[OWASP-wiki-editors] Control section

Paco Hope paco at owasp.org
Thu Jul 28 18:17:14 UTC 2016

When I look at that page, I think some can probably be pointed to some other page on the OWASP Wiki.

Plenty of them, however, should be unceremoniously deleted, as they simply contain a few brainstorm items. For example: "Safe Libraries" is literally no more than those 2 words, followed by some boilerplate template. It could be deleted with impunity, since there is no actual content. Other pages, like "Canonicalization" simply point to another page. Those two should be coalesced.

For pages that are so minimal, isn't it better to just delete them? It's not like there's any harm in doing so—we're not losing any content. If it's an important concept, someone will write it. But it doesn't hurt us to delete these stubs.

I took a look at all the pages one by one, and here are my specific recommendations on each. I couldn't figure out how (maybe I don't have rights?) to delete a page entirely. So I'm just recommending deletion of a lot of pages.

It wouldn't hurt to perhaps leave a bunch of links on this page that suggest that people write about these concepts. But having the empty pages out there doesn't do us any favours.

Subcategories: delete all of them. They add no value and most are totally empty.

* Blocking Brute Force Attacks: reasonable page, keep it.

* Bounds Checking: empty page: delete it

* Business Justification for Application Security Assessment

This isn't a security control. Application security assessment might be, but the business justification for one is not a security control. This is old, outdated content. It should either be removed, or it should be removed from the Controls category. There's a little value in having such a thing around, but not much.

* Bytecode obfuscation

This doesn't talk about bytecode obfuscation at all. It talks about bytecode decompilation. Again, not a security control. Should be renamed to Bytecode decompilation and removed from this category. Not sure where to put it, though.

* Canonicalization

Simply points to https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode

Quick and dirty: make Canonicalization a pointer to that page, not a stub.
TheRightWay™: Make all our canonicalization content show up on the page "Canonicalization". (i.e., copy/paste it over from the locale_and_unicode page). Then make the locale_and_unicode page a pointer to the newly-created Canonicalization page.

* Certificate and Public Key Pinning
Great: leave as is.

* HTTP Strict Transport Security Cheat Sheet
Leave as is.

* Cryptography
Empty page listing only a link to "guide to cryptography". Delete this stub page.

* Detect profiling phase into web application
This is something that should have been on a person's personal blog. It's an idea. It's not OWASP content and it's not particularly good. Recommend delete.

* Encoding
This is an empty page linking to Category:Encoding. Delete it.

* Encryption
Another link to the guide to cryptography. Delete it.

* Executable space protection
Empty draft. Delete.

* History Isn't Always Pretty

WTF? This is also like some random blog post from 2009. Delete.

* Identity Management
Empty Stub. Delete.

* Input Validation

Non-empty stub. But terrible. Delete.

* Intrusion Detection
Reasonable. Leave it.

* Intrusion Prevention
Empty stub. Delete.

* Logging
Empty stub pointing to "Error_Handling,_Auditing_and_Logging". Delete.

* Memory Management
Empty stub. Delete.

* Parameterized Command Interface
Empty stub. Delete.

* PDF Attack Filter for Apache mod rewrite
Out-of-date. Tagged as out of date.

* PDF Attack Filter for Java EE
Out-of-date. Tagged as out of date.

* Query Parameterization
This is an OK start, but it's incomplete. This is the kind of incomplete page worth saving.

* Quotas
Empty stub. Delete.

* Randomization
Empty stub. Delete.

* Resource Locking
Empty Stub. Delete.

* Safe Libraries
Empty Stub. Delete.

* SecureFlag
A bit out of date. Flagged it.

* SSL
I cleaned this up to basically say "SSL is bad, don't use it" and then linked it to the TLS page. https://www.owasp.org/index.php/SSL_TLS_Knowledge_Center
The only reason I'm keeping it around is because if you google "owasp" and "ssl" you'll probably get this page.

* Stack-smashing Protection (SSP)
Empty Stub. Delete.

* Static Code Analysis
Fairly reasonable.

* Tokenizing
Empty Stub. Delete.

My $0.02.

> On 28 Jul 2016, at 13:57, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> The pages reviewed are 
> Home page >> controls, https://www.owasp.org/index.php/Category:Control
> All under category:Control:
> B
> Blocking Brute Force Attacks <https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks>
> Bounds Checking <https://www.owasp.org/index.php/Bounds_Checking>
> Business Justification for Application Security Assessment <https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment>
> Bytecode obfuscation <https://www.owasp.org/index.php/Bytecode_obfuscation>
> C
> Canonicalization <https://www.owasp.org/index.php/Canonicalization>
> Certificate and Public Key Pinning <https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning>
> HTTP Strict Transport Security Cheat Sheet <https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet>
> Controls <https://www.owasp.org/index.php/Controls>
> Cryptography <https://www.owasp.org/index.php/Cryptography>
> D
> Detect profiling phase into web application <https://www.owasp.org/index.php/Detect_profiling_phase_into_web_application>
> E
> Encoding <https://www.owasp.org/index.php/Encoding>
> Encryption <https://www.owasp.org/index.php/Encryption>
> Executable space protection <https://www.owasp.org/index.php/Executable_space_protection>
> H
> History Isnt Always Pretty <https://www.owasp.org/index.php/History_Isnt_Always_Pretty>
> I
> Identity Management <https://www.owasp.org/index.php/Identity_Management>
> Input Validation <https://www.owasp.org/index.php/Input_Validation>
> Intrusion Detection <https://www.owasp.org/index.php/Intrusion_Detection>
> Intrusion Prevention <https://www.owasp.org/index.php/Intrusion_Prevention>
> L
> Logging <https://www.owasp.org/index.php/Logging>
> M
> Memory Management <https://www.owasp.org/index.php/Memory_Management>
> P
> Parameterized Command Interface <https://www.owasp.org/index.php/Parameterized_Command_Interface>
> PDF Attack Filter for Apache mod rewrite <https://www.owasp.org/index.php/PDF_Attack_Filter_for_Apache_mod_rewrite>
> PDF Attack Filter for Java EE <https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE>
> Q
> Query Parameterization <https://www.owasp.org/index.php/Query_Parameterization>
> Quotas <https://www.owasp.org/index.php/Quotas>
> R
> Randomization <https://www.owasp.org/index.php/Randomization>
> Resource Locking <https://www.owasp.org/index.php/Resource_Locking>
> S
> Safe Libraries <https://www.owasp.org/index.php/Safe_Libraries>
> SecureFlag <https://www.owasp.org/index.php/SecureFlag>
> SSL <https://www.owasp.org/index.php/SSL>
> Stack-smashing Protection (SSP) <https://www.owasp.org/index.php/Stack-smashing_Protection_(SSP)>
> Static Code Analysis <https://www.owasp.org/index.php/Static_Code_Analysis>
> T
> Tokenizing <https://www.owasp.org/index.php/Tokenizing>
> On Thu, Jul 28, 2016 at 7:16 AM, Jim Manico <jim.manico at owasp.org> wrote:
> Duly noted, thanks Johanna. I'll take care of this next week.
> PS: Can you send us a link just to make sure we're on the same page?
> - Jim
> On 7/27/16 10:15 PM, johanna curiel curiel wrote:
>> Hello wiki editors
>> I checked all the pages under category 'control'
>> Many of these pages are empty or incomplete.
>> I tagged them. 
>> Any plans for the future regarding what to do with these pages?
>> -- 
>> Johanna Curiel 
>> OWASP Volunteer
>> _______________________________________________
>> OWASP-wiki-editors mailing list
>> OWASP-wiki-editors at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
> -- 
> Johanna Curiel 
> OWASP Volunteer
> _______________________________________________
> OWASP-wiki-editors mailing list
> OWASP-wiki-editors at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
