OWASP / CheatSheetSeries

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

Home Page: https://cheatsheetseries.owasp.org

Discussion about excluded cheat sheet from the migration

righettod opened this issue · comments

The following cheat sheets are subject to discussion about the need to be migrated or discarded.

The reason for my decision to open the discussion on these cheat sheets is related either to the quality or to the added value of the content provided.

Content Security Policy

I think that the content of this CS is too old and needs to be deeply refactored, and I think it currently does not bring added value to a dev team.

✅ Refactored and released by @ThunderSon

PL SQL Security

I think that the content of this CS needs to be more thorough, and I think it currently does not bring added value to a dev team.

Secure SDLC

I think that this CS is not needed because the OWASP Open SAMM project is dedicated to this topic.

Security Testing

The CS does not add any value and the content is too light.

Web Application Security Testing

I think that this CS is not needed because the OWASP Testing Guide project is dedicated to this topic, and there is this project for a checklist about the OTG.

Web Service Security Testing

Same remarks as for the Web Application Security Testing CS.

OWASP TOP 10

I think that this CS is not needed because the OWASP ASVS project and the OWASP Proactive Controls project are dedicated to helping developers. Moreover, OWASP TOP 10 should only be used for awareness operations...

Secure Coding

I think that this CS is not needed because the OWASP ASVS project should be used for code review operations.

XSS Filter Evasion

The CS project is oriented towards defense and prevention. This CS is oriented towards attack, so I think it must be re-classified into the Attack category of the OWASP wiki.

Feel free to post a comment, it's the reason for the existence of this post 😃

I agree with your judgment. In my opinion Content Security Policy and PL SQL Security should be refactored and updated. The rest of the excluded CSs should be deleted.

I have added a comment for the XSS Filter Evasion Cheat Sheet.

I have a problem with the XSS Filter Evasion Cheat Sheet because, as you mentioned, this is on the offensive side but all other CSs are about defence. The question for me is: do we want to have attack CSs at all?

I agree on the above.
For XSS attacks, there are 2 dedicated pages on the OWASP website, one being for WAF evasion.
About the security testing, what is the exact goal for it? What will be the main target for it? Security testing is a vague term compared to the specific fields.
About the CSP CS, how do you compare it to https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP? What should be the key differences?

@ThunderSon has started to refactor the CSP CS.

I close the issue: more than a month without any other reaction.
We can reopen it in case of need.
So, to sum up, only the CSP one will be refactored and included.