[OWASP-wiki-editors] Control section
Jim Manico
jim.manico at owasp.org
Thu Jul 28 21:10:15 UTC 2016
Paco,
Thank you for your feedback, I'll send you an email once these have been
addressed.
- Jim
On 7/28/16 2:17 PM, Paco Hope wrote:
> When I look at that page, I think some can probably be pointed to some
> other page on the OWASP Wiki.
>
> Plenty of them, however, should be unceremoniously deleted, as they
> simply contain a few brainstorm items. For example: "Safe Libraries"
> is literally no more than those 2 words, followed by some boilerplate
> template. It could be deleted with impunity, since there is no actual
> content. Other pages, like "Canonicalization" simply point to another
> page. Those two should be coalesced.
>
> For pages that are so minimal, isn't it better to just delete them?
> It's not like there's any harm in doing so—we're not losing any
> content. If it's an important concept, someone will write it. But it
> doesn't hurt us to delete these stubs.
>
> I took a look at all the pages one by one, and here are my specific
> recommendations on each. I couldn't figure out how (maybe I don't have
> rights?) to delete a page entirely. So I'm just recommending deletion
> of a lot of pages.
>
> It wouldn't hurt to perhaps leave a bunch of links in this page that
> suggest people to write about these concepts. But having the empty
> pages out there doesn't do us any favours.
>
> Subcategories: delete all of them. They add no value and most are
> totally empty.
>
> Pages:
> * Blocking Brute Force Attacks: reasonable page, keep it.
>
> * Bounds Checking: empty page: delete it
>
> * Business Justification for Application Security Assessment:
>
> This isn't a security control. Application security assessment might
> be, but the business justification for one is not a security control.
> This is old, outdated content. It should either be removed, or it
> should be removed from the Controls category. There's a little value
> in having such a thing around, but not much.
>
> * Bytecode obfuscation
>
> This doesn't talk about bytecode obfuscation at all. It talks about
> bytecode decompilation. Again, not a security control. Should be
> renamed to Bytecode decompilation and removed from this category. Not
> sure where to put it, though.
>
> * Canonicalization
>
> Simply points to
> https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode
>
> Quick and dirty: make Canonicalization a pointer to that page, not a stub.
> TheRightWay™: Make all our canonicalization content show up on the
> page "Canonicalization". (i.e., copy/paste it over from the
> locale_and_unicode page). Then make the locale_and_unicode page a
> pointer to the newly-created Canonicalization page.
>
> * Certificate and Public Key Pinning
> Great: leave as is.
>
> * HTTP Strict Transport Security Cheat Sheet
> Leave as is.
>
> * Cryptography
> Empty page listing only a link to "guide to cryptography". Delete this
> stub page.
>
> * Detect profiling phase into web application
> This is something that should have been on a person's personal blog.
> It's an idea. It's not OWASP content and it's not particularly good.
> Recommend delete.
>
> * Encoding
> This is an empty page linking to Category:Encoding. Delete it.
>
> * Encryption
> Another link to the guide to cryptography. Delete it.
>
> * Executable space protection
> Empty draft. Delete.
>
> * History Isn't Always Pretty
>
> WTF? This is also like some random blog post from 2009. Delete.
>
> * Identity Management
> Empty Stub. Delete.
>
> * Input Validation
>
> Non-empty stub. But terrible. Delete.
>
> * Intrusion Detection
> Reasonable. Leave it.
>
> * Intrusion Prevention
> Empty stub. Delete.
>
> * Logging
> Empty stub pointing to "Error_Handling,_Auditing_and_Logging". Delete.
>
> * Memory Management
> Empty stub. Delete.
>
> * Parameterized Command Interface
> Empty stub. Delete.
>
> * PDF Attack Filter for Apache mod rewrite
> Out-of-date. Tagged as out of date.
>
> * PDF Attack Filter for Java EE
> Out-of-date. Tagged as out of date.
>
> * Query Parameterization
> This is an OK start, but it's incomplete. This is the kind of
> incomplete page worth saving.
>
> * Quotas
> Empty stub. Delete.
>
> * Randomization
> Empty stub. Delete.
>
> * Resource Locking
> Empty Stub. Delete.
>
> * Safe Libraries
> Empty Stub. Delete.
>
> * SecureFlag
> A bit out of date. Flagged it.
>
> * SSL
> I cleaned this up to basically say "SSL is bad, don't use it" and then
> linked it to the TLS page.
> https://www.owasp.org/index.php/SSL_TLS_Knowledge_Center
> The only reason I'm keeping it around is because if you google "owasp"
> and "ssl" you'll probably get this page.
>
> * Stack-smashing Protection (SSP)
> Empty Stub. Delete.
>
> * Static Code Analysis
> Fairly reasonable.
>
> * Tokenizing
> Empty Stub. Delete.
>
>
> My $0.02.
> Paco
>
>> On 28 Jul 2016, at 13:57, johanna curiel curiel
>> <johanna.curiel at owasp.org> wrote:
>>
>> The pages reviewed are
>> Home page >> Controls, https://www.owasp.org/index.php/Category:Control
>> All under category:Control:
>>
>>
>> B
>>
>> * Blocking Brute Force Attacks
>> <https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks>
>> * Bounds Checking <https://www.owasp.org/index.php/Bounds_Checking>
>> * Business Justification for Application Security Assessment
>> <https://www.owasp.org/index.php/Business_Justification_for_Application_Security_Assessment>
>> * Bytecode obfuscation
>> <https://www.owasp.org/index.php/Bytecode_obfuscation>
>>
>>
>> C
>>
>> * Canonicalization <https://www.owasp.org/index.php/Canonicalization>
>> * Certificate and Public Key Pinning
>> <https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning>
>> * HTTP Strict Transport Security Cheat Sheet
>> <https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet>
>> * Controls <https://www.owasp.org/index.php/Controls>
>> * Cryptography <https://www.owasp.org/index.php/Cryptography>
>>
>>
>> D
>>
>> * Detect profiling phase into web application
>> <https://www.owasp.org/index.php/Detect_profiling_phase_into_web_application>
>>
>>
>> E
>>
>> * Encoding <https://www.owasp.org/index.php/Encoding>
>>
>> * Encryption <https://www.owasp.org/index.php/Encryption>
>> * Executable space protection
>> <https://www.owasp.org/index.php/Executable_space_protection>
>>
>>
>> H
>>
>> * History Isnt Always Pretty
>> <https://www.owasp.org/index.php/History_Isnt_Always_Pretty>
>>
>>
>> I
>>
>> * Identity Management
>> <https://www.owasp.org/index.php/Identity_Management>
>> * Input Validation <https://www.owasp.org/index.php/Input_Validation>
>> * Intrusion Detection
>> <https://www.owasp.org/index.php/Intrusion_Detection>
>> * Intrusion Prevention
>> <https://www.owasp.org/index.php/Intrusion_Prevention>
>>
>>
>> L
>>
>> * Logging <https://www.owasp.org/index.php/Logging>
>>
>>
>> M
>>
>> * Memory Management <https://www.owasp.org/index.php/Memory_Management>
>>
>>
>> P
>>
>> * Parameterized Command Interface
>> <https://www.owasp.org/index.php/Parameterized_Command_Interface>
>> * PDF Attack Filter for Apache mod rewrite
>> <https://www.owasp.org/index.php/PDF_Attack_Filter_for_Apache_mod_rewrite>
>>
>> * PDF Attack Filter for Java EE
>> <https://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE>
>>
>>
>> Q
>>
>> * Query Parameterization
>> <https://www.owasp.org/index.php/Query_Parameterization>
>> * Quotas <https://www.owasp.org/index.php/Quotas>
>>
>>
>> R
>>
>> * Randomization <https://www.owasp.org/index.php/Randomization>
>> * Resource Locking <https://www.owasp.org/index.php/Resource_Locking>
>>
>>
>> S
>>
>> * Safe Libraries <https://www.owasp.org/index.php/Safe_Libraries>
>> * SecureFlag <https://www.owasp.org/index.php/SecureFlag>
>> * SSL <https://www.owasp.org/index.php/SSL>
>> * Stack-smashing Protection (SSP)
>> <https://www.owasp.org/index.php/Stack-smashing_Protection_%28SSP%29>
>> * Static Code Analysis
>> <https://www.owasp.org/index.php/Static_Code_Analysis>
>>
>>
>> T
>>
>> * Tokenizing <https://www.owasp.org/index.php/Tokenizing>
>>
>>
>> On Thu, Jul 28, 2016 at 7:16 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> Duly noted, thanks Johanna. I'll take care of this next week.
>>
>> PS: Can you send us a link just to make sure we're on the same page?
>>
>> - Jim
>>
>>
>> On 7/27/16 10:15 PM, johanna curiel curiel wrote:
>>> Hello wiki editors
>>>
>>> I checked all the pages under category 'control'
>>>
>>> Many of these pages are empty or incomplete.
>>>
>>> I tagged them.
>>>
>>> Any plans for the future regarding what to do with these pages?
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>>
>>> _______________________________________________
>>> OWASP-wiki-editors mailing list
>>> OWASP-wiki-editors at lists.owasp.org
>>> <mailto:OWASP-wiki-editors at lists.owasp.org>
>>> https://lists.owasp.org/mailman/listinfo/owasp-wiki-editors
>>
>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer