OWASP

The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. It is also a registered non profit in Europe since June 2011.

OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS).^[1] The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published. A Web Service Edition is under development.

Projects

OWASP projects is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. There are over 130 active OWASP Projects, and new project applications are submitted every week.

All OWASP tools, document, and code library projects are organized into the following categories: PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws. DETECT - These are tools and documents that can be used to find security-related design and implementation flaws. LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

Partial project list

• OWASP Application Security Verification Standard (ASVS) – A standard for performing application-level security verifications.

• OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.

• OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.

• OWASP Code Review Guide: The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information.

• OWASP ZAP Project: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

• OWASP Top Ten: The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more.

• OWASP Software Assurance Maturity Model: The Software Assurance Maturity Model (SAMM) project is committed to building a usable framework to help organizations formulate and implement a strategy for application security that's tailored to the specific business risks facing the organization.

• Webgoat - a deliberately insecure web application created by OWASP as a guide for secure programming practices. Once downloaded, the application comes with a tutorial and a set of different lessons that instruct students how to exploit vulnerabilities with the intention of teaching them how to write code securely.

History

OWASP was started on September 9, 2001 By Mark Curphey and Dennis Groves. Since late 2003, Jeff Williams served as the volunteer Chair of OWASP until September 2011. The current chair is Michael Coates, and vice chair is Eoin Keary. The OWASP Foundation, a 01(c)(3) organization (in the USA) was established in 2004 and supports the OWASP infrastructure and projects. Since 2011, OWASP is also registered as a non-profit organization registered in Belgium under the name of OWASP Europe VZW.

OWASP expenses are covered by conferences, corporate sponsors and banner advertisements.

See also

• Computer security

References

1. http://www.owasp.org/index.php/ASVS

External links

• Official website