AWS - OWASP Security Knowledge

The OWASP Security Knowledge Framework is intended to be a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. Education is the first step in the Secure Software Development Lifecycle.

OWASP released the new iteration of the Top 10 for public comment. 

The categories listed in the new proposed Top 10 are many of the same application flaw categories from the 2013 

Top 10 and past versions: 

A1 Injection 

A2 Broken Authentication and Session Management

A3 Cross-Site Scripting (XSS) 

A4 Broken Access Control (NEW) 

A5 Security Misconfiguration 

A6 Sensitive Data Exposure

A7 Insufficient Attack Protection (NEW) 

A8 Cross-Site Request Forgery (CSRF) 

A9 Using Components with Known Vulnerabilities 

A10 Underprotected APIs (NEW) The new A4 category consolidates the categories Insecure Direct Object 

The OWASP ASVS contains the following verification criteria:

• • Architecture, design ant threat modeling

  • Authentication

  • Session management

  • Access control

  • Malicious input handling

  • Cryptography at rest

  • Error handling and logging

  • Data protection

  • Communications

  • HTTP security configuration

  • Malicious controls

  • Business logic

  • Files and resources

  • Mobile

  • Web services

  • Configuration

The OWASP SKF contains the following security requirements:

• 1. Third party software

  2. Sub-domains

  3. Access controls or Login systems

  4. User registration

  5. Form

  6. Sessions

  7. Password forget functions

  8. Forward or redirect

  9. GET variables or parameters

  10. XML files

  11. File Download

  12. File upload

  13. Regular expressions

  14. Eval type functions

  15. Private user data

  16. System commands

  17.  SSI commands

  18. XSLT input and output

  19. HTTP headers

  20. LDAP commands

  21. User-input in HTML output

  22. X-Path

  23. File inclusion

  24. Path or Filename

  25. SQL commands