AWS - OWASP Security Knowledge
The OWASP Security Knowledge Framework (SKF) is a tool intended as a guide for building and verifying secure software. It can also be used to train developers in application security. Education is the first step in the Secure Software Development Lifecycle.
OWASP released the new iteration of the Top 10 (the 2017 release candidate) for public comment. The categories listed in the proposed Top 10 are largely the same application flaw categories found in the 2013 Top 10 and past versions:
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Broken Access Control (NEW)
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Insufficient Attack Protection (NEW)
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Underprotected APIs (NEW)
The new A4 category consolidates the categories Insecure Direct Object
The OWASP ASVS contains the following verification requirement categories:
Architecture, design and threat modeling
Authentication
Session management
Access control
Malicious input handling
Cryptography at rest
Error handling and logging
Data protection
Communications
HTTP security configuration
Malicious controls
Business logic
Files and resources
Mobile
Web services
Configuration
The OWASP SKF contains the following security requirement categories:
Third party software
Sub-domains
Access controls or Login systems
User registration
Form
Sessions
Password forget functions
Forward or redirect
GET variables or parameters
XML files
File Download
File upload
Regular expressions
Eval type functions
Private user data
System commands
SSI commands
XSLT input and output
HTTP headers
LDAP commands
User-input in HTML output
X-Path
File inclusion
Path or Filename
SQL commands