OWASP / www-project-proactive-controls

OWASP Foundation Web Repository
Creative Commons Attribution Share Alike 4.0 International

[Post-2024/Proposal] Restructure Top 10: disentangle from OWASP Top 10, focus more on security culture, etc. #70

Open andreashappe opened 1 month ago

andreashappe commented 1 month ago

I suggest a slight reordering and restructuring, based upon initial feedback on our 2024 edition (as well as my experience teaching some of this):

Our current (2024) OWASP Top 10 Proactive Controls are:

  1. Implement Access Control
  2. Use Cryptography to Secure Data
  3. Validate all Input & Handle Exceptions
  4. Address Security from the Start
  5. Secure by Default Configurations
  6. Keep Your Components Secure
  7. Secure Digital Identities
  8. Leverage Browser Security Features
  9. Implement Security Logging and Monitoring
  10. Prevent SSRF

Suggested 2025+ OWASP Top 10 Proactive Controls

  1. Implement Access Control
  2. Secure Digital Identities
  3. [rename] Prevent Injection Attacks
    • was "Validate all Input & Handle Exceptions"
    • part 1: Separate Data from Commands, includes all the escaping and input filtering
    • part 2: Use Sandboxing if you need to execute commands (incorporate the former Top 10: SSRF)
  4. Keep Your Components Secure
  5. [new] Use Established Frameworks and Standards
    • mention, e.g., REST-ful APIs, use standard crypto, etc.
  6. Use Cryptography to Secure Data
  7. [rename/new] Security Culture
    • rename from 'Address Security from the Start'
    • also talk a bit about openness, releasing 'threat models', etc.
  8. [rename/new] Make Doing Secure Things Easy
    • rename of "Secure by Default Configurations" to broaden the scope a bit
  9. Implement Security Logging & Monitoring
  10. Leverage Browser Security Features

This allows us to broaden the scope a bit and add a bit of left-shifting security.

The only problem is that I want to add Automate Security (containing SAST, writing abuse cases, etc.) somewhere. Not sure, but it could fit into the new broader Security Culture topic.

What are your ideas? I want to redo this during the beginning of 2025.

jmanico commented 1 month ago

I think this is a really positive direction that is in line with current trends. REALLY REALLY good suggestion here for 2025!

cowsecurity commented 1 month ago

> The only problem is that I want to add Automate Security (containing SAST, writing abuse cases, etc.) somewhere.

I feel this can be added to the "8. Make Doing Secure Things Easy" section.