23 | 
 24 | ### 1) Design Access Control Thoroughly Up Front
 25 | 
 26 | Once you have chosen a specific access control design pattern, it is often difficult and time-consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security design that must be thoroughly designed up front, especially when addressing requirements like multi-tenancy and horizontal (data dependent) access control.
 27 | 
 28 | Two core types of access control design should be considered.
 29 | 
 30 | - Role Based Access Control (RBAC) is a model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.
 31 | - Attribute Based Access Control (ABAC) will grant or deny user access based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized, and more relevant to the policies at hand.
 32 | Access Control design may start simple but can often become complex and feature-heavy security control. When evaluating the access control capability of software frameworks, ensure that your access control functionality will allow for customization for your specific access control feature need.
 33 | 
 34 | ### 2) Force Every Access Request to Go Through an Access Control Check
 35 | 
 36 | Ensure that all access requests are forced to go through an access control verification layer. Technologies like Java filters or other automatic request processing mechanisms are ideal programming components that will ensure that all requests go through an access control check. This is referred to as _Policy Enforcement Point_ in [RFC 2904](https://datatracker.ietf.org/doc/html/rfc2904#section-4.3).
 37 | 
 38 | ### 3) Consolidate the access control check
 39 | 
 40 | Use a single access control procedure or routine. This prevents the scenario where you have multiple access control implementations, where most are correct, but some are flawed. By using a centralized approach, you can focus security resources on reviewing and fixing one central library or function that performs the access control check, and then reuse it throughout your code base and organization.
 41 | 
 42 | ### 4) Deny by Default
 43 | 
 44 | Ensure that by default, all the requests are denied, unless they are specifically allowed. This also includes accessing API (REST or webhooks) with missing access controls.
 45 | There are many ways that this rule will manifest in the application code. Some examples are:
 46 | 
 47 | 1. Application code may throw an error or exception while processing access control requests. In these cases, access control should always be denied.
 48 | 
 49 | 2. When an administrator creates a new user or a user registers for a new account, that account should have minimal or no access by default until that access is configured.
 50 | 
 51 | 3. When a new feature is added to an application, all users should be denied to use it until it’s properly configured.
 52 | 
 53 | ### 5) Principle of Least Privilege / Just in Time (JIT), Just Enough Access (JEA)
 54 | 
 55 | An example of implementing that principle is to create dedicated privileged roles and accounts for every organization function that requires highly privileged activities and avoid using an “admin” role/account that is fully privileged daily.
 56 | 
 57 | To further improve the security, you can implement Just-in-Time (JIT) or Just-enough-Access (JEA): ensure that all users, programs, or processes are only given just enough access to achieve their current mission. This access should be provided just in time, when the subject makes the request, and the access should be granted for a short time. Be wary of systems that do not provide granular access control configuration capabilities.
 58 | 
 59 | ### 6) Do not Hard-code Roles
 60 | 
 61 | Many application frameworks default to access control that is role based. It is common to find application code filled with checks of this nature.
 62 | 
 63 | ```java
 64 | if (user.hasRole("ADMIN")) || (user.hasRole("MANAGER")) {
 65 |     deleteAccount();
 66 | }
 67 | ```
 68 | 
 69 | Be careful about this type of role-based programming in code. It has the following limitations or dangers:
 70 | 
 71 | - Role-based programming of this nature is fragile. It is easy to create incorrect or missing role checks in code.
 72 | - Hard-Coded Roles do not allow for multi-tenancy. Extreme measures like forking the code or adding checks for each customer will be required to allow role-based systems to have different rules for different customers.
 73 | - Large code bases with many access control checks can make it difficult to audit or verify the overall application access control policy.
 74 | - Hard coded roles can also be seen as a backdoor when discovered during audits.
 75 | 
 76 | ### 7) ABAC Policy Enforcement Point Example
 77 | 
 78 | Please consider the following access control enforcement points using this following programming methodology:
 79 | 
 80 | ```java
 81 | if (user.hasPermission("DELETE_ACCOUNT")) {
 82 |     deleteAccount();
 83 | }
 84 | ```
 85 | 
 86 | Attribute or feature-based access control checks of this nature are the starting point to building well-designed and feature-rich access control systems. This type of programming also allows for greater access control customization capability over time.
 87 | 
 88 | ## Vulnerabilities Prevented
 89 | 
 90 | - [OWASP Top 10 2021-A01_2021-Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
 91 | - [CWE Top 25 - 11:CWE-862 Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)
 92 | - [CWE Top 25 - 24:CWE-863 Incorrect Authorization](https://cwe.mitre.org/data/definitions/863.html)
 93 | 
 94 | ## References
 95 | 
 96 | - [OWASP Cheat Sheet: Authorization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html)
 97 | - [OWASP Cheat Sheet: Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
 98 | - [OWASP Cheat Sheet: Insecure Direct Object Reference Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)
 99 | - [OWASP ASVS V4 Access Control](https://owasp.org/www-project-application-security-verification-standard/)
100 | - [OWASP Testing Guide: Authorization Testing](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/)
101 | - [OAuth2.0](https://oauth.net/2/) protocol for authorization
102 | - [Draft OAuth2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10)
103 | - [Policy Enforcement in RFC 2904](https://datatracker.ietf.org/doc/html/rfc2904#section-4.3)
104 | 
105 | ## Tools
106 | 
107 | - [ZAP](https://www.zaproxy.org/) with the optional [Access Control Testing](https://www.zaproxy.org/docs/desktop/addons/access-control-testing/) add-on
108 | - [Open Policy Agent](https://www.openpolicyagent.org/)
109 | 


--------------------------------------------------------------------------------
/docs/archive/2024/the-top-10/c10-stop-server-side-request-forgery.md:
--------------------------------------------------------------------------------
 1 | # C10: Stop Server Side Request Forgery
 2 | 
 3 | ## Description
 4 | 
 5 | While Injection Attacks typically target the victim server itself, Server-Side Request Forgery (SSRF) attacks try to coerce the server to perform a request on behalf of the attacker. SSRF occurs when an attacker can trick a server into making unintended requests to internal or external services, potentially bypassing security controls.
 6 | 
 7 | Why is this beneficial for the attacker? The outgoing request will be performed with the identity of the victim server and thus the attacker might execute operations with elevated operations.
 8 | 
 9 | ## Threats
10 | 
11 | Examples of this contain:
12 | 
13 | - If an SSRF attack is possible on an server within the DMZ, an attacker might be able to access other servers within the DMZ without passing a perimeter firewall
14 | - Many servers have local services running on localhost, often without any authentication/authorization as localhost. This can be abused by SSRF attacks.
15 | - If SSO is used, SSRF can be used to extract tokens/tickets/hashes from servers etc.
16 | 
17 | ## Implementation
18 | 
19 | There multiple ways of preventing SSRF:
20 | 
21 | - Input validation
22 | - If outgoing requests have to be made, check the target against an allow-list
23 | - If using XML, configure parser securely to prevent XEE
24 | 
25 | Be aware of [Unicode and other Character transformations](https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Orange_Tsai_Talk.pdf) when performing input validation.
26 | 
27 | ## Vulnerabilities Prevented
28 | 
29 | - [A10:2021 – Server-Side Request Forgery (SSRF)](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)
30 | 
31 | ## References
32 | 
33 | - [Server-Side Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
34 | - [A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!](https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Orange_Tsai_Talk.pdf)
35 | 
36 | ## Tools
37 | 
38 | - [SSRFmap](https://github.com/swisskyrepo/SSRFmap)
39 | 


--------------------------------------------------------------------------------
/docs/archive/2024/the-top-10/c4-secure-architecture.md:
--------------------------------------------------------------------------------
  1 | # C4: Address Security from the Start
  2 | 
  3 | ## Description
  4 | 
  5 | When designing a new application, creating a secure architecture prevents vulnerabilities before they even become part of the application. This prevents costly repairs and repudiation problems.
  6 | 
  7 | There are design principles that lead to secure architectures:
  8 | 
  9 | - **keep it simple, stupid** (KISS): the easier an application is to understand, the easier it is to reason about its components and their interactions. This allows to reason about the application's security behavior.
 10 | - **Make it easy to do the right thing**: don't expect the user to read documentation or invest time to "do things the right way". By default the application should behave in a secure manner. To make it insecure, an explicit action by the user has to take place.
 11 | - **don't rely on obscurity**: if the only security is due to the intransparency of the application or its source code, the application is not secure at all.
 12 | - **Identify and minimize your exposed components** ("attack surface"): attackers cannot attack what's not there.
 13 | - **Design for Defense-in-Depth**: think about what happens, if a component is breached and about the potential blast radius of an attack.
 14 | 
 15 | ### Usage of Third-Party Components such as Libraries and Frameworks
 16 | 
 17 | While it might be possible to implement all requirements manually, it is highly recommended to base one's architecture upon established and well-maintained third-party components. This has multiple benefits:
 18 | 
 19 | - **Don't reimplement the wheel** and learn from (security) failures of others. Often, existing libraries and frameworks have undergone a security audit and security issues have been identified and eventually remediated. Benefit from the security works of others!
 20 | - **Secure Defaults**: more and more frameworks offer defensive and secure defaults. To enable risky behavior, manual developer interaction is needed.
 21 | - **But keep them up to date**. While you gain benefits from using maintained frameworks, you know have the maintenance burden of tracking their new releases for security notes.
 22 | - **Don't fight the framework**. If using a framework feels like you are fighting it each and every step, then maybe this concrete framework is not a good match for your development style or architecture (or vice versa).
 23 | 
 24 | ## Threats
 25 | 
 26 | - If the application is only protected by security-by-obscurity, an attacker that reverse-engineers the application has full permissions as soon the obfuscation is cleared-up. In addition, an attacker is able to monitor network traffic: while the obfuscation might be performed on the code-level, the operations on the network level can easily be analyzed.
 27 | - A web-application with a complex authorization scheme is deployed. A new software developer is tasked with extending one of the components. Due to the complexity, they misconfigure the authorization scheme and an attacker is able to exploit IDOR.
 28 | - A web-application with a complex authorization scheme is deployed. A new software developer adds a new plugin to the system. The system makes it hard to do the right thing, and all security configuration must be manually added to the plugin, by-default no security measures are taken. The new developer is not configuring anything thus the new plugin introduces an IDOR into the system.
 29 | - A web-application has many components, all of which are exposed to the public internet. The resulting attack surface is massive. For example, a database management tool (e.g., `phpmyadmin`) is deployed. After a 0day was found in `mysqladmin`, the whole database was extracted. During normal use, nobody uses `phpmyadmin`.
 30 | 
 31 | ## Implementation
 32 | 
 33 | The mantra "Complexity is the enemy of security" can be seen throughout this implementation guidance.
 34 | 
 35 | ### Design for Clarity and Transparency
 36 | 
 37 | Architecture should focus upon simplicity: the designed software should be only as complex as the intended user's requirements warrant. Focusing upon simplicity brings multiple benefits for the created software:
 38 | 
 39 | - It is easier to reason about a simple system. This allows to reason about potential security impacts of changes.
 40 | - Long-term maintenance is aided through the simpler design.
 41 | - The design should focus upon transparency, i.e., the security should not depend upon security-by-obscurity.
 42 | 
 43 | ### Make it easy to do the right thing
 44 | 
 45 | Two terms often heard are "security by design" and "security by default". The former implies, that the software system should be usable in a secure manner while the latter means that the initial configuration of the software system is secure.
 46 | 
 47 | This implies, that an system administrator has to make an explicit choice to introduce insecure configuration into the system. In contrast, the path of least resistance should always result in a secure system.
 48 | 
 49 | When focusing upon end-user interactions, this aspect is important for designing user interfaces and flows. When focusing upon developer interactions, developer-facing facilities such as framework, APIs, network APIs should be designed that when using them with default values, only secure operations should occur. Think about this when designing your configuration files too
 50 | 
 51 | ### Clearly articulate what's trusted to do what, and ensure those relationships are enforced
 52 | 
 53 | Clearly articulate what's trusted to do what, and ensure those relationships are enforced, e.g., trust boundaries delineate blast radius and are enforced by controls, such as firewalls or gateways.
 54 | 
 55 | Attenuate what's allowed by careful validation at each step. Go deeper with threat modeling mnemonics like stride or methodologies like stride per element.
 56 | 
 57 | ### Identify and minimize your exposed components ("attack surface")
 58 | 
 59 | Identify all areas that an attacker can access, review them and try to minimize them: attackers cannot attack what's not there.
 60 | 
 61 | In addition, exposing only a minimal set of operations makes long-term maintenance easier.
 62 | 
 63 | ### Use well-known Architecture Patterns
 64 | 
 65 | Experts have shared their wisdom about best practices in an easily digestible format called secure architecture patterns. Architecture patterns are reusable and can be applied across multiple applications.
 66 | 
 67 | For a solution to be considered a pattern, it must have these characteristics:
 68 | 
 69 | - First, a secure architecture pattern must solve a security problem.
 70 | - Second, a secure architecture pattern must not be tied to a specific vendor or technology.
 71 | - Third, a secure architecture pattern must demonstrate how it mitigates threats.
 72 | - Fourth, a [secure architecture pattern](https://securitypatterns.io/what-is-a-security-pattern/) must use standardized terms for threats and controls for easy reuse.
 73 | 
 74 | An architecture pattern is a way to solve a problem using a standard solution versus creating a custom solution. A secure architecture pattern is a standard solution that has been reviewed and hardened against known security threats.
 75 | 
 76 | Implementation:
 77 | 
 78 | 1. Identify the problem that requires solving.
 79 | 2. Consider the catalog of available secure architecture patterns.
 80 | 3. Choose a secure architecture pattern for the design.
 81 | 4. Implement the secure architecture pattern.
 82 | 
 83 | ## Vulnerabilities Prevented
 84 | 
 85 | - Business Logic Flaws: These patterns can help in structuring the application to avoid complex and often overlooked business logic vulnerabilities.
 86 | - OWASP Top 10 2021-A04 (Insecure Design): Secure architecture patterns directly target the mitigation of risks associated with insecure design, a key concern highlighted by OWASP.
 87 | 
 88 | ## References
 89 | 
 90 | - <https://securitypatterns.io/what-is-a-security-pattern/>
 91 | - <https://owasp.org/www-pdf-archive/Vanhilst_owasp_140319.pdf>
 92 | - [OWASP Cheat Sheet Series: Attack Surface Analysis](https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html)
 93 | - [OWASP Cheat Sheet Series: Microservices-based Security Arch Doc](https://cheatsheetseries.owasp.org/cheatsheets/Microservices_based_Security_Arch_Doc_Cheat_Sheet.html)
 94 | - [OWASP Cheat Sheet: Secure Product Design](https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html)
 95 | - [OWASP Cheat Sheet: Threat Modeling](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html)
 96 | 
 97 | ## Tools
 98 | 
 99 | - [OWASP Threat Dragon](https://owasp.org/www-project-threat-dragon/)
100 | - [Amazon AWS Threat-Composer](https://github.com/awslabs/threat-composer)
101 | - [StrideGPT](https://github.com/mrwadams/stride-gpt)
102 | 


--------------------------------------------------------------------------------
/docs/archive/2024/the-top-10/c5-secure-by-default.md:
--------------------------------------------------------------------------------
 1 | # C5: Secure By Default Configurations
 2 | 
 3 | ## Description
 4 | 
 5 | “Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. Software should start in a secure state without requiring extensive user configuration, ensuring the default settings are always the most secure option.
 6 | 
 7 | The benefit of having an application secure from the start is that it removes the burden away from developers on how to lock a system down, providing them with an already secure product. It reduces the effort required to deploy products in a secure manner and gives greater confidence that they will remain secure over time.
 8 | 
 9 | ## Threats
10 | 
11 | - An attacker could gain unauthorized access by exploiting default, weak, or well-known credentials that haven't been changed from their out-of-the-box state.
12 | - An attacker could take advantage of overly permissive default settings to access sensitive resources or perform unauthorized actions.
13 | - An attacker could gather sensitive information by probing unnecessarily enabled features or services that are active by default.
14 | - An attacker could conduct cross-site scripting (XSS) attacks by exploiting lenient default security headers that don't provide adequate protection against such threats.
15 | 
16 | ## Implementation
17 | 
18 | In modern cloud applications, when developers build applications, they are also building the infrastructure for their applications, making infrastructure decisions, including security-critical configurations, while writing their code.
19 | These are deployed on infrastructure created and configured via code, Infrastructure-as-code (IaC), using configurations applied at the application level ( including web server and database), at container, Function as a Service, or infrastructure level. For example, in the case of web applications, folder permissions need to follow the principle of least privilege to limit resource access rights. When web and mobile applications are deployed in production, the debugging should be disabled.
20 | 
21 | Is it important that when developers put together their infrastructure components, they:
22 | 
23 | 1. Implement configurations based on the Least privilege principle - for example: ensure that your cloud storage (S3 or other) is configured to be private and accessed by the minimum amount of time
24 | 2. Access is denied by default and allowed via an allowed list
25 | 3. Use container images that have been scanned for package and component vulnerabilities and pulled from a private container registry
26 | 4. Prefer declarative infrastructure configuration over manual configuration activities. On a low-level, utilize Infrastructure-as-Code templates for automated provisioning and configuration of your cloud and on-premises infrastructure. On a high-level utilize Policy-as-Code to enforce policies including privilege assignments.  
27 | Using a declarative format allows those policies to be managed similar to source code: checked-in into a source code management system, versioned, access-controlled, subject to change management, etc.
28 | 5. Traffic encryption - by default or do not implement unencrypted communication channels in the first place
29 | 
30 | ### Continuous Configurations Verification
31 | 
32 | As part of software development, a developer needs to ensure that software is configured securely by default at the application level. For example,
33 | 
34 | - The code which defines the infrastructure should follow the principle of least privilege.
35 | - Configurations and features that aren’t required such as accounts, software, and demo capabilities should be disabled.
36 | 
37 | ## Vulnerabilities Prevented
38 | 
39 | - [OWASP Top 10 2021 A05 – Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)
40 | 
41 | ## References
42 | 
43 | - OWASP Cheat Sheet: [Infrastructure as Code Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Infrastructure_as_Code_Security_Cheat_Sheet.html)
44 | - OWASP ASVS: [Application Security Verification Standard V14 Configuration](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x22-V14-Config.md)
45 | - [Cloud security guidance - NCSC.GOV.UK](https://www.ncsc.gov.uk/collection/cloud-security)
46 | 
47 | ## Tools
48 | 
49 | - [Tfsec](https://github.com/aquasecurity/tfsec) - open source static analysis for your Terraform templates
50 | - [Terrascan](https://github.com/accurics/terrascan) - scan for Infrastructure-as-Code vulnerabilities
51 | - [Checkov](https://github.com/bridgecrewio/checkov) - Scan for open-source and Infrastructure-as-Code vulnerabilities
52 | - [Scout Suite](https://github.com/nccgroup/ScoutSuite) is an open source multi-cloud security-auditing tool which currently supports: Amazon Web Services, Microsoft Azure, Google Cloud Platform
53 | - [prowler](https://github.com/toniblyx/prowler)
54 | - [Cloudmapper](https://github.com/duo-labs/cloudmapper)
55 | - [Snyk](https://github.com/snyk/cli) - Scan for open-source, code, container, and Infrastructure-as-Code vulnerabilities
56 | - [Trivy](https://github.com/aquasecurity/trivy) - Scan for open-source, code, container, and Infrastructure-as-Code vulnerabilities
57 | - [KICS](https://github.com/Checkmarx/kics) - Scan for Infrastructure-as-Code vulnerabilities
58 | - [Kubescape](https://github.com/kubescape/kubescape) - Scan for Kubernetes vulnerabilities
59 | - [Kyverno](https://kyverno.io/docs/security/) - Securing Kubernetes using Policies
60 | 


--------------------------------------------------------------------------------
/docs/archive/2024/the-top-10/c6-use-secure-dependencies.md:
--------------------------------------------------------------------------------
 1 | # C6: Keep your Components Secure
 2 | 
 3 | ## Description
 4 | 
 5 | It is a common practice in software development to leverage libraries and frameworks. Secure libraries and software frameworks with embedded security help software developers prevent security-related design and implementation flaws.
 6 | 
 7 | A developer writing an application from scratch might not have sufficient knowledge, time, or budget to properly implement or maintain security features. Leveraging security frameworks (both open source and vendor) help accomplish security goals more efficiently and accurately.
 8 | 
 9 | When possible, the emphasis should be on using the existing secure features of frameworks rather than importing yet another third party libraries, which requires regular updates and maintenance. It is preferable to have developers take advantage of what they're already using instead of forcing yet another library on them.
10 | 
11 | When incorporating third party libraries or frameworks into your software, it is important to consider the following two categories of best practices:
12 | 
13 | 1. Identify trusted libraries and frameworks to bring into your software.
14 | 2. Monitor and update packages to ensure that your software is not vulnerable to the possible security vulnerabilities introduced by the third party components.
15 | 
16 | ## Threats
17 | 
18 | - An attacker could exploit known vulnerabilities in outdated third-party components to gain unauthorized access or execute malicious code.
19 | - An attacker could conduct supply chain attacks by compromising libraries or frameworks used in the development process, potentially inserting malicious code into the final product.
20 | - An attacker could extract sensitive information by exploiting insecure configurations in third-party components that haven't been properly hardened.
21 | - An attacker could launch denial of service attacks by targeting known vulnerabilities in external libraries, potentially disrupting the availability of services.
22 | 
23 | ## Implementation
24 | 
25 | Below each of these categories are further detailed to help secure your software.
26 | 
27 | ### Best Practices to Identify Trusted libraries
28 | 
29 | Below are listed a few criteria you can use to select the next library or framework for your software. This is not an exhaustive list, but is a good start.
30 | 
31 | 1. **Sources**: Download recommended security libraries from official sources over secure links and prefer signed packages to reduce the chance of including a modified, malicious component (See A08:2021-Software and Data Integrity Failures).
32 | 
33 | 2. **Popularity**: Leverage libraries and frameworks used by many applications which have around large communities. Consider data points such as the number of GitHub stars a package’s source code repository has received, and number of downloads from within a package manager.
34 | 
35 | 3. **Activity:** Ensure that the library/ framework is actively maintained and issues are resolved in a timely fashion.
36 | 
37 | 4. **Maturity**: Use stable versions . Projects in early stages of development area higher risk to your software .
38 | 
39 | 5. **Complexity**: A large, complex library with lots of dependencies, is more difficult to incorporate into your software. Also, a high number of dependencies indicates a higher number of future upgrades to ensure all those dependencies are up-to-date and secured.
40 | 
41 | 6. **Security**: If the package is open source, you can use static application security testing (SAST) or [Software Composition Analysis](https://en.everybodywiki.com/Software_Composition_Analysis#:~:text=Software%20Composition%20Analysis%20%28SCA%29%20comprises,been%20integrated%20into%20your%20applications.) (SCA) to help identify malicious code or security weaknesses, before first including them.
42 | 
43 | ### Best Practices to Keep them Secure
44 | 
45 | New security vulnerabilities are disclosed every day and are published in public databases like the NIST National Vulnerability Database ([NVD](https://nvd.nist.gov/)) which identifies publicly known vulnerabilities using Common Vulnerabilities and Exposures (CVE). Furthermore, exploits made available in public databases allow attackers to automate their attacks. As a result of this, it is important to ensure on a regular basis that your software is free of well-known security vulnerabilities.
46 | 
47 | 1. **Maintain an inventory catalog** of all the third party components. It is recommended to automatically create SBOMs ([Software-Bill-Of-Materials](https://cyclonedx.org/)) from within the build pipeline. A SBOM contains all used third-party dependencies and their versions and can be automatically monitored by a variety of supply chain management tools.
48 | 
49 | 2. **Perform continuous checks.** Use your SBOMs together with periodic or continuous monitoring tools such as OWASP dependency-track to automatically detect well-known publicly disclosed vulnerabilities.
50 | 
51 | 3. **Verify for security early and often** - integrate SCA tools in early stages of software development, to gain visibility in the number and criticality of security vulnerabilities of the software and its dependencies from every stage of the software development life cycle.
52 | 
53 | 4. **Proactively** update libraries and components. Updating software must be a recurring task that occurs throughout the life cycle of the application or product, from ideation to retirement.
54 | 
55 | ## Vulnerabilities Prevented
56 | 
57 | Secure frameworks and libraries can help to prevent a wide range of web application vulnerabilities. It is critical to keep these frameworks and libraries up to date as described in using [vulnerable and outdated components with known vulnerabilities Top 10 2021](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/).
58 | 
59 | ## References
60 | 
61 | - OWASP Cheat Sheet: [Third Party JavaScript Management](https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html#sandboxing-content)
62 | - [OpenSSF Scorecard - Security health metrics for Open Source](https://github.com/ossf/scorecard)
63 | 
64 | ## Tools
65 | 
66 | - [OWASP Dependency-Check](https://owasp.org/www-project-dependency-check/) ­- to identify project dependencies and check for publicly disclosed vulnerabilities
67 | - [OWASP Dependency-Track](https://owasp.org/www-project-dependency-track/) - periodically monitor SBOM files for new vulnerabilities
68 | - Retire.JS scanner for JavaScript libraries
69 | - [Renovate for automated dependencies updates](https://github.com/renovatebot/renovate)
70 | - [Harbor](https://goharbor.io/) : an open source registry that secures artifacts with policies and role-based access control
71 | 


--------------------------------------------------------------------------------
/docs/archive/2024/the-top-10/c8-leverage-browser-security-features.md:
--------------------------------------------------------------------------------
  1 | # C8: Leverage Browser Security Features
  2 | 
  3 | ## Description
  4 | 
  5 | Browsers are the gateway to the web for most users. As such, it's critical to employ robust security measures to protect the user from various threats. This section outlines the techniques and policies that can be implemented to bolster browser security.
  6 | 
  7 | While we are currently focusing upon traditional web browsers, please note that there is a diverse world of other client programs out there, ranging from mobile apps, API clients to smart-TVs. We encourage to verify what client-side security features are supported by your client and use the respective HTTP headers to configure them.
  8 | 
  9 | ### Opportunistic Security and Browser-Support
 10 | 
 11 | Instructing the web browser to enforce security measures is always opportunistic: the web application cannot verify that the browser heeds the guidance given and thus these security measures should always be seen as additional (and optional) **Hardening Measures** that further complicate an attacker’s life.
 12 | 
 13 | In addition, web browsers must actually support the security guidance offered by web applications. The level of support differs between different browsers and their versions. Web sites such as <https://caniuse.com> can be used to check which web browser (versions) support which features. The supported security features can change over time, e.g., the X-XSS-Protection header has been removed from all major browsers; the browsers’ default behavior can change over time as seen with Referrer-Policy; and even the semantics of existing headers can change over time as seen with X-Content-Type-Options.
 14 | 
 15 | While the changing browser feature set can be problematic, typically newer browser provide more security features. They sometimes even enable them by default. Explicitly setting those security headers can unify the different browsers’ behaviors and thus reduces maintenance effort.
 16 | 
 17 | A fully compromised browser might not heed security guidance but if an adversary was able to take full control of a browser, they already have far more damaging attack paths than just ignoring security guidance.
 18 | 
 19 | ## Threats
 20 | 
 21 | - An attacker could execute cross-site scripting (XSS) attacks by exploiting inadequate Content Security Policy settings, potentially injecting malicious scripts into web pages.
 22 | - An attacker could perform clickjacking attacks by taking advantage of missing X-Frame-Options headers, potentially tricking users into unintended interactions with disguised web elements.
 23 | - An attacker could gather sensitive information through `Referer` HTTP headers when proper Referrer-Policy is not set, potentially exposing private data or user activities.
 24 | - An attacker could exploit MIME type confusion vulnerabilities in the absence of X-Content-Type-Options headers, potentially executing malicious scripts disguised as benign file types.
 25 | - An attacker could hijack user sessions by exploiting insecure cookie settings, potentially gaining unauthorized access to user accounts.
 26 | - An attacker could perform DNS rebinding attacks in the absence of proper DNS pinning, potentially bypassing same-origin policy restrictions.
 27 | - An attacker could exploit a cross-origin resource sharing (CORS) misconfiguration to gain unauthorized access to resources, potentially compromising data confidentiality and integrity.
 28 | 
 29 | ## Implementation
 30 | 
 31 | Typically, there are two (Security Header specific) ways that web applications can use to instruct web browsers about security: HTTP headers and HTML tags.
 32 | 
 33 | The behavior taken if a security directive is given more than one time is security header specific. For example, a duplicate X-Frame-Options header will disable its protection while a duplicate Content-Security-Policy header will lead to a stricter policy thus tightening its security.
 34 | The following is a non-exhaustive list of potential Hardening mechanisms:
 35 | 
 36 | ### Configure the Browser to prevent Information Disclosure
 37 | 
 38 | Information disclosure occurs if the browser transmits information over unencrypted channels (HTTP instead of HTTPS) or sends our too much information in the first place (e.g., through the Referer-Header). The following mechanisms reduce the possibility of information disclosure:
 39 | 
 40 | - **HTTP Strict Transport Security (HSTS)**: Ensures that browsers only connect to your website over HTTPS, preventing SSL stripping attacks.
 41 | - **Content Security Policy (CSP)**: CSP policies can instruct the browser to automatically upgrade HTTP connections to HTTPS. In addition directives such as the 'form-src' directive can be used to prevent forms from transmitting data to external sites.
 42 | - **Referrer-Policy**: when navigating between pages, the browser’s HTTP request includes the current URL within the outgoing request. This URL can include sensitive information. Using Referrer-Policy, a web-site can unify the browser’s behavior and select which information should be transmitted between web sites.
 43 | - The cookie’s **secure** flag: while not a HTTP header, this security flag is related to information disclosure. If set, the web browser will not transmit a cookie over unencrypted HTTP transports.
 44 | 
 45 | ### Reduce the potential Impact of XSS
 46 | 
 47 | JavaScript based XSS attacks have been very common for decades. To reduce the potential impact of vulnerabilities, browsers offer rich defensive mechanisms that should reduce the potential impact of XSS attacks:
 48 | 
 49 | - **Content Security Policy (CSP)**: CSP is a powerful tool that helps prevent a wide range of attacks including Cross-Site Scripting (XSS) and data injection. Strict CSP policies can effectively disable inline JavaScript and style, making it much harder for attackers to inject malicious content.  
 50 |     **Host Allowlist CSP**: Blocking all third-party JavaScript can significantly reduce the attack surface and prevent the exploitation of vulnerabilities in third-party libraries.  
 51 |     **Strict CSP**: A CSP utilizing nonces or hashes in the 'script-src' directive (often referred to as "strict CSP") provides a robust mitigation against XSS vulnerabilities. Optionally, the use of the CSP 'strict-dynamic' keyword can help to streamline the implementation of a strict CSP and to ensure compatibility with third-party JavaScript libraries when required.
 52 |     **Trusted Types**: This is a browser API that helps prevent DOM-based cross-site scripting vulnerabilities by ensuring only secure data types can be inserted into the DOM.
 53 | - The cookie’s **httpOnly** flag: while not a HTTP header, setting this flag prevents JavaScript from accessing this cookie and should be done esp. For Session cookies.
 54 | 
 55 | ### Prevent Clickjacking
 56 | 
 57 | Clickjacking, also known as UI-redress attacks, try to confuse users by overlaying a malicious site on top of a benign one. The user believes to interact with the benign one while in reality they are interacting with the malicious one.
 58 | 
 59 | - **X-Frame-Options (XFO)**: Prevents clickjacking attacks by ensuring your content is not embedded into other sites. This header is finicky to use, e.g., when used twice it is disabled.
 60 | - **Content Security Policy (CSP)**: the different frame-\* directives allow for fine-grained control of which sites are allowed to include the current website as well as which other sites can be included within the current website.
 61 | 
 62 | ### Control the Browser’s Advanced Capabilities
 63 | 
 64 | Modern browsers do not only display HTML code but are used to interface with multiple system components such as WebCams, Microphones, USB Devices, etc. While many websites do not utilize those features, attackers can abuse those.
 65 | 
 66 | - **Permission Policy**: through a permission policy a web-site can instruct the browser that the defined features will not be used by the web-site. For example, a web-site can state that it will never capture user audio. Even if an attacker is able to inject malicious code, they can thus not instruct the web-browser to capture audio.
 67 | 
 68 | ### Prevent CSRF Attacks
 69 | 
 70 | CSRF attacks abuse an existing trust relationship between the web browser and web sites.
 71 | 
 72 | - Same-Origin Cookies: Marking cookies as SameSite can mitigate the risk of cross-origin information leakage, as well as provide some protection against cross-site request forgery attacks.
 73 | - Fetch Metadata Request Headers: Checking Fetch Metadata request headers on the server-side allows deploying a strong defense-in-depth mechanism—a Resource Isolation Policy—to protect your application against common cross-origin attacks like CSRF.
 74 | 
 75 | ## Vulnerabilities Prevented
 76 | 
 77 | Implementing these browser defenses can help mitigate a range of vulnerabilities, including but not limited to:
 78 | 
 79 | - Cross-Site Scripting (XSS)
 80 | - Cross-Site Request Forgery (CSRF)
 81 | - Clickjacking
 82 | - Data Theft through insecure transmission
 83 | - Session Hijacking
 84 | - Abusing unintended browser hardware access (microphone, cameras, etc.)
 85 | 
 86 | ## Tools
 87 | 
 88 | - [Web Check](https://github.com/Lissy93/web-check)
 89 | - [Security Headers](https://securityheaders.com/)
 90 | - [Mozilla Observatory](https://observatory.mozilla.org/)
 91 | - [CSP Evaluator](https://csp-evaluator.withgoogle.com/)
 92 | 
 93 | ## References
 94 | 
 95 | - [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
 96 | - [Strict Content Security Policy](https://web.dev/articles/strict-csp)
 97 | - [Trusted Types](https://web.dev/articles/trusted-types)
 98 | - [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)
 99 | - [Security Headers Quick Reference](https://web.dev/articles/security-headers)
100 | - [Fetch Metadata Request Headers](https://www.w3.org/TR/fetch-metadata/)
101 | - [Fetch Metadata Resource Isolation Policy](https://web.dev/articles/fetch-metadata)
102 | - [Caniuse.com](https://caniuse.com/)
103 | - [OWASP Cheat Sheet Series: Clickjacking Defense](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)
104 | - [OWASP Cheat Sheet Series: Content Security Policy](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)
105 | - [OWASP Cheat Sheet Series: CSRF Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
106 | - [OWASP Cheat Sheet Series: HTTP Security Response Headers Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html)
107 | 


--------------------------------------------------------------------------------
/docs/archive/2024/the-top-10/c9-security-logging-and-monitoring.md:
--------------------------------------------------------------------------------
 1 | # C9: Implement Security Logging and Monitoring
 2 | 
 3 | ## Description
 4 | 
 5 | Logging is a concept that most developers already use for debugging and diagnostic purposes. Security logging is an equally basic concept: to log security information during the runtime operation of an application.
 6 | 
 7 | Monitoring is the live review of application and security logs using various forms of automation. The same tools and patterns can be used for operations, debugging and security purposes.
 8 | 
 9 | The goal of security logging is to detect and respond to potential security incidents.
10 | 
11 | ### Benefits of Security Logging
12 | 
13 | Security logging can be used for:
14 | 
15 | 1. Feeding intrusion detection systems
16 | 2. Forensic analysis and investigations
17 | 3. Satisfying regulatory compliance requirements
18 | 
19 | ### Logging for Intrusion Detection and Response
20 | 
21 | Use logging to identify activity that indicates that a user is behaving maliciously. Potentially malicious activity to log includes:
22 | 
23 | - Submitted data that is outside of an expected numeric range.
24 | - Submitted data that involves changes to data that should not be modifiable (select list, checkbox or other limited entry component).
25 | - Requests that violate server-side access control rules.
26 | - A more comprehensive list of possible detection points is available [here](https://cheatsheetseries.owasp.org/cheatsheets/Application_Logging_Vocabulary_Cheat_Sheet.html).
27 | 
28 | When your application encounters such activity, your application should at the very least log the activity and mark it as a high severity issue. Ideally, your application should also respond to a possible identified attack, by for example invalidating the user’s session and locking the user’s account. The response mechanisms allow the software to react in realtime to possible identified attacks.
29 | 
30 | ### Secure Logging Design
31 | 
32 | Logging solutions must be built and managed in a secure way. Secure Logging design may include the following:
33 | 
34 | - Allow expected characters only and/or encode the input based on the target to prevent [log injection](https://www.owasp.org/index.php/Log_Injection) attacks. The preferred approach would be that the logging solution performs input escaping instead of dropping data: otherwise the logging solution might discard data which would be needed for a later analysis.
35 | - Do not log sensitive information. For example, do not log password, session ID, credit cards, or social security numbers.
36 | - Protect log integrity. An attacker may attempt to tamper with the logs. Therefore, the permission of log files and log changes audit should be considered.
37 | - Forward logs from distributed systems to a central, secure logging service. This will ensure log data cannot be lost if one node is compromised. This also allows for centralized or even automated monitoring.
38 | 
39 | ## Threats
40 | 
41 | - An attacker could perform log injection attacks by manipulating log entries, potentially inserting malicious data or commands into log files.
42 | - An attacker could gain unauthorized access to sensitive information through overly verbose logging practices that inadvertently capture and store confidential data.
43 | - An attacker could engage in log tampering to cover tracks of malicious activities, potentially erasing or modifying evidence of their intrusion.
44 | - An attacker could launch denial of service attacks by overwhelming logging systems with a flood of data, potentially disrupting normal system operations or obscuring other malicious actions.
45 | - An attacker could gain unauthorized access to log files due to improper access controls, potentially exposing sensitive system information or user data.
46 | - An attacker could engage in log forging to create false audit trails, potentially misleading investigators or framing innocent parties for malicious activities.
47 | - An attacker could take advantage of insufficient logging practices to conduct malicious activities without detection, potentially prolonging their unauthorized access to systems.
48 | - An attacker could exploit log file race conditions in multi-threaded applications, potentially corrupting log data or gaining unauthorized access to sensitive information.
49 | - An attacker could perform replay attacks using information gleaned from logs, potentially reusing captured data to impersonate legitimate users or repeat authenticated actions.
50 | 
51 | ## Implementation
52 | 
53 | The following is a list of security logging implementation best practices.
54 | 
55 | - Follow a common logging format and approach within the system and across systems of an organization. An example of a common logging framework is the Apache Logging Services which helps provide logging consistency between Java, PHP, .NET, and C++ applications.
56 | - Do not log too much or too little. For example, make sure to always log the timestamp and identifying information including the source IP and user-id, but be careful not to log private (such as username) or confidential data (such as business data) unless extra care is taken.
57 | - Pay close attention to time syncing across nodes to ensure that timestamps are consistent.
58 | 
59 | ## Vulnerabilities Prevented
60 | 
61 | - Brute-Force Attacks against Login-Mechanisms
62 | 
63 | ## References
64 | 
65 | - [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
66 | - [OWASP Logging Guide](https://owasp.org/www-pdf-archive/OWASP_Logging_Guide.pdf)
67 | 
68 | ## Tools
69 | 


--------------------------------------------------------------------------------
/docs/archive/2024/the-top-10/index.md:
--------------------------------------------------------------------------------
 1 | # Introduction
 2 | 
 3 | For years, developers have suffered through introducing the same security issues into the things they build. The most common issues, which have existed for decades, have been documented by the OWASP Top Ten. Many of the issues in the earliest version still exist in some form today. A mechanism is needed to counter these challenges, and that mechanism is proactive controls.
 4 | 
 5 | Proactive controls are a catalog of better practices, a set of items developers can embrace and implement in their code bases to avoid many common security issues. Proactive controls provide positive patterns to implement solutions considered secure by design.
 6 | 
 7 | Imagine working on a web-based software, releasing a new version, and then getting reports that it contained a security vulnerability that is now being exploited in the wild. You are now forced to act reactively: analyzing the vulnerability, fixing it, creating a new software release, and getting it to your users. All this is tedious and a bit awkward, esp. When the security vulnerability was critical.
 8 | 
 9 | Proactive controls prevent this by focusing on the development itself. Their idea is to prevent common vulnerabilities during an application's inception so that those tedious and embarrassing bug fixes can be avoided altogether. Common knowledge is that a proactive approach will save resources and money in the long run.
10 | 
11 | The OWASP Top 10 Proactive Controls 2024 is a list of security techniques every software architect and developer should know and heed. The main goal of this document is to provide concrete, practical guidance that helps developers build secure software. These techniques should be applied proactively at the early stages of software development to ensure maximum effectiveness.
12 | 
13 | Please note that while complying with best proactive practices will reduce the chance of a vulnerability being in your code, there is no guarantee that code is security-bug free. And that’s okay: You have to break an egg to make an omelet — the only way of not introducing any security bugs is not to code at all. We accept that while striving to prevent as many security issues as possible.
14 | 
15 | ## How this List Was Created
16 | 
17 | This list was originally created by the current project leads with contributions from several volunteers. The document was then shared globally so even anonymous suggestions could be considered. Hundreds of changes were accepted from this open community process.
18 | 
19 | ## Security Controls
20 | 
21 | The description of each control has the same structure. The control itself has an unique name preceded by the control number: **Cx: Control Name**, e.g., *C1: Implement Access Control*.
22 | 
23 | Each control has the same sections:
24 | 
25 | - **Description**: A detailed description of the control including some best practices to consider.
26 | - **Threat(s):** A threat or threats that this control counters.
27 | - **Implementation**: Best practices and examples to illustrate how to implement each control.
28 | - **Vulnerabilities Prevented**: List of prevented vulnerabilities or risks addressed (OWASP TOP 10 Risk, CWE, etc.)
29 | - **References**: List of references for further study (OWASP Cheat sheet, Security Hardening Guidelines, etc.)
30 | - **Tools**: Set of tools/projects to easily introduce/integrate security controls into your software.
31 | 


--------------------------------------------------------------------------------
/docs/final-word.md:
--------------------------------------------------------------------------------
 1 | # Final word
 2 | 
 3 | This document should be seen as a starting point rather than a comprehensive set of techniques and practices. We want to again emphasize that this document is intended to provide initial awareness around building secure software.
 4 | 
 5 | Good next steps to help build an application security program include:
 6 | 
 7 | 1. To understand some of the risks in web application security please review the [OWASP Top Ten](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) .
 8 | 2. A secure development program should include a *comprehensive list of security requirements* .
 9 |  Use [Threat Modeling](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html) to identify potential security threats, derive security requirements, and tailor security controls to prevent those. Use standards such as the [OWASP (Web) ASVS](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project) and the [OWASP (Mobile) MASVS](https://github.com/OWASP/owasp-masvs) which provides a catalog of available security requirements along with the  relevant verification criteria.
10 | 3. To understand the core building blocks of a secure software program from a more macro point of view please review the [OWASP OpenSAMM project](https://www.owasp.org/index.php/OWASP_SAMM_Project).
11 | 


--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
 1 | # About this Project
 2 | 
 3 | Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
 4 | 
 5 | ## Aim & Objective
 6 | 
 7 | The goal of the **OWASP Top 10 Proactive Controls project** is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations. We hope that the OWASP Proactive Controls is useful to your efforts in building secure software.
 8 | 
 9 | ## Target Audience
10 | 
11 | This document is primarily written for developers. However, development managers, product owners, Q/A professionals, program managers, and anyone involved in building software can also benefit from this document.
12 | 
13 | ## How to Use this Document
14 | 
15 | This document’s main purpose is to provide a solid foundation of topics to help drive introductory software security developer training. To be effective, these controls should be used consistently and thoroughly throughout all applications.
16 | 
17 | However, this document is a starting point rather than a comprehensive set of techniques and practices.
18 | 
19 | A fully secure development process should include comprehensive requirements from a standard such as the OWASP ASVS in addition to including a range of software development activities described in maturity models such as [OWASP SAMM](https://www.owasp.org/index.php/OWASP_SAMM_Project) and [BSIMM](https://www.bsimm.com/).
20 | 
21 | ## Project Leaders
22 | 
23 | * [Andreas Happe](mailto:andreas.happe@owasp.org), connect through [linkedin](https://www.linkedin.com/in/andreashappe/), [github](https://github.com/andreashappe), [twitter/x](https://twitter.com/andreashappe)
24 | * [Jim Manico](mailto:jim.manico@owasp.org), connect through [linkedin](https://www.linkedin.com/in/jmanico/), [github](https://github.com/jmanico), [twitter/x](https://twitter.com/manicode)
25 | * [Katy Anton](mailto:katy.anton@owasp.org), connect through [linkedin](https://www.linkedin.com/in/katyanton/), [github](https://github.com/katyanton), [twitter/x](https://twitter.com/katyanton)
26 | 
27 | ## Copyright and Licence
28 | 
29 | This document is released under the Creative Commons Attribution-ShareAlike 4.0 International license. For any reuse or distribution, you must make it clear to others the license terms of this work.
30 | 


--------------------------------------------------------------------------------
/docs/introduction/about-owasp.md:
--------------------------------------------------------------------------------
 1 | # About OWASP
 2 | 
 3 | The *Open Worldwide Application Security Project* (*OWASP*) is an open community
 4 | dedicated to enabling organizations to develop, purchase, and maintain
 5 | applications and APIs that can be trusted.
 6 | 
 7 | All OWASP tools, documents, videos, presentations, and chapters are free and
 8 | open to anyone interested in improving application security.
 9 | 
10 | We advocate approaching application security as a people, process, and
11 | technology problem, because the most effective approaches to application
12 | security require improvements in these areas.
13 | 
14 | OWASP is a new kind of organization. Our freedom from commercial pressures
15 | allows us to provide unbiased, practical, and cost-effective information about
16 | application security.
17 | 
18 | OWASP is not affiliated with any technology company, although we support the
19 | informed use of commercial security technology. OWASP produces many types of
20 | materials in a collaborative, transparent, and open way.
21 | 
22 | The OWASP Foundation is the non-profit entity that ensures the project's
23 | long-term success. Almost everyone associated with OWASP is a volunteer,
24 | including the OWASP board, chapter leaders, project leaders, and project
25 | members. We support innovative security research with grants and infrastructure.
26 | 


--------------------------------------------------------------------------------
/docs/introduction/contributing.md:
--------------------------------------------------------------------------------
 1 | # How to Contribute?
 2 | 
 3 | Please don’t hesitate to contact the OWASP Proactive Control project with your questions, comments, and ideas.
 4 | 
 5 | You can contact maintainers directly, use our [project-top10-proactive-controls OWASP slack channel](https://owasp.slack.com/archives/C07KNHZAN1H), or visit [our github page](https://github.com/OWASP/www-project-proactive-controls).
 6 | 
 7 | You find the source code of the current version of the OWASP Top 10 Proactive Controls in the `docs/` directory within the git repository. Please focus upon contributions for the current version, not archived versions within `docs/archive`.
 8 | 
 9 | When you check [our open issues on github](https://github.com/OWASP/www-project-proactive-controls/issues), you can see that some issues are tagged with `help wanted` or `good first issue`. Choose these if you want to help out the project!
10 | 
11 | ## Translations
12 | 
13 | Starting with version `v4` in 2024, we don't accept inclusion of translations into the OWASP Top 10 Proactive Controls directly and are only providing the English version.
14 | 
15 | We do encourage translators to create translated versions and host them themselves and will link to those external sites/documents if notified about them.
16 | 
17 | ## How to test the OWASP Proactive Control website locally?
18 | 
19 | If you can run python, you can locally run the OWASP Proactive Control website locally. We recommend this to test your changes before pushing them to github.
20 | 
21 | To do this, we will use `venv` to create a local python environment to install the needed `mkdocs` package.
22 | 
23 | ```shell
24 | # creates and activates a new python environment in a new `venv` directory
25 | $ python3 -m venv venv
26 | $ source venv/bin/activate
27 | 
28 | # install the mkdocs package
29 | $ pip install mkdocs-material mkdocs-redirects
30 | 
31 | # switch into your checked-out OWASP Proactive Controls directory
32 | $ cd owasp-proactive-controls
33 | 
34 | # run the local webserver
35 | $ mkdocs serve
36 | 
37 | # now you can point your browser to http://localhost:8000 and check
38 | # how your changes will look like
39 | ```
40 | 
41 | ## A Big Thank you to our Contributors!
42 | 
43 | This document would not have been possible without our contributors for which we are grateful. The 2024 Version makes listing all contributors hard as we were using an untracked google shared doc in the beginning. We hope that we haven't missed someone and are very gracious for:
44 | 
45 | [Andreas Happe](https://github.com/andreashappe), [Jim Manico](https://github.com/jmanico), [Katy Anton](https://github.com/katyanton), Chris Romeo, Jasmin Mair, Abdessamad Temmar, Carl Sampson, Eyal Estrin, [Israel Chorzevski](https://github.com/sro-co-il), [Zoe Braiterman](https://github.com/zbraiterman), [Timo Pagel](https://github.com/wurstbrot), [ThreeHoolagins](https://github.com/ThreeHoolagins), [Wallace Soares](https://github.com/soareswallace), [Aref Shaheed](https://github.com/aref2008), [ThunderSon](https://github.com/ThunderSon), [Marcus Fenstrom](https://github.com/MFernstrom), [Datz](https://github.com/DatzAtWork), [Josh Grossman](https://github.com/tghosth), [Tomas Coiro](https://github.com/CoiroTomas), [Dr. Pi3ch](https://github.com/pi3ch), [Ishaq Mohammed](https://github.com/security-prince), [Richard Tweed](https://github.com/RichardoC), [Derek Gary](https://github.com/DerekGary), [Starr Brown](https://github.com/mamicidal), [Thomas](https://github.com/tthn0), [Christian Capellan](https://github.com/ccapellan), [Adriaan Joubert](https://github.com/adriaanjoubert), [Kenneth Kron](https://github.com/biofool), [Jaskirat Singh](https://github.com/Jassi2004), [Lukas Weichselbaum](https://github.com/lweichselbaum), [joonakokkola](https://github.com/joonakokkola), [cowsecurity](https://github.com/cowsecurity)
46 | 
47 | ### Contributors to previous Top 10 Proactive Control versions
48 | 
49 | Another round of applause to all the contributors of previous OWASP Top 10 Proactive Controls lists:
50 | 
51 | Massimiliano Graziani, [Taras Ivashchenko](mailto:taras.ivaschenko@owasp.org), Jay Zudilin, [Danny Harris](mailto:danny.harris@owasp.org), Hiroaki Kuramochi, Hiroshi Fujimoto, Hidenori Nagai, [Riotaro OKADA](mailto:riotaro@owasp.org), Robert Dracea, Koichiro Watanabe, Tony Hsu Hsiang Chih, [Cyrille Grandval](mailto:cyrille.grandval@owasp.org), [Frédéric Baillon](mailto:fbaillon@darkmira.com), [Danny Harris](mailto:danny.harris@owasp.org), Stephen de Vries, Andrew Van Der Stock, Gaz Heyes, Colin Watson, Jason Coleman, Cassio Goldschmidt, Dan Anderson, David Cybuck, Dave Ferguson, Osama Elnaggar, Rick Mitchell
52 | 


--------------------------------------------------------------------------------
/docs/introduction/in-the-news.md:
--------------------------------------------------------------------------------
 1 | # OWASP Top 10 Proactive Controls in the News
 2 | 
 3 | ## 2024
 4 | 
 5 | Introduction of the OWASP Top 10 Proactive Controls v4 and switch to new wiki system.
 6 | 
 7 | - \[25 Nov 2025\] Podcast Series at [Cloud Security Deep Dive](https://cloudsecuritydeepdive.com/), currently contains podcasts about C1, C2, C3, C4, C5, C8.
 8 | - \[9 Sep 2024\] Featured in `SecureIdeas` post [What’s new in the OWASP Proactive Controls for 2024](https://www.secureideas.com/blog/whats-new-in-the-owasp-proactive-controls-for-2024)
 9 | - \[6 Feb 2024\] Featured in `gbhackers.` post [OWASP Top 10 Proactive Security Controls For Software Developers to Build Secure Software](https://gbhackers.com/owasp-released-top-10-proactive-controls/)
10 | 
11 | ## 2022
12 | 
13 | - \[10 Nov 2022\] [Blog Post by Kerr](https://kerr.ventures/2022/11/10/owasp-proactive-controls-the-answer-to-the-owasp-top-ten/)
14 | - \[13 June 2022\] Featured on the [GitHub Blog](https://github.blog/open-source/write-more-secure-code-owasp-top-10-proactive-controls/)
15 | 
16 | ## 2021
17 | 
18 | - \[12 Feb 2021\] Featured in oneconsult's post [OWASP Top 10 Proactive Controls – Teil 1](https://www.oneconsult.com/de/blog/news/owasp-top-10-proactive-controls-teil-1/)
19 | 
20 | ## 2020
21 | 
22 | - \[5 Nov 2020\] Featured by Snyk in [Developing secure software: how to implement the OWASP top 10 Proactive Controls](https://snyk.io/blog/owasp-top-10-proactive-controls-2020/)
23 | 
24 | ## 2019
25 | 
26 | - \[July 2019\] Featured in Coursera course from UCDavies
27 |     [Identifying Security Vulnerabilities](https://www.coursera.org/directory/videos?courseId=V1k0pBtIEemZRAqH7m9oGA)
28 | - \[23 June 2019\] Featured on HackerCombat: [Implement OWASP Proactive Controls to Work](https://hackercombat.com/implement-owasp-proactive-controls-to-work/)
29 | - \[7 June 2019\] Feature on OWASP DevSlop Show [Proactive Controls](https://www.youtube.com/watch?v=Jdb3qweDc_Q)
30 | - \[15 May 2019\] Featured in TechBeacon: [Put OWASP Top 10 Proactive Controls to work](https://techbeacon.com/security/put-owasp-top-10-proactive-controls-work)
31 | - \[2 Mar 2019\] Webinar: [The OWASP Top Ten Proactive Controls with Jim Manico](https://www.youtube.com/watch?v=ldXe8f5yVq8)
32 | 
33 | ## 2018
34 | 
35 | The OWASP Top 10 Proactive Controls 2018 (v3) were released.
36 | 
37 | - \[Dec 2018\] Featured as the resource for Security “Shifting to the Left”\! in the ISC2 course: "DevSecOps: Integrating Security into DevOps”
38 | - \[20 Sep 2018\] Featured in TechBeacon: [OWASP Top 10 Proactive Controls 2018: How it makes your code more secure](https://techbeacon.com/owasp-top-10-proactive-controls-2018-how-it-makes-your-code-more-secure)
39 | - \[17 Sep 2018\] Binary Blogger Podcast Episodes: [OWASP Top 10 Proactive Controls Podcast Episodes](https://binaryblogger.com/2018/09/17/owasp-top-10-proactive-controls-podcast-episodes/)
40 | - \[9 May 2018\] Featured in [Developer's security guide: 50 online resources to shift left](https://techbeacon.com/developer-secure-code-starter-kit-resources)
41 | - \[7 May 2018\] 3.0 released\!
42 | 
43 | ## Older Versions
44 | 
45 | News Posts for older versions of the Proactive Controls can be found here:
46 | 
47 | - [News about the 2016 version](./../archive/2016/in-the-news.md)
48 | 


--------------------------------------------------------------------------------
/docs/introduction/related-owasp-projects.md:
--------------------------------------------------------------------------------
 1 | # Related OWASP Projects
 2 | 
 3 | OWASP is a volunteer-driven organization. Those volunteers contributed many useful documents, and this section points to some related OWASP documents and projects:
 4 | 
 5 | ## OWASP Top 10
 6 | 
 7 | The best-known OWASP document is the [OWASP Top 10](https://owasp.org/Top10/). They detail the most common web application vulnerabilities and are also the base for this document. In contrast, this document is focused on defensive techniques and controls as opposed to risks. Each control in this document will map to one or more items in the risk-based OWASP Top 10. This mapping information is included at the end of each control description.
 8 | 
 9 | ## OWASP ASVS
10 | 
11 | [The OWASP Application Security Verification Standard (ASVS)](https://owasp.org/www-project-application-security-verification-standard/) is a catalog of available security requirements and verification criteria. OWASP ASVS can be a source of detailed security requirements for development teams. Security requirements are categorized into different buckets based on a shared higher order security function. For example, the ASVS contains categories such as authentication, access control, error handling / logging, and web services. Each category contains a collection of requirements that represent the best practices for that category drafted as verifiable statements.
12 | 
13 | ## OWASP SAMM
14 | 
15 | [Software Assurance Maturity Model (SAMM)](https://www.opensamm.org/) is an open framework to help organizations implement a strategy for maturing the software security tailored to the specific risks of the organization. . [SAMM](https://owaspsamm.org/about/) supports the complete software life cycle and can be used to identify what
16 | 
17 | ## Threat Modeling in General
18 | 
19 | Threat Modeling is an important part of secure application development, which can help identify potential security threats, derive security requirements, and tailor security controls to prevent potential threats. Successful use of security requirements involves four steps: discovery, documentation, implementation, and verification of the correct implementation of the functionality within an application. Threat modelling is one way to derive security requirements. Other sources are: industry standards, applicable laws, history of past vulnerabilities. Modeling tools, like [OWASP Threat Dragon](https://owasp.org/www-project-threat-dragon/) can be used to create threat model diagrams as part of a secure development life cycle.
20 | 
21 | ## Domain-Specific Documents
22 | 
23 | It is important to notice that this document primarily focuses on web applications, but other Top 10s could apply to your application, too. Examples of those are:
24 | 
25 | - OWASP API Top 10
26 | - OWASP Mobile Application Top 10
27 | 


--------------------------------------------------------------------------------
/docs/the-top-10/c1-accesscontrol.md:
--------------------------------------------------------------------------------
  1 | # C1: Implement Access Control
  2 | 
  3 | ## Description
  4 | 
  5 | Access Control (or Authorization) is allowing or denying specific requests from a user, program, or process. With each access control decision, a given subject requests access to a given object. Access control is the process that considers the defined policy and determines if a given subject is allowed to access a given object.
  6 | 
  7 | Access control also involves the act of granting and revoking those privileges.
  8 | 
  9 | Access Control often applies on multiple levels, e.g., given an application with a database backend, it applies both on the business logic level as well as on a database row level. In addition, applications can offer multiple ways of performing operations (e.g., through APIs or the website). All those different levels and access paths must be aligned, i.e., use the same access control checks, to protect against security vulnerabilities.
 10 | 
 11 | Authorization (verifying access to specific features or resources) is not equivalent to authentication (verifying identity).
 12 | 
 13 | ## Threats
 14 | 
 15 | - An attacker could take advantage of a loosely configured access control policy to access data the organization did not intend to make accessible.
 16 | - An attacker could discover multiple access control components within an application and exploit the weakest.
 17 | - An administrator could forget to decommission an old account, and an attacker could discover that account and use it to access data.
 18 | - An attacker could gain access to data that had a policy that dropped into a final step of allowing access. (Lack of default deny)
 19 | 
 20 | ## Implementation
 21 | 
 22 | Below is a minimum set of access control design requirements that should be considered at the initial stages of application development.
 23 | 
 24 | ### 1) Design Access Control Thoroughly Up Front
 25 | 
 26 | Once you have chosen a specific access control design pattern, it is often difficult and time-consuming to re-engineer access control in your application with a new pattern. Access Control is one of the main areas of application security design that must be thoroughly designed up front, especially when addressing requirements like multi-tenancy and horizontal (data dependent) access control.
 27 | 
 28 | Two core types of access control design should be considered.
 29 | 
 30 | - Role Based Access Control (RBAC) is a model for controlling access to resources where permitted actions on resources are identified with roles rather than with individual subject identities.
 31 | - Attribute Based Access Control (ABAC) will grant or deny user access based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized, and more relevant to the policies at hand.
 32 | Access Control design may start simple but can often become complex and feature-heavy security control. When evaluating the access control capability of software frameworks, ensure that your access control functionality will allow for customization for your specific access control feature need.
 33 | 
 34 | ### 2) Force Every Access Request to Go Through an Access Control Check
 35 | 
 36 | Ensure that all access requests are forced to go through an access control verification layer. Technologies like Java filters or other automatic request processing mechanisms are ideal programming components that will ensure that all requests go through an access control check. This is referred to as _Policy Enforcement Point_ in [RFC 2904](https://datatracker.ietf.org/doc/html/rfc2904#section-4.3).
 37 | 
 38 | ### 3) Consolidate the access control check
 39 | 
 40 | Use a single access control procedure or routine. This prevents the scenario where you have multiple access control implementations, where most are correct, but some are flawed. By using a centralized approach, you can focus security resources on reviewing and fixing one central library or function that performs the access control check, and then reuse it throughout your code base and organization.
 41 | 
 42 | ### 4) Deny by Default
 43 | 
 44 | Ensure that by default, all the requests are denied, unless they are specifically allowed. This also includes accessing API (REST or webhooks) with missing access controls.
 45 | There are many ways that this rule will manifest in the application code. Some examples are:
 46 | 
 47 | 1. Application code may throw an error or exception while processing access control requests. In these cases, access control should always be denied.
 48 | 
 49 | 2. When an administrator creates a new user or a user registers for a new account, that account should have minimal or no access by default until that access is configured.
 50 | 
 51 | 3. When a new feature is added to an application, all users should be denied to use it until it’s properly configured.
 52 | 
 53 | ### 5) Principle of Least Privilege / Just in Time (JIT), Just Enough Access (JEA)
 54 | 
 55 | An example of implementing that principle is to create dedicated privileged roles and accounts for every organization function that requires highly privileged activities and avoid using an “admin” role/account that is fully privileged daily.
 56 | 
 57 | To further improve the security, you can implement Just-in-Time (JIT) or Just-enough-Access (JEA): ensure that all users, programs, or processes are only given just enough access to achieve their current mission. This access should be provided just in time, when the subject makes the request, and the access should be granted for a short time. Be wary of systems that do not provide granular access control configuration capabilities.
 58 | 
 59 | ### 6) Do not Hard-code Roles
 60 | 
 61 | Many application frameworks default to access control that is role based. It is common to find application code filled with checks of this nature.
 62 | 
 63 | ```java
 64 | if (user.hasRole("ADMIN")) || (user.hasRole("MANAGER")) {
 65 |     deleteAccount();
 66 | }
 67 | ```
 68 | 
 69 | Be careful about this type of role-based programming in code. It has the following limitations or dangers:
 70 | 
 71 | - Role-based programming of this nature is fragile. It is easy to create incorrect or missing role checks in code.
 72 | - Hard-Coded Roles do not allow for multi-tenancy. Extreme measures like forking the code or adding checks for each customer will be required to allow role-based systems to have different rules for different customers.
 73 | - Large code bases with many access control checks can make it difficult to audit or verify the overall application access control policy.
 74 | - Hard coded roles can also be seen as a backdoor when discovered during audits.
 75 | 
 76 | ### 7) ABAC Policy Enforcement Point Example
 77 | 
 78 | Please consider the following access control enforcement points using this following programming methodology:
 79 | 
 80 | ```java
 81 | if (user.hasPermission("DELETE_ACCOUNT")) {
 82 |     deleteAccount();
 83 | }
 84 | ```
 85 | 
 86 | Attribute or feature-based access control checks of this nature are the starting point to building well-designed and feature-rich access control systems. This type of programming also allows for greater access control customization capability over time.
 87 | 
 88 | ## Vulnerabilities Prevented
 89 | 
 90 | - [OWASP Top 10 2021-A01_2021-Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
 91 | - [CWE Top 25 - 11:CWE-862 Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)
 92 | - [CWE Top 25 - 24:CWE-863 Incorrect Authorization](https://cwe.mitre.org/data/definitions/863.html)
 93 | 
 94 | ## References
 95 | 
 96 | - [OWASP Cheat Sheet: Authorization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html)
 97 | - [OWASP Cheat Sheet: Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
 98 | - [OWASP Cheat Sheet: Insecure Direct Object Reference Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)
 99 | - [OWASP ASVS V4 Access Control](https://owasp.org/www-project-application-security-verification-standard/)
100 | - [OWASP Testing Guide: Authorization Testing](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/05-Authorization_Testing/)
101 | - [OAuth2.0](https://oauth.net/2/) protocol for authorization
102 | - [Draft OAuth2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-10)
103 | - [Policy Enforcement in RFC 2904](https://datatracker.ietf.org/doc/html/rfc2904#section-4.3)
104 | 
105 | ## Tools
106 | 
107 | - [ZAP](https://www.zaproxy.org/) with the optional [Access Control Testing](https://www.zaproxy.org/docs/desktop/addons/access-control-testing/) add-on
108 | - [Open Policy Agent](https://www.openpolicyagent.org/)
109 | 


--------------------------------------------------------------------------------
/docs/the-top-10/c10-stop-server-side-request-forgery.md:
--------------------------------------------------------------------------------
 1 | # C10: Stop Server Side Request Forgery
 2 | 
 3 | ## Description
 4 | 
 5 | While Injection Attacks typically target the victim server itself, Server-Side Request Forgery (SSRF) attacks try to coerce the server to perform a request on behalf of the attacker. SSRF occurs when an attacker can trick a server into making unintended requests to internal or external services, potentially bypassing security controls.
 6 | 
 7 | Why is this beneficial for the attacker? The outgoing request will be performed with the identity of the victim server and thus the attacker might execute operations with elevated operations.
 8 | 
 9 | ## Threats
10 | 
11 | Examples of this contain:
12 | 
13 | - If an SSRF attack is possible on an server within the DMZ, an attacker might be able to access other servers within the DMZ without passing a perimeter firewall
14 | - Many servers have local services running on localhost, often without any authentication/authorization as localhost. This can be abused by SSRF attacks.
15 | - If SSO is used, SSRF can be used to extract tokens/tickets/hashes from servers etc.
16 | 
17 | ## Implementation
18 | 
19 | There multiple ways of preventing SSRF:
20 | 
21 | - Input validation
22 | - If outgoing requests have to be made, check the target against an allow-list
23 | - If using XML, configure parser securely to prevent XEE
24 | 
25 | Be aware of [Unicode and other Character transformations](https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Orange_Tsai_Talk.pdf) when performing input validation.
26 | 
27 | ## Vulnerabilities Prevented
28 | 
29 | - [A10:2021 – Server-Side Request Forgery (SSRF)](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)
30 | 
31 | ## References
32 | 
33 | - [Server-Side Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
34 | - [A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!](https://cheatsheetseries.owasp.org/assets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet_Orange_Tsai_Talk.pdf)
35 | 
36 | ## Tools
37 | 
38 | - [SSRFmap](https://github.com/swisskyrepo/SSRFmap)
39 | 


--------------------------------------------------------------------------------
/docs/the-top-10/c4-secure-architecture.md:
--------------------------------------------------------------------------------
  1 | # C4: Address Security from the Start
  2 | 
  3 | ## Description
  4 | 
  5 | When designing a new application, creating a secure architecture prevents vulnerabilities before they even become part of the application. This prevents costly repairs and repudiation problems.
  6 | 
  7 | There are design principles that lead to secure architectures:
  8 | 
  9 | - **keep it simple, stupid** (KISS): the easier an application is to understand, the easier it is to reason about its components and their interactions. This allows to reason about the application's security behavior.
 10 | - **Make it easy to do the right thing**: don't expect the user to read documentation or invest time to "do things the right way". By default the application should behave in a secure manner. To make it insecure, an explicit action by the user has to take place.
 11 | - **don't rely on obscurity**: if the only security is due to the intransparency of the application or its source code, the application is not secure at all.
 12 | - **Identify and minimize your exposed components** ("attack surface"): attackers cannot attack what's not there.
 13 | - **Design for Defense-in-Depth**: think about what happens, if a component is breached and about the potential blast radius of an attack.
 14 | 
 15 | ### Usage of Third-Party Components such as Libraries and Frameworks
 16 | 
 17 | While it might be possible to implement all requirements manually, it is highly recommended to base one's architecture upon established and well-maintained third-party components. This has multiple benefits:
 18 | 
 19 | - **Don't reimplement the wheel** and learn from (security) failures of others. Often, existing libraries and frameworks have undergone a security audit and security issues have been identified and eventually remediated. Benefit from the security works of others!
 20 | - **Secure Defaults**: more and more frameworks offer defensive and secure defaults. To enable risky behavior, manual developer interaction is needed.
 21 | - **But keep them up to date**. While you gain benefits from using maintained frameworks, you know have the maintenance burden of tracking their new releases for security notes.
 22 | - **Don't fight the framework**. If using a framework feels like you are fighting it each and every step, then maybe this concrete framework is not a good match for your development style or architecture (or vice versa).
 23 | 
 24 | ## Threats
 25 | 
 26 | - If the application is only protected by security-by-obscurity, an attacker that reverse-engineers the application has full permissions as soon the obfuscation is cleared-up. In addition, an attacker is able to monitor network traffic: while the obfuscation might be performed on the code-level, the operations on the network level can easily be analyzed.
 27 | - A web-application with a complex authorization scheme is deployed. A new software developer is tasked with extending one of the components. Due to the complexity, they misconfigure the authorization scheme and an attacker is able to exploit IDOR.
 28 | - A web-application with a complex authorization scheme is deployed. A new software developer adds a new plugin to the system. The system makes it hard to do the right thing, and all security configuration must be manually added to the plugin, by-default no security measures are taken. The new developer is not configuring anything thus the new plugin introduces an IDOR into the system.
 29 | - A web-application has many components, all of which are exposed to the public internet. The resulting attack surface is massive. For example, a database management tool (e.g., `phpmyadmin`) is deployed. After a 0day was found in `mysqladmin`, the whole database was extracted. During normal use, nobody uses `phpmyadmin`.
 30 | 
 31 | ## Implementation
 32 | 
 33 | The mantra "Complexity is the enemy of security" can be seen throughout this implementation guidance.
 34 | 
 35 | ### Design for Clarity and Transparency
 36 | 
 37 | Architecture should focus upon simplicity: the designed software should be only as complex as the intended user's requirements warrant. Focusing upon simplicity brings multiple benefits for the created software:
 38 | 
 39 | - It is easier to reason about a simple system. This allows to reason about potential security impacts of changes.
 40 | - Long-term maintenance is aided through the simpler design.
 41 | - The design should focus upon transparency, i.e., the security should not depend upon security-by-obscurity.
 42 | 
 43 | ### Make it easy to do the right thing
 44 | 
 45 | Two terms often heard are "security by design" and "security by default". The former implies, that the software system should be usable in a secure manner while the latter means that the initial configuration of the software system is secure.
 46 | 
 47 | This implies, that an system administrator has to make an explicit choice to introduce insecure configuration into the system. In contrast, the path of least resistance should always result in a secure system.
 48 | 
 49 | When focusing upon end-user interactions, this aspect is important for designing user interfaces and flows. When focusing upon developer interactions, developer-facing facilities such as framework, APIs, network APIs should be designed that when using them with default values, only secure operations should occur. Think about this when designing your configuration files too
 50 | 
 51 | ### Clearly articulate what's trusted to do what, and ensure those relationships are enforced
 52 | 
 53 | Clearly articulate what's trusted to do what, and ensure those relationships are enforced, e.g., trust boundaries delineate blast radius and are enforced by controls, such as firewalls or gateways.
 54 | 
 55 | Attenuate what's allowed by careful validation at each step. Go deeper with threat modeling mnemonics like stride or methodologies like stride per element.
 56 | 
 57 | ### Identify and minimize your exposed components ("attack surface")
 58 | 
 59 | Identify all areas that an attacker can access, review them and try to minimize them: attackers cannot attack what's not there.
 60 | 
 61 | In addition, exposing only a minimal set of operations makes long-term maintenance easier.
 62 | 
 63 | ### Use well-known Architecture Patterns
 64 | 
 65 | Experts have shared their wisdom about best practices in an easily digestible format called secure architecture patterns. Architecture patterns are reusable and can be applied across multiple applications.
 66 | 
 67 | For a solution to be considered a pattern, it must have these characteristics:
 68 | 
 69 | - First, a secure architecture pattern must solve a security problem.
 70 | - Second, a secure architecture pattern must not be tied to a specific vendor or technology.
 71 | - Third, a secure architecture pattern must demonstrate how it mitigates threats.
 72 | - Fourth, a [secure architecture pattern](https://securitypatterns.io/what-is-a-security-pattern/) must use standardized terms for threats and controls for easy reuse.
 73 | 
 74 | An architecture pattern is a way to solve a problem using a standard solution versus creating a custom solution. A secure architecture pattern is a standard solution that has been reviewed and hardened against known security threats.
 75 | 
 76 | Implementation:
 77 | 
 78 | 1. Identify the problem that requires solving.
 79 | 2. Consider the catalog of available secure architecture patterns.
 80 | 3. Choose a secure architecture pattern for the design.
 81 | 4. Implement the secure architecture pattern.
 82 | 
 83 | ## Vulnerabilities Prevented
 84 | 
 85 | - Business Logic Flaws: These patterns can help in structuring the application to avoid complex and often overlooked business logic vulnerabilities.
 86 | - OWASP Top 10 2021-A04 (Insecure Design): Secure architecture patterns directly target the mitigation of risks associated with insecure design, a key concern highlighted by OWASP.
 87 | 
 88 | ## References
 89 | 
 90 | - <https://securitypatterns.io/what-is-a-security-pattern/>
 91 | - <https://owasp.org/www-pdf-archive/Vanhilst_owasp_140319.pdf>
 92 | - [OWASP Cheat Sheet Series: Attack Surface Analysis](https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html)
 93 | - [OWASP Cheat Sheet Series: Microservices-based Security Arch Doc](https://cheatsheetseries.owasp.org/cheatsheets/Microservices_based_Security_Arch_Doc_Cheat_Sheet.html)
 94 | - [OWASP Cheat Sheet: Secure Product Design](https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html)
 95 | - [OWASP Cheat Sheet: Threat Modeling](https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html)
 96 | 
 97 | ## Tools
 98 | 
 99 | - [OWASP Threat Dragon](https://owasp.org/www-project-threat-dragon/)
100 | - [Amazon AWS Threat-Composer](https://github.com/awslabs/threat-composer)
101 | - [StrideGPT](https://github.com/mrwadams/stride-gpt)
102 | 


--------------------------------------------------------------------------------
/docs/the-top-10/c5-secure-by-default.md:
--------------------------------------------------------------------------------
 1 | # C5: Secure By Default Configurations
 2 | 
 3 | ## Description
 4 | 
 5 | “Secure-by-Default” means products are resilient against prevalent exploitation techniques out of the box without additional charge. Software should start in a secure state without requiring extensive user configuration, ensuring the default settings are always the most secure option.
 6 | 
 7 | The benefit of having an application secure from the start is that it removes the burden away from developers on how to lock a system down, providing them with an already secure product. It reduces the effort required to deploy products in a secure manner and gives greater confidence that they will remain secure over time.
 8 | 
 9 | ## Threats
10 | 
11 | - An attacker could gain unauthorized access by exploiting default, weak, or well-known credentials that haven't been changed from their out-of-the-box state.
12 | - An attacker could take advantage of overly permissive default settings to access sensitive resources or perform unauthorized actions.
13 | - An attacker could gather sensitive information by probing unnecessarily enabled features or services that are active by default.
14 | - An attacker could conduct cross-site scripting (XSS) attacks by exploiting lenient default security headers that don't provide adequate protection against such threats.
15 | 
16 | ## Implementation
17 | 
18 | In modern cloud applications, when developers build applications, they are also building the infrastructure for their applications, making infrastructure decisions, including security-critical configurations, while writing their code.
19 | These are deployed on infrastructure created and configured via code, Infrastructure-as-code (IaC), using configurations applied at the application level ( including web server and database), at container, Function as a Service, or infrastructure level. For example, in the case of web applications, folder permissions need to follow the principle of least privilege to limit resource access rights. When web and mobile applications are deployed in production, the debugging should be disabled.
20 | 
21 | Is it important that when developers put together their infrastructure components, they:
22 | 
23 | 1. Implement configurations based on the Least privilege principle - for example: ensure that your cloud storage (S3 or other) is configured to be private and accessed by the minimum amount of time
24 | 2. Access is denied by default and allowed via an allowed list
25 | 3. Use container images that have been scanned for package and component vulnerabilities and pulled from a private container registry
26 | 4. Prefer declarative infrastructure configuration over manual configuration activities. On a low-level, utilize Infrastructure-as-Code templates for automated provisioning and configuration of your cloud and on-premises infrastructure. On a high-level utilize Policy-as-Code to enforce policies including privilege assignments.  
27 | Using a declarative format allows those policies to be managed similar to source code: checked-in into a source code management system, versioned, access-controlled, subject to change management, etc.
28 | 5. Traffic encryption - by default or do not implement unencrypted communication channels in the first place
29 | 
30 | ### Continuous Configurations Verification
31 | 
32 | As part of software development, a developer needs to ensure that software is configured securely by default at the application level. For example,
33 | 
34 | - The code which defines the infrastructure should follow the principle of least privilege.
35 | - Configurations and features that aren’t required such as accounts, software, and demo capabilities should be disabled.
36 | 
37 | ## Vulnerabilities Prevented
38 | 
39 | - [OWASP Top 10 2021 A05 – Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)
40 | 
41 | ## References
42 | 
43 | - OWASP Cheat Sheet: [Infrastructure as Code Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Infrastructure_as_Code_Security_Cheat_Sheet.html)
44 | - OWASP ASVS: [Application Security Verification Standard V14 Configuration](https://github.com/OWASP/ASVS/blob/master/5.0/en/0x22-V14-Config.md)
45 | - [Cloud security guidance - NCSC.GOV.UK](https://www.ncsc.gov.uk/collection/cloud-security)
46 | 
47 | ## Tools
48 | 
49 | - [Tfsec](https://github.com/aquasecurity/tfsec) - open source static analysis for your Terraform templates
50 | - [Terrascan](https://github.com/accurics/terrascan) - scan for Infrastructure-as-Code vulnerabilities
51 | - [Checkov](https://github.com/bridgecrewio/checkov) - Scan for open-source and Infrastructure-as-Code vulnerabilities
52 | - [Scout Suite](https://github.com/nccgroup/ScoutSuite) is an open source multi-cloud security-auditing tool which currently supports: Amazon Web Services, Microsoft Azure, Google Cloud Platform
53 | - [prowler](https://github.com/toniblyx/prowler)
54 | - [Cloudmapper](https://github.com/duo-labs/cloudmapper)
55 | - [Snyk](https://github.com/snyk/cli) - Scan for open-source, code, container, and Infrastructure-as-Code vulnerabilities
56 | - [Trivy](https://github.com/aquasecurity/trivy) - Scan for open-source, code, container, and Infrastructure-as-Code vulnerabilities
57 | - [KICS](https://github.com/Checkmarx/kics) - Scan for Infrastructure-as-Code vulnerabilities
58 | - [Kubescape](https://github.com/kubescape/kubescape) - Scan for Kubernetes vulnerabilities
59 | - [Kyverno](https://kyverno.io/docs/security/) - Securing Kubernetes using Policies
60 | 


--------------------------------------------------------------------------------
/docs/the-top-10/c6-use-secure-dependencies.md:
--------------------------------------------------------------------------------
 1 | # C6: Keep your Components Secure
 2 | 
 3 | ## Description
 4 | 
 5 | It is a common practice in software development to leverage libraries and frameworks. Secure libraries and software frameworks with embedded security help software developers prevent security-related design and implementation flaws.
 6 | 
 7 | A developer writing an application from scratch might not have sufficient knowledge, time, or budget to properly implement or maintain security features. Leveraging security frameworks (both open source and vendor) help accomplish security goals more efficiently and accurately.
 8 | 
 9 | When possible, the emphasis should be on using the existing secure features of frameworks rather than importing yet another third party libraries, which requires regular updates and maintenance. It is preferable to have developers take advantage of what they're already using instead of forcing yet another library on them.
10 | 
11 | When incorporating third party libraries or frameworks into your software, it is important to consider the following two categories of best practices:
12 | 
13 | 1. Identify trusted libraries and frameworks to bring into your software.
14 | 2. Monitor and update packages to ensure that your software is not vulnerable to the possible security vulnerabilities introduced by the third party components.
15 | 
16 | ## Threats
17 | 
18 | - An attacker could exploit known vulnerabilities in outdated third-party components to gain unauthorized access or execute malicious code.
19 | - An attacker could conduct supply chain attacks by compromising libraries or frameworks used in the development process, potentially inserting malicious code into the final product.
20 | - An attacker could extract sensitive information by exploiting insecure configurations in third-party components that haven't been properly hardened.
21 | - An attacker could launch denial of service attacks by targeting known vulnerabilities in external libraries, potentially disrupting the availability of services.
22 | 
23 | ## Implementation
24 | 
25 | Below each of these categories are further detailed to help secure your software.
26 | 
27 | ### Best Practices to Identify Trusted libraries
28 | 
29 | Below are listed a few criteria you can use to select the next library or framework for your software. This is not an exhaustive list, but is a good start.
30 | 
31 | 1. **Sources**: Download recommended security libraries from official sources over secure links and prefer signed packages to reduce the chance of including a modified, malicious component (See A08:2021-Software and Data Integrity Failures).
32 | 
33 | 2. **Popularity**: Leverage libraries and frameworks used by many applications which have around large communities. Consider data points such as the number of GitHub stars a package’s source code repository has received, and number of downloads from within a package manager.
34 | 
35 | 3. **Activity:** Ensure that the library/ framework is actively maintained and issues are resolved in a timely fashion.
36 | 
37 | 4. **Maturity**: Use stable versions . Projects in early stages of development area higher risk to your software .
38 | 
39 | 5. **Complexity**: A large, complex library with lots of dependencies, is more difficult to incorporate into your software. Also, a high number of dependencies indicates a higher number of future upgrades to ensure all those dependencies are up-to-date and secured.
40 | 
41 | 6. **Security**: If the package is open source, you can use static application security testing (SAST) or [Software Composition Analysis](https://en.everybodywiki.com/Software_Composition_Analysis#:~:text=Software%20Composition%20Analysis%20%28SCA%29%20comprises,been%20integrated%20into%20your%20applications.) (SCA) to help identify malicious code or security weaknesses, before first including them.
42 | 
43 | ### Best Practices to Keep them Secure
44 | 
45 | New security vulnerabilities are disclosed every day and are published in public databases like the NIST National Vulnerability Database ([NVD](https://nvd.nist.gov/)) which identifies publicly known vulnerabilities using Common Vulnerabilities and Exposures (CVE). Furthermore, exploits made available in public databases allow attackers to automate their attacks. As a result of this, it is important to ensure on a regular basis that your software is free of well-known security vulnerabilities.
46 | 
47 | 1. **Maintain an inventory catalog** of all the third party components. It is recommended to automatically create SBOMs ([Software-Bill-Of-Materials](https://cyclonedx.org/)) from within the build pipeline. A SBOM contains all used third-party dependencies and their versions and can be automatically monitored by a variety of supply chain management tools.
48 | 
49 | 2. **Perform continuous checks.** Use your SBOMs together with periodic or continuous monitoring tools such as OWASP dependency-track to automatically detect well-known publicly disclosed vulnerabilities.
50 | 
51 | 3. **Verify for security early and often** - integrate SCA tools in early stages of software development, to gain visibility in the number and criticality of security vulnerabilities of the software and its dependencies from every stage of the software development life cycle.
52 | 
53 | 4. **Proactively** update libraries and components. Updating software must be a recurring task that occurs throughout the life cycle of the application or product, from ideation to retirement.
54 | 
55 | ## Vulnerabilities Prevented
56 | 
57 | Secure frameworks and libraries can help to prevent a wide range of web application vulnerabilities. It is critical to keep these frameworks and libraries up to date as described in using [vulnerable and outdated components with known vulnerabilities Top 10 2021](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/).
58 | 
59 | ## References
60 | 
61 | - OWASP Cheat Sheet: [Third Party JavaScript Management](https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html#sandboxing-content)
62 | - [OpenSSF Scorecard - Security health metrics for Open Source](https://github.com/ossf/scorecard)
63 | 
64 | ## Tools
65 | 
66 | - [OWASP Dependency-Check](https://owasp.org/www-project-dependency-check/) ­- to identify project dependencies and check for publicly disclosed vulnerabilities
67 | - [OWASP Dependency-Track](https://owasp.org/www-project-dependency-track/) - periodically monitor SBOM files for new vulnerabilities
68 | - Retire.JS scanner for JavaScript libraries
69 | - [Renovate for automated dependencies updates](https://github.com/renovatebot/renovate)
70 | - [Harbor](https://goharbor.io/) : an open source registry that secures artifacts with policies and role-based access control
71 | 


--------------------------------------------------------------------------------
/docs/the-top-10/c8-leverage-browser-security-features.md:
--------------------------------------------------------------------------------
  1 | # C8: Leverage Browser Security Features
  2 | 
  3 | ## Description
  4 | 
  5 | Browsers are the gateway to the web for most users. As such, it's critical to employ robust security measures to protect the user from various threats. This section outlines the techniques and policies that can be implemented to bolster browser security.
  6 | 
  7 | While we are currently focusing upon traditional web browsers, please note that there is a diverse world of other client programs out there, ranging from mobile apps, API clients to smart-TVs. We encourage to verify what client-side security features are supported by your client and use the respective HTTP headers to configure them.
  8 | 
  9 | ### Opportunistic Security and Browser-Support
 10 | 
 11 | Instructing the web browser to enforce security measures is always opportunistic: the web application cannot verify that the browser heeds the guidance given and thus these security measures should always be seen as additional (and optional) **Hardening Measures** that further complicate an attacker’s life.
 12 | 
 13 | In addition, web browsers must actually support the security guidance offered by web applications. The level of support differs between different browsers and their versions. Web sites such as <https://caniuse.com> can be used to check which web browser (versions) support which features. The supported security features can change over time, e.g., the X-XSS-Protection header has been removed from all major browsers; the browsers’ default behavior can change over time as seen with Referrer-Policy; and even the semantics of existing headers can change over time as seen with X-Content-Type-Options.
 14 | 
 15 | While the changing browser feature set can be problematic, typically newer browser provide more security features. They sometimes even enable them by default. Explicitly setting those security headers can unify the different browsers’ behaviors and thus reduces maintenance effort.
 16 | 
 17 | A fully compromised browser might not heed security guidance but if an adversary was able to take full control of a browser, they already have far more damaging attack paths than just ignoring security guidance.
 18 | 
 19 | ## Threats
 20 | 
 21 | - An attacker could execute cross-site scripting (XSS) attacks by exploiting inadequate Content Security Policy settings, potentially injecting malicious scripts into web pages.
 22 | - An attacker could perform clickjacking attacks by taking advantage of missing X-Frame-Options headers, potentially tricking users into unintended interactions with disguised web elements.
 23 | - An attacker could gather sensitive information through `Referer` HTTP headers when proper Referrer-Policy is not set, potentially exposing private data or user activities.
 24 | - An attacker could exploit MIME type confusion vulnerabilities in the absence of X-Content-Type-Options headers, potentially executing malicious scripts disguised as benign file types.
 25 | - An attacker could hijack user sessions by exploiting insecure cookie settings, potentially gaining unauthorized access to user accounts.
 26 | - An attacker could perform DNS rebinding attacks in the absence of proper DNS pinning, potentially bypassing same-origin policy restrictions.
 27 | - An attacker could exploit a cross-origin resource sharing (CORS) misconfiguration to gain unauthorized access to resources, potentially compromising data confidentiality and integrity.
 28 | 
 29 | ## Implementation
 30 | 
 31 | Typically, there are two (Security Header specific) ways that web applications can use to instruct web browsers about security: HTTP headers and HTML tags.
 32 | 
 33 | The behavior taken if a security directive is given more than one time is security header specific. For example, a duplicate X-Frame-Options header will disable its protection while a duplicate Content-Security-Policy header will lead to a stricter policy thus tightening its security.
 34 | The following is a non-exhaustive list of potential Hardening mechanisms:
 35 | 
 36 | ### Configure the Browser to prevent Information Disclosure
 37 | 
 38 | Information disclosure occurs if the browser transmits information over unencrypted channels (HTTP instead of HTTPS) or sends our too much information in the first place (e.g., through the Referer-Header). The following mechanisms reduce the possibility of information disclosure:
 39 | 
 40 | - **HTTP Strict Transport Security (HSTS)**: Ensures that browsers only connect to your website over HTTPS, preventing SSL stripping attacks.
 41 | - **Content Security Policy (CSP)**: CSP policies can instruct the browser to automatically upgrade HTTP connections to HTTPS. In addition directives such as the 'form-src' directive can be used to prevent forms from transmitting data to external sites.
 42 | - **Referrer-Policy**: when navigating between pages, the browser’s HTTP request includes the current URL within the outgoing request. This URL can include sensitive information. Using Referrer-Policy, a web-site can unify the browser’s behavior and select which information should be transmitted between web sites.
 43 | - The cookie’s **secure** flag: while not a HTTP header, this security flag is related to information disclosure. If set, the web browser will not transmit a cookie over unencrypted HTTP transports.
 44 | 
 45 | ### Reduce the potential Impact of XSS
 46 | 
 47 | JavaScript based XSS attacks have been very common for decades. To reduce the potential impact of vulnerabilities, browsers offer rich defensive mechanisms that should reduce the potential impact of XSS attacks:
 48 | 
 49 | - **Content Security Policy (CSP)**: CSP is a powerful tool that helps prevent a wide range of attacks including Cross-Site Scripting (XSS) and data injection. Strict CSP policies can effectively disable inline JavaScript and style, making it much harder for attackers to inject malicious content.  
 50 |     **Host Allowlist CSP**: Blocking all third-party JavaScript can significantly reduce the attack surface and prevent the exploitation of vulnerabilities in third-party libraries.  
 51 |     **Strict CSP**: A CSP utilizing nonces or hashes in the 'script-src' directive (often referred to as "strict CSP") provides a robust mitigation against XSS vulnerabilities. Optionally, the use of the CSP 'strict-dynamic' keyword can help to streamline the implementation of a strict CSP and to ensure compatibility with third-party JavaScript libraries when required.
 52 |     **Trusted Types**: This is a browser API that helps prevent DOM-based cross-site scripting vulnerabilities by ensuring only secure data types can be inserted into the DOM.
 53 | - The cookie’s **httpOnly** flag: while not a HTTP header, setting this flag prevents JavaScript from accessing this cookie and should be done esp. For Session cookies.
 54 | 
 55 | ### Prevent Clickjacking
 56 | 
 57 | Clickjacking, also known as UI-redress attacks, try to confuse users by overlaying a malicious site on top of a benign one. The user believes to interact with the benign one while in reality they are interacting with the malicious one.
 58 | 
 59 | - **X-Frame-Options (XFO)**: Prevents clickjacking attacks by ensuring your content is not embedded into other sites. This header is finicky to use, e.g., when used twice it is disabled.
 60 | - **Content Security Policy (CSP)**: the different frame-\* directives allow for fine-grained control of which sites are allowed to include the current website as well as which other sites can be included within the current website.
 61 | 
 62 | ### Control the Browser’s Advanced Capabilities
 63 | 
 64 | Modern browsers do not only display HTML code but are used to interface with multiple system components such as WebCams, Microphones, USB Devices, etc. While many websites do not utilize those features, attackers can abuse those.
 65 | 
 66 | - **Permission Policy**: through a permission policy a web-site can instruct the browser that the defined features will not be used by the web-site. For example, a web-site can state that it will never capture user audio. Even if an attacker is able to inject malicious code, they can thus not instruct the web-browser to capture audio.
 67 | 
 68 | ### Prevent CSRF Attacks
 69 | 
 70 | CSRF attacks abuse an existing trust relationship between the web browser and web sites.
 71 | 
 72 | - Same-Origin Cookies: Marking cookies as SameSite can mitigate the risk of cross-origin information leakage, as well as provide some protection against cross-site request forgery attacks.
 73 | - Fetch Metadata Request Headers: Checking Fetch Metadata request headers on the server-side allows deploying a strong defense-in-depth mechanism—a Resource Isolation Policy—to protect your application against common cross-origin attacks like CSRF.
 74 | 
 75 | ## Vulnerabilities Prevented
 76 | 
 77 | Implementing these browser defenses can help mitigate a range of vulnerabilities, including but not limited to:
 78 | 
 79 | - Cross-Site Scripting (XSS)
 80 | - Cross-Site Request Forgery (CSRF)
 81 | - Clickjacking
 82 | - Data Theft through insecure transmission
 83 | - Session Hijacking
 84 | - Abusing unintended browser hardware access (microphone, cameras, etc.)
 85 | 
 86 | ## Tools
 87 | 
 88 | - [Web Check](https://github.com/Lissy93/web-check)
 89 | - [Security Headers](https://securityheaders.com/)
 90 | - [Mozilla Observatory](https://observatory.mozilla.org/)
 91 | - [CSP Evaluator](https://csp-evaluator.withgoogle.com/)
 92 | 
 93 | ## References
 94 | 
 95 | - [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
 96 | - [Strict Content Security Policy](https://web.dev/articles/strict-csp)
 97 | - [Trusted Types](https://web.dev/articles/trusted-types)
 98 | - [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)
 99 | - [Security Headers Quick Reference](https://web.dev/articles/security-headers)
100 | - [Fetch Metadata Request Headers](https://www.w3.org/TR/fetch-metadata/)
101 | - [Fetch Metadata Resource Isolation Policy](https://web.dev/articles/fetch-metadata)
102 | - [Caniuse.com](https://caniuse.com/)
103 | - [OWASP Cheat Sheet Series: Clickjacking Defense](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)
104 | - [OWASP Cheat Sheet Series: Content Security Policy](https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html)
105 | - [OWASP Cheat Sheet Series: CSRF Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
106 | - [OWASP Cheat Sheet Series: HTTP Security Response Headers Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html)
107 | 


--------------------------------------------------------------------------------
/docs/the-top-10/c9-security-logging-and-monitoring.md:
--------------------------------------------------------------------------------
 1 | # C9: Implement Security Logging and Monitoring
 2 | 
 3 | ## Description
 4 | 
 5 | Logging is a concept that most developers already use for debugging and diagnostic purposes. Security logging is an equally basic concept: to log security information during the runtime operation of an application.
 6 | 
 7 | Monitoring is the live review of application and security logs using various forms of automation. The same tools and patterns can be used for operations, debugging and security purposes.
 8 | 
 9 | The goal of security logging is to detect and respond to potential security incidents.
10 | 
11 | ### Benefits of Security Logging
12 | 
13 | Security logging can be used for:
14 | 
15 | 1. Feeding intrusion detection systems
16 | 2. Forensic analysis and investigations
17 | 3. Satisfying regulatory compliance requirements
18 | 
19 | ### Logging for Intrusion Detection and Response
20 | 
21 | Use logging to identify activity that indicates that a user is behaving maliciously. Potentially malicious activity to log includes:
22 | 
23 | - Submitted data that is outside of an expected numeric range.
24 | - Submitted data that involves changes to data that should not be modifiable (select list, checkbox or other limited entry component).
25 | - Requests that violate server-side access control rules.
26 | - A more comprehensive list of possible detection points is available [here](https://cheatsheetseries.owasp.org/cheatsheets/Application_Logging_Vocabulary_Cheat_Sheet.html).
27 | 
28 | When your application encounters such activity, your application should at the very least log the activity and mark it as a high severity issue. Ideally, your application should also respond to a possible identified attack, by for example invalidating the user’s session and locking the user’s account. The response mechanisms allow the software to react in realtime to possible identified attacks.
29 | 
30 | ### Secure Logging Design
31 | 
32 | Logging solutions must be built and managed in a secure way. Secure Logging design may include the following:
33 | 
34 | - Allow expected characters only and/or encode the input based on the target to prevent [log injection](https://www.owasp.org/index.php/Log_Injection) attacks. The preferred approach would be that the logging solution performs input escaping instead of dropping data: otherwise the logging solution might discard data which would be needed for a later analysis.
35 | - Do not log sensitive information. For example, do not log password, session ID, credit cards, or social security numbers.
36 | - Protect log integrity. An attacker may attempt to tamper with the logs. Therefore, the permission of log files and log changes audit should be considered.
37 | - Forward logs from distributed systems to a central, secure logging service. This will ensure log data cannot be lost if one node is compromised. This also allows for centralized or even automated monitoring.
38 | 
39 | ## Threats
40 | 
41 | - An attacker could perform log injection attacks by manipulating log entries, potentially inserting malicious data or commands into log files.
42 | - An attacker could gain unauthorized access to sensitive information through overly verbose logging practices that inadvertently capture and store confidential data.
43 | - An attacker could engage in log tampering to cover tracks of malicious activities, potentially erasing or modifying evidence of their intrusion.
44 | - An attacker could launch denial of service attacks by overwhelming logging systems with a flood of data, potentially disrupting normal system operations or obscuring other malicious actions.
45 | - An attacker could gain unauthorized access to log files due to improper access controls, potentially exposing sensitive system information or user data.
46 | - An attacker could engage in log forging to create false audit trails, potentially misleading investigators or framing innocent parties for malicious activities.
47 | - An attacker could take advantage of insufficient logging practices to conduct malicious activities without detection, potentially prolonging their unauthorized access to systems.
48 | - An attacker could exploit log file race conditions in multi-threaded applications, potentially corrupting log data or gaining unauthorized access to sensitive information.
49 | - An attacker could perform replay attacks using information gleaned from logs, potentially reusing captured data to impersonate legitimate users or repeat authenticated actions.
50 | 
51 | ## Implementation
52 | 
53 | The following is a list of security logging implementation best practices.
54 | 
55 | - Follow a common logging format and approach within the system and across systems of an organization. An example of a common logging framework is the Apache Logging Services which helps provide logging consistency between Java, PHP, .NET, and C++ applications.
56 | - Do not log too much or too little. For example, make sure to always log the timestamp and identifying information including the source IP and user-id, but be careful not to log private (such as username) or confidential data (such as business data) unless extra care is taken.
57 | - Pay close attention to time syncing across nodes to ensure that timestamps are consistent.
58 | 
59 | ## Vulnerabilities Prevented
60 | 
61 | - Brute-Force Attacks against Login-Mechanisms
62 | 
63 | ## References
64 | 
65 | - [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
66 | - [OWASP Logging Guide](https://owasp.org/www-pdf-archive/OWASP_Logging_Guide.pdf)
67 | 
68 | ## Tools
69 | 


--------------------------------------------------------------------------------
/docs/the-top-10/index.md:
--------------------------------------------------------------------------------
 1 | # Introduction
 2 | 
 3 | For years, developers have suffered through introducing the same security issues into the things they build. The most common issues, which have existed for decades, have been documented by the OWASP Top Ten. Many of the issues in the earliest version still exist in some form today. A mechanism is needed to counter these challenges, and that mechanism is proactive controls.
 4 | 
 5 | Proactive controls are a catalog of better practices, a set of items developers can embrace and implement in their code bases to avoid many common security issues. Proactive controls provide positive patterns to implement solutions considered secure by design.
 6 | 
 7 | Imagine working on a web-based software, releasing a new version, and then getting reports that it contained a security vulnerability that is now being exploited in the wild. You are now forced to act reactively: analyzing the vulnerability, fixing it, creating a new software release, and getting it to your users. All this is tedious and a bit awkward, esp. When the security vulnerability was critical.
 8 | 
 9 | Proactive controls prevent this by focusing on the development itself. Their idea is to prevent common vulnerabilities during an application's inception so that those tedious and embarrassing bug fixes can be avoided altogether. Common knowledge is that a proactive approach will save resources and money in the long run.
10 | 
11 | The OWASP Top 10 Proactive Controls 2024 is a list of security techniques every software architect and developer should know and heed. The main goal of this document is to provide concrete, practical guidance that helps developers build secure software. These techniques should be applied proactively at the early stages of software development to ensure maximum effectiveness.
12 | 
13 | Please note that while complying with best proactive practices will reduce the chance of a vulnerability being in your code, there is no guarantee that code is security-bug free. And that’s okay: You have to break an egg to make an omelet — the only way of not introducing any security bugs is not to code at all. We accept that while striving to prevent as many security issues as possible.
14 | 
15 | ## How this List Was Created
16 | 
17 | This list was originally created by the current project leads with contributions from several volunteers. The document was then shared globally so even anonymous suggestions could be considered. Hundreds of changes were accepted from this open community process.
18 | 
19 | ## Security Controls
20 | 
21 | The description of each control has the same structure. The control itself has an unique name preceded by the control number: **Cx: Control Name**, e.g., *C1: Implement Access Control*.
22 | 
23 | Each control has the same sections:
24 | 
25 | - **Description**: A detailed description of the control including some best practices to consider.
26 | - **Threat(s):** A threat or threats that this control counters.
27 | - **Implementation**: Best practices and examples to illustrate how to implement each control.
28 | - **Vulnerabilities Prevented**: List of prevented vulnerabilities or risks addressed (OWASP TOP 10 Risk, CWE, etc.)
29 | - **References**: List of references for further study (OWASP Cheat sheet, Security Hardening Guidelines, etc.)
30 | - **Tools**: Set of tools/projects to easily introduce/integrate security controls into your software.
31 | 


--------------------------------------------------------------------------------
/leaders.md:
--------------------------------------------------------------------------------
1 | ### Leaders
2 | 
3 | * [Andreas Happe](mailto:andreas.happe@owasp.org)
4 | * [Jim Manico](mailto:jim.manico@owasp.org)
5 | * [Katy Anton](mailto:katy.anton@owasp.org)
6 | 


--------------------------------------------------------------------------------
/mkdocs.yml:
--------------------------------------------------------------------------------
  1 | site_name: "OWASP Top 10 Proactive Controls"
  2 | site_url: https://top10proactive.owasp.org
  3 | repo_url: https://github.com/OWASP/www-project-proactive-controls/
  4 | theme:
  5 |   name: material
  6 |   custom_dir: overrides
  7 |   static_templates:
  8 |     - 404.html
  9 |     - google6fbf6cc04efaa5b5.html
 10 |   features:
 11 |     - navigation.indexes
 12 |     - navigation.sections
 13 |     - navigation.tracking
 14 |     - navigation.path
 15 |     - navigation.tabs
 16 |     - navigation.top
 17 |     - search.suggest
 18 |     - search.highlight
 19 |     - content.tabs.link
 20 |     - content.code.annotation
 21 |     - content.code.copy
 22 |   language: en
 23 |   palette:
 24 |     - scheme: default
 25 |       toggle:
 26 |         icon: material/toggle-switch-off-outline
 27 |         name: Switch to dark mode
 28 |       primary: teal
 29 |       accent: purple
 30 |     - scheme: slate
 31 |       toggle:
 32 |         icon: material/toggle-switch
 33 |         name: Switch to light mode
 34 |       primary: teal
 35 |       accent: lime
 36 | 
 37 | markdown_extensions:
 38 |   - admonition
 39 |   - pymdownx.details
 40 |   - pymdownx.highlight:
 41 |       anchor_linenums: true
 42 |       line_spans: __span
 43 |       pygments_lang_class: true
 44 |   - pymdownx.inlinehilite
 45 |   - pymdownx.snippets
 46 |   - pymdownx.superfences
 47 | 
 48 | extra:
 49 |   social:
 50 |     - icon: fontawesome/brands/github-alt
 51 |       link: https://github.com/OWASP/www-project-proactive-controls
 52 |   analytics:
 53 |     provider: google
 54 |     property: G-7YFX9CCX5E
 55 | 
 56 | copyright: |
 57 |   <div style="float: left; padding-right: 1em;">
 58 |     <a href="https://www.owasp.org"><img src="https://github.com/OWASP/owasp-mastg/blob/master/Document/Images/OWASP_logo_white.png?raw=true" width="100px" /></a>
 59 |   </div>
 60 |   <span style="font-size: smaller">
 61 |     &#169; OWASP Foundation 2024. This work is licensed under 
 62 |     <a href="https://creativecommons.org/licenses/by/4.0">CC-BY-4.0</a>. For any reuse or distribution, you must make clear to others the license terms of this work.
 63 |   </span><br><span style="font-size: smaller">OWASP &#174; is a registered trademark of the OWASP Foundation, Inc.</span> <span>This website uses cookies to analyze our traffic and only share that information with our analytics partners. <a href="https://github.com/OWASP/owasp-mastg/blob/master/about_cookies.md">Learn more</a>.</span>
 64 | 
 65 | nav:
 66 |   - 'Future Top 10 (WIP)':
 67 |     - index.md
 68 |     - 'In the News': introduction/in-the-news.md
 69 |     - 'How to contribute?': introduction/contributing.md
 70 |     - 'About OWASP': introduction/about-owasp.md
 71 |     - 'Related OWASP Projects': introduction/related-owasp-projects.md
 72 |     - 'Top 10 Proactive Controls:':
 73 |       - the-top-10/index.md
 74 |       - "C1: Implement Access Control": the-top-10/c1-accesscontrol.md
 75 |       - "C2: Use Cryptography to Protect Data": the-top-10/c2-crypto.md
 76 |       - "C3: Validate all Input & Handle Exceptions": the-top-10/c3-validate-input-and-handle-exceptions.md
 77 |       - "C4: Address Security from the Start": the-top-10/c4-secure-architecture.md
 78 |       - "C5: Secure By Default Configurations": the-top-10/c5-secure-by-default.md
 79 |       - "C6: Keep your Components Secure": the-top-10/c6-use-secure-dependencies.md
 80 |       - "C7: Secure Digital Identities": the-top-10/c7-secure-digital-identities.md
 81 |       - "C8: Leverage Browser Security Features": the-top-10/c8-leverage-browser-security-features.md
 82 |       - "C9: Implement Security Logging and Monitoring": the-top-10/c9-security-logging-and-monitoring.md
 83 |       - "C10: Stop Server Side Request Forgery": the-top-10/c10-stop-server-side-request-forgery.md
 84 |     - 'Final Word': final-word.md
 85 |   - 'Top 10 2024':
 86 |     - archive/2024/index.md
 87 |     - 'In the News': archive/2024/introduction/in-the-news.md
 88 |     - 'How to contribute?': archive/2024/introduction/contributing.md
 89 |     - 'About OWASP': archive/2024/introduction/about-owasp.md
 90 |     - 'Related OWASP Projects': archive/2024/introduction/related-owasp-projects.md
 91 |     - 'Top 10 Proactive Controls:':
 92 |       - archive/2024/the-top-10/index.md
 93 |       - "C1: Implement Access Control": archive/2024/the-top-10/c1-accesscontrol.md
 94 |       - "C2: Use Cryptography to Protect Data": archive/2024/the-top-10/c2-crypto.md
 95 |       - "C3: Validate all Input & Handle Exceptions": archive/2024/the-top-10/c3-validate-input-and-handle-exceptions.md
 96 |       - "C4: Address Security from the Start": archive/2024/the-top-10/c4-secure-architecture.md
 97 |       - "C5: Secure By Default Configurations": archive/2024/the-top-10/c5-secure-by-default.md
 98 |       - "C6: Keep your Components Secure": archive/2024/the-top-10/c6-use-secure-dependencies.md
 99 |       - "C7: Secure Digital Identities": archive/2024/the-top-10/c7-secure-digital-identities.md
100 |       - "C8: Leverage Browser Security Features": archive/2024/the-top-10/c8-leverage-browser-security-features.md
101 |       - "C9: Implement Security Logging and Monitoring": archive/2024/the-top-10/c9-security-logging-and-monitoring.md
102 |       - "C10: Stop Server Side Request Forgery": archive/2024/the-top-10/c10-stop-server-side-request-forgery.md
103 |     - 'Final Word': archive/2024/final-word.md
104 |   - 'Top 10 2018':
105 |     - 'About Project': archive/2018/0x02-about-project.md
106 |     - 'In the News': archive/2018/in-the-news.md
107 |     - 'Translations': archive/2018/translations.md
108 |     - 'About OWASP': archive/2018/0x01-about-owasp.md
109 |     - 'About Structure': archive/2018/0x03-about-structure.md
110 |     - 'Introduction': archive/2018/0x04-introduction.md
111 |     - 'C1: Define Security Requirements': archive/2018/c1-security-requirements.md
112 |     - 'C2: Leverage Security Frameworks and Libraries': archive/2018/c2-leverage-security-frameworks-libraries.md
113 |     - 'C3: Secure Database Access': archive/2018/c3-secure-database.md
114 |     - 'C4: Encode and Escape Data': archive/2018/c4-encode-escape-data.md
115 |     - 'C5: Validate All Inputs': archive/2018/c5-validate-inputs.md
116 |     - 'C6: Implement Digital Identity': archive/2018/c6-digital-identity.md
117 |     - 'C7: Enforce Access Controls': archive/2018/c7-enforce-access-controls.md
118 |     - 'C8: Protect Data Everywhere': archive/2018/c8-protect-data-everywhere.md
119 |     - 'C9: Implement Security Logging and Monitoring': archive/2018/c9-security-logging.md
120 |     - 'C10: Handle All Errors and Exceptions': archive/2018/c10-errors-exceptions.md
121 |     - 'Final Word': archive/2018/final-word.md
122 |   - 'Top 10 2016':
123 |     - archive/2016/index.md
124 |     - 'In the News': archive/2016/in-the-news.md
125 |   - 'Top 10 2014': archive/2014/index.md
126 | 
127 | plugins:
128 |   - search
129 |   - redirects:
130 |       redirect_maps:
131 |         'v4/en/introduction.md': 'index.md'
132 |         'v4/en/0x02-about-project.md': 'index.md'
133 |         'v4/en/0x03-about-structure.md': 'the-top-10/index.md'
134 |         'v4/en/c1-accesscontrol.md': 'the-top-10/c1-accesscontrol.md'
135 |         'v4/en/c2-crypto.md': 'the-top-10/c2-crypto.md'
136 |         'v4/en/c3-validate-input-and-handle-exceptions.md': 'the-top-10/c3-validate-input-and-handle-exceptions.md'
137 |         'v4/en/c4-secure-architecture.md': 'the-top-10/c4-secure-architecture.md'
138 |         'v4/en/c5-secure-by-default.md': 'the-top-10/c5-secure-by-default.md'
139 |         'v4/en/c6-use-secure-dependencies.md': 'the-top-10/c6-use-secure-dependencies.md'
140 |         'v4/en/c7-implement-digital-identity.md': 'the-top-10/c7-secure-digital-identities.md'
141 |         'v4/en/c8-help-the-browser-defend-the-user.md': 'the-top-10/c8-leverage-browser-security-features.md'
142 |         'v4/en/c9-security-logging-and-monitoring.md': 'the-top-10/c9-security-logging-and-monitoring.md'
143 |         'v4/en/c10-stop-server-side-request-forgery.md': 'the-top-10/c10-stop-server-side-request-forgery.md'
144 |         'v3/en/0x04-introduction.md': 'archive/2018/0x04-introduction.md'
145 |         'v3/en/c1-security-requirements.md': 'archive/2018/c1-security-requirements.md'
146 |         'v3/en/c2-leverage-security-frameworks-libraries.md': 'archive/2018/c2-leverage-security-frameworks-libraries.md'
147 |         'v3/en/c3-secure-database.md': 'archive/2018/c3-secure-database.md'
148 |         'v3/en/c5-validate-inputs.md': 'archive/2018/c5-validate-inputs.md'
149 |         'v3/en/c6-digital-identity.md': 'archive/2018/c6-digital-identity.md'
150 |         'v3/en/c7-enforce-access-controls.md': 'archive/2018/c7-enforce-access-controls.md'
151 |         'v3/en/c8-protect-data-everywhere.md': 'archive/2018/c8-protect-data-everywhere.md'
152 |         'v3/en/c9-security-logging.md': 'archive/2018/c9-security-logging.md'
153 |         'v3/en/c10-errors-exceptions.md': 'archive/2018/c10-errors-exceptions.md'
154 |         'the-top-10/c8-help-the-browser-defend-the-user.md': 'the-top-10/c8-leverage-browser-security-features.md'
155 | 


--------------------------------------------------------------------------------
/overrides/404.html:
--------------------------------------------------------------------------------
 1 | {% extends "main.html" %} 
 2 | 
 3 | <!-- Content --> 
 4 | {% block content %} 
 5 |   <h1>404 - Page not found!</h1> 
 6 | 
 7 | <p>Sadly we don't know the page you were looking for anymore!</p>
 8 | 
 9 | <p>Maybe the following links can help you:</p>
10 | 
11 | <ol>
12 |   <li>The <a href="/">OWASP Top 10 Proactive Controls start page</a></li>
13 |   <li>There are also the <a href="/introduction/old-versions-and-translations">2016/20128 versions of the OWASP Top 10 Proactive Controls</a></li>
14 |   <li>Or maybe you're looking for <a href="/introduction/old-versions-and-translations">translated versions of the OWASP Top 10 Proactive Controls</a></li>
15 | </ol>
16 | 
17 | {% endblock %} 
18 | 


--------------------------------------------------------------------------------
/overrides/google6fbf6cc04efaa5b5.html:
--------------------------------------------------------------------------------
1 | google-site-verification: google6fbf6cc04efaa5b5.html


--------------------------------------------------------------------------------
/v2/OWASPTop10ProactiveControls2016-Chinese.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v2/OWASPTop10ProactiveControls2016-Chinese.pdf


--------------------------------------------------------------------------------
/v2/OWASPTop10ProactiveControls2016-Japanese.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v2/OWASPTop10ProactiveControls2016-Japanese.pdf


--------------------------------------------------------------------------------
/v2/OWASPTop10ProactiveControls2016-SimplifiedChinese.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v2/OWASPTop10ProactiveControls2016-SimplifiedChinese.pdf


--------------------------------------------------------------------------------
/v2/OWASP_Proactive_Controls_2-Hebrew.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v2/OWASP_Proactive_Controls_2-Hebrew.pdf


--------------------------------------------------------------------------------
/v2/OWASP_Top_10_Proactive_Controls_-_V2.0.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v2/OWASP_Top_10_Proactive_Controls_-_V2.0.docx


--------------------------------------------------------------------------------
/v2/OWASP_Top_10_Proactive_Controls_V2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v2/OWASP_Top_10_Proactive_Controls_V2.pdf


--------------------------------------------------------------------------------
/v2/OWASP_Top_Ten_Proactive_Controls_v2.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v2/OWASP_Top_Ten_Proactive_Controls_v2.pptx


--------------------------------------------------------------------------------
/v3/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/.DS_Store


--------------------------------------------------------------------------------
/v3/OWASP-OPC-IEEEE-OTop10-OTMobTop10-ssdf.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP-OPC-IEEEE-OTop10-OTMobTop10-ssdf.pdf


--------------------------------------------------------------------------------
/v3/OWASP_TOP_10_Proactive_Controls_2018_V3_ES-AR.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP_TOP_10_Proactive_Controls_2018_V3_ES-AR.pdf


--------------------------------------------------------------------------------
/v3/OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP_TOP_10_Proactive_Controls_2018_V3_PL.pdf


--------------------------------------------------------------------------------
/v3/OWASP_TOP_10_Proactive_Controls_2018_V3_PT-BR.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP_TOP_10_Proactive_Controls_2018_V3_PT-BR.pdf


--------------------------------------------------------------------------------
/v3/OWASP_Top_10_Proactive_Controls_V3-AR.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP_Top_10_Proactive_Controls_V3-AR.pdf


--------------------------------------------------------------------------------
/v3/OWASP_Top_10_Proactive_Controls_V3-IT.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP_Top_10_Proactive_Controls_V3-IT.pdf


--------------------------------------------------------------------------------
/v3/OWASP_Top_10_Proactive_Controls_V3.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP_Top_10_Proactive_Controls_V3.docx


--------------------------------------------------------------------------------
/v3/OWASP_Top_10_Proactive_Controls_V3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP_Top_10_Proactive_Controls_V3.pdf


--------------------------------------------------------------------------------
/v3/OWASP_Top_10_Proactive_Controls_V3_Chinese.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP_Top_10_Proactive_Controls_V3_Chinese.pdf


--------------------------------------------------------------------------------
/v3/OWASP_Top_Ten_Proactive_Controls_v3.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/OWASP_Top_Ten_Proactive_Controls_v3.pptx


--------------------------------------------------------------------------------
/v3/Owasp-top-10-proactive-controls-2018-russian.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/Owasp-top-10-proactive-controls-2018-russian.pdf


--------------------------------------------------------------------------------
/v3/generate-doc.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | echo "OWASP Top 10 Proactive Controls Markdown Conversion Tool"
 4 | 
 5 | function command_exists () {
 6 |     command -v $1 >/dev/null 2>&1;
 7 | }
 8 | 
 9 | if ! command_exists pandoc; then
10 |     echo "
11 |     Error: Please install pandoc. Cannot continue"
12 |     exit;
13 | fi
14 | 
15 | 
16 | 
17 | 
18 | generate_docx() {
19 |    # define pages; ensure info.md is not included in doc generation  
20 |   #local pages=$( ls "0x0*.md c*.md f*.md " | sort -V );
21 |  local pages=$(ls | sort -V | grep '0x0\|c\|f'.*.md);
22 |    sed '/^---$/,/^---$/d' $pages | pandoc  --from markdown  --reference-doc="../templates/template.docx" --columns 10000 --toc --toc-depth=1 -V toc-title="TOC" -t docx  -o "../OWASP-Top10-Proactive-Controls-V3-$1.docx"  
23 | }
24 | 
25 | 
26 | 
27 | generate_html() {
28 |     local pages="0x*.md c*.md f*.md "
29 |     sed '/^---$/,/^---$/d' $pages | pandoc --standalone -f gfm -t html5 --toc --toc-depth=1  --metadata=title:"OWASP Top 10 Proactive Controls 2018 " -o "../OWASP-Top10-Proactive-Controls-V3-$1.html" 
30 | }
31 | 
32 | generate() {
33 |     echo -n "Generating ($1) version ..."
34 |     if [ -d "$1" ]; 
35 |     then
36 |         cd "$1"
37 |        
38 |         generate_docx $1
39 |         generate_html $1
40 |         cd ..
41 |         echo " done."
42 |     else
43 |         echo " No OWASP PC found in directory $1"
44 |     fi
45 | }
46 | 
47 | # English
48 | generate "en"
49 | 
50 |  
51 | echo "Finished generating documents for OWASP Top 10 Proactive Control"
52 | 
53 | 


--------------------------------------------------------------------------------
/v3/images/controls-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/images/controls-logo.png


--------------------------------------------------------------------------------
/v3/images/proactive-header.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/images/proactive-header.jpg


--------------------------------------------------------------------------------
/v3/templates/2-cols.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/templates/2-cols.docx


--------------------------------------------------------------------------------
/v3/templates/template.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-proactive-controls/60254cf54b2ca2c9d211f6807223f7efd754931a/v3/templates/template.docx


--------------------------------------------------------------------------------
/v3/templates/~$mplate.docx:
--------------------------------------------------------------------------------
1 | Microsoft Office UserMicrosoft Office User/projects/www-project-proactive


--------------------------------------------------------------------------------