[OWASP-wiki-editors] Control section

johanna curiel curiel johanna.curiel at owasp.org
Thu Jul 28 18:21:33 UTC 2016


+Paco

On Thu, Jul 28, 2016 at 2:17 PM, Paco Hope <paco at owasp.org> wrote:

> When I look at that page, I think some can probably be pointed to some
> other page on the OWASP Wiki.
>
> Plenty of them, however, should be unceremoniously deleted, as they simply
> contain a few brainstorm items. For example: "Safe Libraries" is literally
> no more than those 2 words, followed by some boilerplate template. It could
> be deleted with impunity, since there is no actual content. Other pages,
> like "Canonicalization" simply point to another page. Those two should be
> coalesced.
>
> For pages that are so minimal, isn't it better to just delete them? It's
> not like there's any harm in doing so—we're not losing any content. If it's
> an important concept, someone will write it. But it doesn't hurt us to
> delete these stubs.
>
> I took a look at all the pages one by one, and here are my specific
> recommendations on each. I couldn't figure out how (maybe I don't have
> rights?) to delete a page entirely. So I'm just recommending deletion of a
> lot of pages.
>
> It wouldn't hurt to perhaps leave a bunch of links in this page that
> suggest people to write about these concepts. But having the empty pages
> out there doesn't do us any favours.
>
> Subcategories: delete all of them. They add no value and most are totally
> empty.
>
> Pages:
> * Blocking Brute Force Attacks: reasonable page, keep it.
>
> * Bounds Checking: empty page: delete it
>
> * Business Justification for Application Security Assessment:
>
> This isn't a security control. Application security assessment might be,
> but the business justification for one is not a security control. This is
> old, outdated content. It should either be removed, or it should be removed
> from the Controls category. There's a little value in having such a thing
> around, but not much.
>
> * Bytecode obfuscation
>
> This doesn't talk about bytecode obfuscation at all. It talks about bytecode
> decompilation. Again, not a security control. Should be renamed to Bytecode
> decompilation and removed from this category. Not sure where to put it,
> though.
>
> * Canonicalization
>
> Simply points to
> https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode
>
> Quick and dirty: make Canonicalization a pointer to that page, not a stub.
> TheRightWay™: Make all our canonicalization content show up on the page
> "Canonicalization". (i.e., copy/paste it over from the locale_and_unicode
> page). Then make the locale_and_unicode page a pointer to the newly-created
> Canonicalization page.
>
> * Certificate and Public Key Pinning
> Great: leave as is.
>
> * HTTP Strict Transport Security Cheat Sheet
> Leave as is.
>
> * Cryptography
> Empty page listing only a link to "guide to cryptography". Delete this
> stub page.
>
> * Detect profiling phase into web application
> This is something that should have been on a person's personal blog. It's
> an idea. It's not OWASP content and it's not particularly good. Recommend
> delete.
>
> * Encoding
> This is an empty page linking to Category:Encoding. Delete it.
>
> * Encryption
> Another link to the guide to cryptography. Delete it.
>
> * Executable space protection
> Empty draft. Delete.
>
> * History Isn't Always Pretty
>
> WTF? This is also like some random blog post from 2009. Delete.
>
> * Identity Management
> Empty Stub. Delete.
>
> * Input Validation
>
> Non-empty stub. But terrible. Delete.
>
> * Intrusion Detection
> Reasonable. Leave it.
>
> * Intrusion Prevention
> Empty stub. Delete.
>
> * Logging
> Empty stub pointing to "Error_Handling,_Auditing_and_Logging". Delete.
>
> * Memory Management
> Empty stub. Delete.
>
> * Parameterized Command Interface
> Empty stub. Delete.
>
> * PDF Attack Filter for Apache mod rewrite
> Out-of-date. Tagged as out of date.
>
> * PDF Attack Filter for Java EE
> Out-of-date. Tagged as out of date.
>
> * Query Parameterization
> This is an OK start, but it's incomplete. This is the kind of incomplete
> page worth saving.
>
> * Quotas
> Empty stub. Delete.
>
> * Randomization
> Empty stub. Delete.
>
> * Resource Locking
> Empty Stub. Delete.
>
> * Safe Libraries
> Empty Stub. Delete.
>
> * SecureFlag
> A bit out of date. Flagged it.
>
> * SSL
> I cleaned this up to basically say "SSL is bad, don't use it" and then
> linked it to the TLS page.
> https://www.owasp.org/index.php/SSL_TLS_Knowledge_Center
> The only reason I'm keeping it around is because if you google "owasp" and
> "ssl" you'll probably get this page.
>
> * Stack-smashing Protection (SSP)
> Empty Stub. Delete.
>
> * Static Code Analysis
> Fairly reasonable.
>
> * Tokenizing
> Empty Stub. Delete.
>
>
> My $0.02.
> Paco
>
>
> On 28 Jul 2016, at 13:57, johanna curiel curiel <johanna.curiel at owasp.org>
> wrote:
>
> The pages reviewed are
> Home page >> Controls, https://www.owasp.org/index.php/Category:Control
> All under Category:Control:
>
> B
>
>    - Blocking Brute Force Attacks
>    <https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks>
>    - Bounds Checking <https://www.owasp.org/index.php/Bounds_Checking>
>    - Business Justification for Application Security Assessment
>    <https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment>
>    - Bytecode obfuscation
>    <https://www.owasp.org/index.php/Bytecode_obfuscation>
>
> C
>
>    - Canonicalization <https://www.owasp.org/index.php/Canonicalization>
>    - Certificate and Public Key Pinning
>    <https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning>
>    - HTTP Strict Transport Security Cheat Sheet
>    <https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet>
>    - Controls <https://www.owasp.org/index.php/Controls>
>    - Cryptography <https://www.owasp.org/index.php/Cryptography>
>
> D
>
>    - Detect profiling phase into web application
>    <https://www.owasp.org/index.php/Detect_profiling_phase_into_web_application>
>
> E
>
>    - Encoding <https://www.owasp.org/index.php/Encoding>
>
> E cont.
>
>    - Encryption <https://www.owasp.org/index.php/Encryption>
>    - Executable space protection
>    <https://www.owasp.org/index.php/Executable_space_protection>
>
> H
>
>    - History Isnt Always Pretty
>    <https://www.owasp.org/index.php/History_Isnt_Always_Pretty>
>
> I
>
>    - Identity Management
>    <https://www.owasp.org/index.php/Identity_Management>
>    - Input Validation <https://www.owasp.org/index.php/Input_Validation>
>    - Intrusion Detection
>    <https://www.owasp.org/index.php/Intrusion_Detection>
>    - Intrusion Prevention
>    <https://www.owasp.org/index.php/Intrusion_Prevention>
>
> L
>
>    - Logging <https://www.owasp.org/index.php/Logging>
>
> M
>
>    - Memory Management <https://www.owasp.org/index.php/Memory_Management>
>
> P
>
>    - Parameterized Command Interface
>    <https://www.owasp.org/index.php/Parameterized_Command_Interface>
>    - PDF Attack Filter for Apache mod rewrite
>    <https://www.owasp.org/index.php/PDF_Attack_Filter_for_Apache_mod_rewrite>
>
> P cont.
>
>    - PDF Attack Filter for Java EE
>    <https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE>
>
> Q
>
>    - Query Parameterization
>    <https://www.owasp.org/index.php/Query_Parameterization>
>    - Quotas <https://www.owasp.org/index.php/Quotas>
>
> R
>
>    - Randomization <https://www.owasp.org/index.php/Randomization>
>    - Resource Locking <https://www.owasp.org/index.php/Resource_Locking>
>
> S
>
>    - Safe Libraries <https://www.owasp.org/index.php/Safe_Libraries>
>    - SecureFlag <https://www.owasp.org/index.php/SecureFlag>
>    - SSL <https://www.owasp.org/index.php/SSL>
>    - Stack-smashing Protection (SSP)
>    <https://www.owasp.org/index.php/Stack-smashing_Protection_(SSP)>
>    - Static Code Analysis
>    <https://www.owasp.org/index.php/Static_Code_Analysis>
>
> T
>
>    - Tokenizing <https://www.owasp.org/index.php/Tokenizing>
>
>
> On Thu, Jul 28, 2016 at 7:16 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Duly noted, thanks Johanna. I'll take care of this next week.
>>
>> PS: Can you send us a link just to make sure we're on the same page?
>>
>> - Jim
>>
>> On 7/27/16 10:15 PM, johanna curiel curiel wrote:
>>
>> Hello wiki editors
>>
>> I checked all the pages under category 'control'
>>
>> Many of these pages are empty or incomplete.
>>
>> I tagged them.
>>
>> Any plans for the future regarding what to do with these pages?
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>>
>> _______________________________________________
>> OWASP-wiki-editors mailing list
>> OWASP-wiki-editors at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
>>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
>
>


-- 
Johanna Curiel
OWASP Volunteer