Here is a two page cheat sheet for the OWASP Top 10 2010.
OWASP Top 10 2010 Cheat Sheet (100 kb PDF)
Print it double-sided to make a single sheet of paper and hand it out to all your developers for free – it’s licensed under a Creative Commons Attribution-ShareAlike license. Once I’ve had a bit of feedback and I’ve tweaked it a bit, I’ll donate it to OWASP.
This cheat sheet is an unapologetically developer centric list of things to do right.
I’ve made it as simple as possible by only including things that I personally know will work with the least amount of (re-)work. Therefore, I have purposely left out all the different alternatives. You can (and probably will) have differing views on how to do it better.
The cheat sheet assumes the reader knows how to program, use a search engine and thus find OWASP. I might have to change these assumptions.
I’d love to hear feedback. Comments or e-mail will work fine.
Hi Andrew,
I like this approach to helping developers. It is similar to something I have been promoting for a while now called the Principles of Secure Web Development.
I’d rather focus on the things a developer should do right instead of the things an attacker might do.
More details on the principles can be found on my website or by listening to a soon-to-be-published OWASP podcast I recorded recently 🙂
SN
Useful, thanks!
Hi Andrew,
I think it’s a very useful document, but it lacks operational solutions, i.e. you have referenced ESAPI modules for prevention only, but if anyone knew ESAPI well enough s/he wouldn’t need a top ten cheat sheet at all!
Provide some alternate solutions, such as libraries for XSS or Prepared Statements for injections.
Regards
AbiusX
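To illustrate the "Prepared Statements for injections" alternative the comment above asks for, here is an added example that is not part of the original post, the cheat sheet, or ESAPI. It assumes nothing beyond Python's standard `sqlite3` module and a small constructed `users` table; it puts the string-concatenation query that OWASP Top 10 2010 A1 (Injection) warns about next to the parameterized form, so the difference in behaviour can be checked on the same input.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the post).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    # Note that even the seed data is inserted with bound parameters.
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the untrusted value is spliced into the SQL text,
    so the database parses whatever the caller supplied as part of the query."""
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the SQL text is fixed and the value is passed
    separately as a bound parameter, so it can never change the query's shape."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username: str) -> dict:
    """Run both lookups against a fresh database and return their results."""
    conn = build_db()
    try:
        return {
            "unsafe": find_user_unsafe(conn, username),
            "safe": find_user_safe(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves identically in both versions.
    print("normal input:", compare("bob"))
    # A value containing SQL syntax only affects the concatenated version;
    # the prepared statement simply finds no user with that literal name.
    print("hostile input:", compare("x' OR '1'='1"))
```

Running the script shows both functions returning `['bob']` for the ordinary name, while for the value containing quote characters the concatenated query returns every row and the parameterized query returns an empty list. The prepared statement needs no escaping code at all, which is why it is the lowest-effort fix to recommend to developers.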