Discussion about excluded cheat sheet from the migration #13
Comments
I agree with your judgment. In my opinion Content Security Policy and PL SQL Security should be refactored and updated. The rest of the excluded CSs should be deleted.
Thank you very much for your feedback.
I have added a comment for the XSS Filter Evasion Cheat Sheet.
I have a problem with the XSS Filter Evasion Cheat Sheet because, as you mentioned, this is the offensive side but all other CSs are about defence. The question for me is: do we want to have attack CSs at all?
Yes we do. It's a great addition.
The CS project is a defender-classified project so, in my opinion, it makes no sense to add an attacker CS because in its mindset, the CS project is for development teams, not for pentesters...
It's just my point of view in order to keep the project consistent with its foundation.
I agree on the above.
For the security testing, I think that the idea was to guide an assessment, but the WTG is complete and does the job. For the CSP, I think that the goal of the CS should not be to explain what CSP is, because there are already good articles on the Internet, but to propose different approaches to build an effective CSP (v3) for different common cases like an existing legacy app, a new modern app, the setup of a purchased product and CSP in a reverse proxy...
@ThunderSon has started to refactor the CSP CS.
I close the issue: more than a month without other reaction.
The following cheat sheets are subject to discussion about the need to be migrated or discarded.
The reason for my decision to open the discussion on these cheat sheets relates to either the quality or the added value of the content provided.
Content Security Policy
I think that the content of this CS is too old and needs to be deeply refactored and I think they currently do not bring added value to a dev team.
✅ Refactored and released by @ThunderSon
PL SQL Security
I think that the content of this CS needs to be more thorough and I think it currently does not bring added value to a dev team.
Secure SDLC
I think that this CS is not needed because the OWASP Open SAMM project is dedicated to this topic.
Security Testing
The CS does not add any value and the content is too light.
Web Application Security Testing
I think that this CS is not needed because the OWASP Testing Guide project is dedicated to this topic and there is this project for a checklist about the OTG.
Web Service Security Testing
Same remarks as for the Web Application Security Testing CS.
OWASP TOP 10
I think that this CS is not needed because the OWASP ASVS project and the OWASP Proactive Controls project are dedicated to helping developers. Moreover, the OWASP TOP 10 should only be used for awareness operations...
Secure Coding
I think that this CS is not needed because the OWASP ASVS project should be used for code review operations.
XSS Filter Evasion
The CS project is oriented towards defense and prevention. This CS is oriented towards attack, so I think it must be re-classified into the Attack category of the OWASP wiki.
Feel free to post a comment, it's the reason for the existence of this post 😃