Discussion about excluded cheat sheet from the migration
righettod opened this issue
The following cheat sheets are subject to discussion about the need to be migrated or discarded.
The reason for my decision to open the discussion on these cheat sheets is related to either the quality or the added value of the content provided.
I think that the content of this CS is too old and needs to be deeply refactored, and I think it currently does not bring added value to a dev team.
✅ Refactored and released by @ThunderSon
I think that the content of this CS needs to be more thorough, and I think it currently does not bring added value to a dev team.
I think that this CS is not needed because the OWASP Open SAMM project is dedicated to this topic.
The CS does not add any value and the content is too light.
Web Application Security Testing
I think that this CS is not needed because the OWASP Testing Guide project is dedicated to this topic, and there is this project for a checklist about the OTG.
Same remarks as for the Web Application Security Testing CS.
I think that this CS is not needed because the OWASP ASVS project and the OWASP Proactive Controls project are dedicated to help developers. Moreover, OWASP TOP 10 should only be used for awareness operation...
I think that this CS is not needed because the OWASP ASVS project should be used for code review operations.
The CS project is oriented towards defense and prevention. This CS is oriented towards attack, so I think it must be re-classified into the Attack category of the OWASP wiki.
Feel free to post a comment; that is the reason this post exists 😃
I agree with your judgment. In my opinion Content Security Policy and PL SQL Security should be refactored and updated. The rest of the excluded CSs should be deleted.
I have added a comment for the XSS Filter Evasion Cheat Sheet.
I have a problem with the XSS Filter Evasion Cheat Sheet because, as you mentioned, this one is on the offensive side, but all other CSs are about defence. The question for me is: do we want to have attack CSs at all?
I agree on the above.
For XSS attacks, there are 2 dedicated pages on the OWASP website, one being for WAF evasion.
About the security testing, what is the exact goal for it? What will be the main target for it? Security testing is a vague term compared to the specific fields.
About the CSP CS, how do you compare it to https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP? What should be the key differences?
@ThunderSon has started to refactor the CSP CS.
I am closing the issue: more than a month without any other reaction.
We can reopen it in case of need.
So, to summarize, only the CSP one will be refactored and included.