2019 OWASP China project summary
Walk with you
OWASP China Project
01
OWASP Top 10 Proactive Controls V3 (Chinese)
Introduction
The OWASP Top 10 Proactive Controls 2018 is a list of security techniques that should be considered and implemented in every software development project. It is written for developers, in particular those who are new to secure development.
One of the main goals of the document is to give developers concrete, practical guidance for building secure software. These controls should be applied proactively in the early stages of development, where they are most effective.
Top 10 Proactive Controls
The list is ordered by importance; the first item is the most important:
C1: Define Security Requirements
C2: Leverage Security Frameworks and Libraries
C3: Secure Database Access
C4: Encode and Escape Data
C5: Validate All Inputs
C6: Implement Digital Identity
C7: Enforce Access Controls
C8: Protect Data Everywhere
C9: Implement Security Logging and Monitoring
C10: Handle All Errors and Exceptions
Project team:
Project team leader: Wang Jie
Project team members: Guo Zhenxin, Li Rui, Li Yongkai, Qin Bo, Zhang Jinghe
Download
English version:
OWASP Top 10 Proactive Controls V3
Chinese version:
OWASP Top 10 Proactive Controls (Chinese version)
02
OWASP Top 10 Serverless Application Security Risks
Introduction
Starting from the 2017 edition of the OWASP Top 10, this report examines each of the ten risks from the following six angles:
*Possible new attack vectors for serverless applications;
*Why serverless applications are vulnerable to this kind of attack, and how;
*The business impact on the cloud account;
*Best practices and recommendations for preventing and mitigating the risk or attack;
*An attack scenario illustrating the possible weaknesses and how they could be exploited;
*Taking attack vector, security weakness, impact, and the ability to identify and mitigate the risk into account, is the risk higher, lower, or the same in serverless applications?
Project team:
Project team leaders: Xiao Wendi, Wang Jie
Project team members: Liu Xiaohui, Li Yuquan, Ming Min, Wang Bin
Download
English document:
https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
Chinese document:
OWASP Top 10 Serverless Application Security Risks (Chinese version)
03
OWASP IoT Top 10 2018 (Chinese)
Introduction
The OWASP IoT Project was started in 2014 to help developers, manufacturers, enterprises and consumers make better decisions when building and using IoT systems. The OWASP IoT Top 10, released in 2018, continues this idea: it uses a single list to describe the ten most important problems to avoid when building, deploying or managing an Internet of Things system, so that manufacturers, enterprises and consumers can address the highest-priority issues first.
Project team:
360 Code Guard team: Shen Shaohua, Han Jian, Zhang Lei
Kaiyuan Internet Security team: Cao Chuanyong, Zhang Haichun
Download
English document:
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10
Chinese document:
OWASP IoT Top 10 (Chinese version)
04
Blockchain Security Top 10 2019
Introduction
OWASP China set up a dedicated research group to collect, organize and analyze 160 typical blockchain security incidents from 2011 to 2019. The resulting ranking and descriptions are presented in this document, in the hope of helping blockchain practitioners and anyone concerned with blockchain security.
After reviewing threat assessment methods such as CVSS (Common Vulnerability Scoring System), the document rates each threat using objective data: the total direct economic loss caused by historical security incidents of that threat type. Total direct economic loss captures the two key factors of a threat assessment, the frequency of the threat (the number of incidents) and its impact (the direct economic loss). Direct economic loss is therefore sufficient to represent the size of a threat; because the data are relatively objective, the method avoids the large errors that subjective scoring introduces and is also easier to explain.
1) Advanced persistent threats
2) Runaway currency inflation
3) Ineffective permission control
4) Insecure consensus protocol
5) Flawed program logic
6) Loose business policy
7) Insufficiently strict transaction logic verification
8) Fragile random number mechanism
9) Defective incentive mechanism
10) Insufficient logging and monitoring
Project team:
Project team leader: Fu Shanyang
Project team members: Kevin Gu, Victor Fang, Wei Quan, Hou Xinjie, Jiang Xuxian, Song Fei, Wang Jie, Zhang Xudi
Download
Document download:
http://www.owasp.org.cn/owasp-project/533a575794fe5b895168top10
05
Evaluation Benchmark for Database Audit Systems
Introduction
The purpose of a database audit system is to help organizations that store and use data to comprehensively monitor and audit their core data: to understand what is happening to the data and to clearly and intuitively establish who did what to the data, when, from where, and with which tools. The industry has already produced database audit solutions, but because suitable evaluation criteria have been lacking, the effectiveness of database auditing could not be evaluated properly.
This benchmark is the foundational framework for building and evaluating database audit systems and states the general requirements such a system must meet. Its significance is that it:
a) provides a standard, common descriptive language for the design, implementation, construction, evaluation and auditing of database audit systems;
b) helps owners of database audit systems to draw up their system requirements;
c) helps database audit system vendors to deliver more scientific and standardized designs and services, and promotes the development of the industry;
d) helps the relevant administrative departments and evaluation and certification bodies to carry out security inspection, testing, auditing, evaluation and certification of database audit systems.
Scope: this benchmark applies to database audit systems.
Project team:
Shenzhen Angkai Technology Co., Ltd., Shenzhen Kaiyuan Internet Security Technology Co., Ltd.
Download
Document download:
Evaluation Benchmark for Database Audit Systems
06
Web Application Firewall Evaluation Benchmark v2.0
Introduction
WAF v2.0 redefines the overall testing framework on the basis of v1.0 and comprehensively expands it in three areas: new attacks, product performance (value-added services), and the security of the product itself. v1.0 was based mainly on traditional vulnerabilities and basic network-firewall-like functions; v2.0 trims and optimizes that base and adds the OWASP Top 10 2017 as the main extension for business-logic-layer protection, together with multi-dimensional rating of bypass defense and other items. Unless otherwise specified, the web application firewall under test must meet the requirements of this document during installation and configuration, and must meet them before, after and throughout the installation process.
Assessment content
A comprehensive vulnerability protection test is built out from the OWASP Top 10 risks. The system under test must effectively protect against the full range of security vulnerabilities, from traditional vulnerabilities to the business logic layer.
While identifying security vulnerabilities in order to protect web applications, the system under test must also fully protect itself and meet the required detection accuracy and false positive rate.
The stability with which the system under test performs its specified functions in a given environment and within a given time is tested.
The architecture, integration with other components, fault tolerance and scalability of the equipment under test are tested.
Project team:
Beijing Changting Technology Co., Ltd., Beijing Qiming Star Information Security Technology Co., Ltd., Beijing Shenzhou Lvmeng Technology Co., Ltd., Shenzhen Kaiyuan Internet Security Technology Co., Ltd., Sichuan Hong Micro Technology Co., Ltd., Xiamen Fuyun Information Technology Co., Ltd.
Download
Document download:
Implementation Rules for Web Application Firewall Assessment and Certification v2.0