This is a personal summary and project implementation of my studies on the OWASP Top 10 Proactive Controls, aimed at helping me easily index and recall key topics. Additionally, I’ve created a project to consolidate my learnings. You can check out the Project Specifications for more details.

lucasATeixeira/Owasp.Top10.Proactive.Controls.Personal.Summary

  1. Implement Access Control
    • Role-Based Access Control (RBAC)
    • Attribute-Based Access Control (ABAC)
    • Features denied by default
    • Just Enough Access (JEA)
  2. Use Cryptography the Proper Way
    • Classify data types in your application (public, private, sensitive)
    • Never transmit plain-text data (use TLS)
    • Hash or encrypt sensitive data (passwords, for instance)
    • Use an application secrets manager (e.g. AWS Secrets Manager) for keys
    • Rotate keys (key rollover)
    • All authorized access to a secret key MUST be logged
    • Use TLS
  3. Validate All Input and Handle Exceptions
    • Syntactic validity (type validations such as "is a number", "has length x")
    • Semantic validity (range validation)
    • Allowlisting and denylisting
    • Client-side and server-side validation
    • Beware of ReDoS (regular expression denial of service)
    • Limit input size and validation effort (prevent DDoS)
    • Sanitize input (prevent XSS, SQL injection, etc.)
  4. Address Security from the Start
    • Keep it simple (KISS)
    • Identify and minimize exposed components
    • Design for defense in depth
    • Use well-known secure architecture patterns
  5. Secure-by-Default Configurations
    • Implement configurations based on the least privilege principle
    • Access is denied by default
    • Prefer Infrastructure as Code
  6. Keep Your Components Secure
    • Update dependencies
    • Check whether a dependency is OK to use:
      • Sources
      • Popularity
      • Activity
      • Maturity
      • Complexity
      • Security
  7. Implement Digital Identity
    • Authentication Assurance Levels
      • Passwords
      • Multi-Factor Authentication
      • Cryptographic-Based Authentication
    • Session management
    • Secure password recovery mechanism
    • Secure password storage
    • JWT with signature
    • Cookies with:
      • The right Domain set
      • Secure flag
      • HttpOnly
      • SameSite
  8. Leverage Browser Security Features
    • HTTP Strict Transport Security (HSTS)
    • Content Security Policy (CSP)
    • Referrer-Policy
    • Cookie Secure flag
    • Host-allowlist CSP
    • Strict CSP
    • Prevent clickjacking
      • X-Frame-Options (XFO)
      • CSP
    • Prevent CSRF attacks
      • Same-Origin Cookies
      • Fetch Metadata request headers
  9. Implement Security Logging and Monitoring
    • Log suspicious activity
    • Monitor for suspicious data
  10. Stop Server-Side Request Forgery
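As an added illustration of item 3 (not code from the project itself), the validator below applies the layers in the order the checklist implies: a size cap first so work is bounded, then syntactic checks with a ReDoS-safe anchored pattern, then semantic range checks, then an allowlist, with HTML output encoding kept separate at the sink. The field names, limits and allowlist values are constructed for the example.

```python
import html
import re

# Constructed example of the item 3 layers: size limit, syntactic check, semantic
# (range) check, allowlist, and output sanitization. Field names and limits are
# assumptions for illustration, not the project's own.

MAX_FIELD_LEN = 64                      # hard cap checked first: bounded work per request
COUNTRY_ALLOWLIST = frozenset({"BR", "US", "DE"})
# Anchored via fullmatch, with no nested or overlapping quantifiers, so a crafted
# input cannot make the regex engine backtrack exponentially (ReDoS).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_signup(data: dict) -> dict:
    """Return {"ok": True, "value": {...}} on success or {"ok": False, "errors": [...]}."""
    errors = []

    # 1. Size limit before any other work: an oversized string is rejected
    #    cheaply, before the regex or the allowlist lookup ever sees it.
    for field in ("username", "country"):
        value = data.get(field)
        if isinstance(value, str) and len(value) > MAX_FIELD_LEN:
            errors.append(f"{field}: longer than {MAX_FIELD_LEN} characters")

    # 2. Syntactic validity: correct type and shape.
    username = data.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        errors.append("username: 3-32 chars, lowercase letter first, then [a-z0-9_]")

    age = data.get("age")
    if isinstance(age, bool) or not isinstance(age, int):   # bool is an int subclass
        errors.append("age: must be an integer")
    # 3. Semantic validity: well-formed, but must also make sense for the domain.
    elif not 13 <= age <= 120:
        errors.append("age: must be between 13 and 120")

    # 4. Allowlist: only known-good values pass; everything else is denied.
    country = data.get("country")
    if not isinstance(country, str) or country not in COUNTRY_ALLOWLIST:
        errors.append("country: not in allowlist")

    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "value": {"username": username, "age": age, "country": country}}


def render_greeting(username: str) -> str:
    """Output encoding is separate from input validation: escape at the HTML sink
    even for values that already passed validate_signup (defense in depth)."""
    return f"<p>Welcome, {html.escape(username, quote=True)}!</p>"
```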
