[OWASP-wiki-editors] Control section

Jim Manico jim.manico at owasp.org
Thu Jul 28 21:10:15 UTC 2016


Paco,

Thank you for your feedback, I'll send you email once these have been
addressed.

- Jim


On 7/28/16 2:17 PM, Paco Hope wrote:
> When I look at that page, I think some can probably be pointed to some
> other page on the OWASP Wiki.
>
> Plenty of them, however, should be unceremoniously deleted, as they
> simply contain a few brainstorm items. For example: "Safe Libraries"
> is literally no more than those 2 words, followed by some boilerplate
> template. It could be deleted with impunity, since there is no actual
> content. Other pages, like "Canonicalization" simply point to another
> page. Those two should be coalesced.
>
> For pages that are so minimal, isn't it better to just delete them?
> It's not like there's any harm in doing so—we're not losing any
> content. If it's an important concept, someone will write it. But it
> doesn't hurt us to delete these stubs.
>
> I took a look at all the pages one by one, and here are my specific
> recommendations on each. I couldn't figure out how (maybe I don't have
> rights?) to delete a page entirely. So I'm just recommending deletion
> of a lot of pages.
>
> It wouldn't hurt to perhaps leave a bunch of links in this page that
> suggest people to write about these concepts. But having the empty
> pages out there doesn't do us any favours.
>
> Subcategories: delete all of them. They add no value and most are
> totally empty.
>
> Pages:
> * Blocking Brute Force Attacks: reasonable page, keep it.
>
> * Bounds Checking: empty page: delete it
>
> * Business Justification for Application Security Assessment:
>
>  This isn't a security control. Application security assessment might
>  be, but the business justification for one is not a security control.
>  This is old, outdated content. It should either be removed, or it
>  should be removed from the Controls category. There's a little value
>  in having such a thing around, but not much.
>
> * Bytecode obfuscation
>
> This doesn't talk about bytecode obfuscation at all. It talks about
> bytecode decompilation. Again, not a security control. Should be
> renamed to Bytecode decompilation and removed from this category. Not
> sure where to put it, though.
>
> * Canonicalization
>
> Simply points to
> https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode
>
> Quick and dirty: make Canonicalization a pointer to that page, not a stub.
> TheRightWay™: Make all our canonicalization content show up on the
> page "Canonicalization". (i.e., copy/paste it over from the
> locale_and_unicode page). Then make the locale_and_unicode page a
> pointer to the newly-created Canonicalization page.
>
> * Certificate and Public Key Pinning
> Great: leave as is.
>
> * HTTP Strict Transport Security Cheat Sheet
> Leave as is.
>
> * Cryptography
> Empty page listing only a link to "guide to cryptography". Delete this
> stub page.
>
> * Detect profiling phase into web application
> This is something that should have been on a person's personal blog.
> It's an idea. It's not OWASP content and it's not particularly good.
> Recommend delete.
>
> * Encoding
> This is an empty page linking to Category:Encoding. Delete it.
>
> * Encryption
> Another link to the guide to cryptography. Delete it.
>
> * Executable space protection
> Empty draft. Delete.
>
> * History Isn't Always Pretty
>
> WTF? This is also like some random blog post from 2009. Delete.
>
> * Identity Management
> Empty Stub. Delete.
>
> * Input Validation
>
> Non-empty stub. But terrible. Delete.
>
> * Intrusion Detection
> Reasonable. Leave it.
>
> * Intrusion Prevention
> Empty stub. Delete.
>
> * Logging
> Empty stub pointing to "Error_Handling,_Auditing_and_Logging". Delete.
>
> * Memory Management
> Empty stub. Delete.
>
> * Parameterized Command Interface
> Empty stub. Delete.
>
> * PDF Attack Filter for Apache mod rewrite
> Out-of-date. Tagged as out of date.
>
> * PDF Attack Filter for Java EE
> Out-of-date. Tagged as out of date.
>
> * Query Parameterization
> This is an OK start, but it's incomplete. This is the kind of
> incomplete page worth saving.
>
> * Quotas
> Empty stub. Delete.
>
> * Randomization
> Empty stub. Delete.
>
> * Resource Locking
> Empty Stub. Delete.
>
> * Safe Libraries
> Empty Stub. Delete.
>
> * SecureFlag
> A bit out of date. Flagged it.
>
> * SSL
> I cleaned this up to basically say "SSL is bad, don't use it" and then
> linked it to the TLS page.
> https://www.owasp.org/index.php/SSL_TLS_Knowledge_Center
> The only reason I'm keeping it around is because if you google "owasp"
> and "ssl" you'll probably get this page.
>
> * Stack-smashing Protection (SSP)
> Empty Stub. Delete.
>
> * Static Code Analysis
> Fairly reasonable.
>
> * Tokenizing
> Empty Stub. Delete.
>
>
> My $0.02.
> Paco
>
>> On 28 Jul 2016, at 13:57, johanna curiel curiel
>> <johanna.curiel at owasp.org> wrote:
>>
>> The pages reviewed are:
>> Home page >> Controls: https://www.owasp.org/index.php/Category:Control
>> All under Category:Control:
>>
>>
>>       B
>>
>>   * Blocking Brute Force Attacks
>>     <https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks>
>>   * Bounds Checking <https://www.owasp.org/index.php/Bounds_Checking>
>>   * Business Justification for Application Security Assessment
>>     <https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment>
>>   * Bytecode obfuscation
>>     <https://www.owasp.org/index.php/Bytecode_obfuscation>
>>
>>
>>       C
>>
>>   * Canonicalization <https://www.owasp.org/index.php/Canonicalization>
>>   * Certificate and Public Key Pinning
>>     <https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning>
>>   * HTTP Strict Transport Security Cheat Sheet
>>     <https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet>
>>   * Controls <https://www.owasp.org/index.php/Controls>
>>   * Cryptography <https://www.owasp.org/index.php/Cryptography>
>>
>>
>>       D
>>
>>   * Detect profiling phase into web application
>>     <https://www.owasp.org/index.php/Detect_profiling_phase_into_web_application>
>>
>>
>>       E
>>
>>   * Encoding <https://www.owasp.org/index.php/Encoding>
>>   * Encryption <https://www.owasp.org/index.php/Encryption>
>>   * Executable space protection
>>     <https://www.owasp.org/index.php/Executable_space_protection>
>>
>>
>>       H
>>
>>   * History Isnt Always Pretty
>>     <https://www.owasp.org/index.php/History_Isnt_Always_Pretty>
>>
>>
>>       I
>>
>>   * Identity Management
>>     <https://www.owasp.org/index.php/Identity_Management>
>>   * Input Validation <https://www.owasp.org/index.php/Input_Validation>
>>   * Intrusion Detection
>>     <https://www.owasp.org/index.php/Intrusion_Detection>
>>   * Intrusion Prevention
>>     <https://www.owasp.org/index.php/Intrusion_Prevention>
>>
>>
>>       L
>>
>>   * Logging <https://www.owasp.org/index.php/Logging>
>>
>>
>>       M
>>
>>   * Memory Management <https://www.owasp.org/index.php/Memory_Management>
>>
>>
>>       P
>>
>>   * Parameterized Command Interface
>>     <https://www.owasp.org/index.php/Parameterized_Command_Interface>
>>   * PDF Attack Filter for Apache mod rewrite
>>     <https://www.owasp.org/index.php/PDF_Attack_Filter_for_Apache_mod_rewrite>
>>   * PDF Attack Filter for Java EE
>>     <https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE>
>>
>>
>>       Q
>>
>>   * Query Parameterization
>>     <https://www.owasp.org/index.php/Query_Parameterization>
>>   * Quotas <https://www.owasp.org/index.php/Quotas>
>>
>>
>>       R
>>
>>   * Randomization <https://www.owasp.org/index.php/Randomization>
>>   * Resource Locking <https://www.owasp.org/index.php/Resource_Locking>
>>
>>
>>       S
>>
>>   * Safe Libraries <https://www.owasp.org/index.php/Safe_Libraries>
>>   * SecureFlag <https://www.owasp.org/index.php/SecureFlag>
>>   * SSL <https://www.owasp.org/index.php/SSL>
>>   * Stack-smashing Protection (SSP)
>>     <https://www.owasp.org/index.php/Stack-smashing_Protection_%28SSP%29>
>>   * Static Code Analysis
>>     <https://www.owasp.org/index.php/Static_Code_Analysis>
>>
>>
>>       T
>>
>>   * Tokenizing <https://www.owasp.org/index.php/Tokenizing>
>>
>>
>> On Thu, Jul 28, 2016 at 7:16 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>     Duly noted, thanks Johanna. I'll take care of this next week.
>>
>>     PS: Can you send us a link just to make sure we're on the same page?
>>
>>     - Jim
>>
>>
>>     On 7/27/16 10:15 PM, johanna curiel curiel wrote:
>>>     Hello wiki editors
>>>
>>>     I checked all the pages under category 'control'
>>>
>>>     Many of these pages are empty or incomplete.
>>>
>>>     I tagged them. 
>>>
>>>     Any plans for the future regarding what to do with these pages?
>>>
>>>     -- 
>>>     Johanna Curiel 
>>>     OWASP Volunteer
>>>
>>>
>>>     _______________________________________________
>>>     OWASP-wiki-editors mailing list
>>>     OWASP-wiki-editors at lists.owasp.org
>>>     <mailto:OWASP-wiki-editors at lists.owasp.org>
>>>     https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
>>
>>
>>
>>
>> -- 
>> Johanna Curiel 
>> OWASP Volunteer
>
>
>
