From Wikipedia, the free encyclopedia
Jump to: navigation, search
OWASP Logo.png
Founded April 21, 2004
Founder Mark Curphey
Type 501(c)(3) Nonprofit organization
Focus Web Security, Application Security, Vulnerability Assessment
Method Industry standards, Conferences, Workshops
Tobias Gondrom, Chairman; Josh Sokol, Vice-Chairman; Fabio Cerullo, Treasurer; Matt Konda, Secretary; Andrew van der Stock; Michael Coates; Jim Manico
Key people
Paul Ritchie, Executive Director; Kate Hartmann, Operations Director; Kelly Santalucia, Membership and Business Liaison; Alison McNamee, Accounting; Laura Grau, Event Manager; Noreen Whysel, Community Manager; Claudia Cassanovas, Project Coordinator
Website www.owasp.org

The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. It is also a registered non profit in Europe since June 2011.


OWASP was started on September 9, 2001 by Mark Curphey. Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. The current chair is Tobias Gondrom and the vice chair is Josh Sokol.[1] The OWASP Foundation, a 501(c)(3) non-profit organization (in the USA), was established in 2004 and supports the OWASP infrastructure and projects. Since 2011, OWASP is also registered as a non-profit organization in Belgium under the name of OWASP Europe VZW.

A published history of OWASP is online.[2]


OWASP maintains approximately 200 chapters in over 100 countries around the world. A complete list of chapters can be viewed on the website.[3] Chapters are run by volunteers and feature community events to discuss application security topics.

There are many large and very active chapters, including New York City, Austin, Tokyo, London, and many more.[4]


OWASP projects[5] are collections of related tasks that have a defined roadmap and team members; OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project, as well as promoting the project and building the team. OWASP projects are organized into the following categories:

  • Incubator projects - projects where ideas are still being proven and development is still underway.
  • Lab projects - projects that have produced an OWASP-reviewed deliverable of value.
  • Flagship projects - The Flagship designation is given to projects that have demonstrated superior maturity, established quality, and strategic value to OWASP and to application security as a whole.

Partial project list[edit]

  • OWASP Top Ten: The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more.
  • OWASP Software Assurance Maturity Model: The Software Assurance Maturity Model (SAMM) project is committed to building a usable framework to help organizations formulate and implement a strategy for application security that is tailored to the specific business risks facing the organization.
  • OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
  • OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.
  • OWASP Code Review Guide: The code review guide is currently at release version 1.1 and the second best selling OWASP book in 2008. Many positive comments have been feedback regarding this initial version and believe it’s a key enabler for the OWASP fight against software insecurity. It has even inspired individuals to build tools based on its information.
  • OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.
  • OWASP XML Security Gateway (XSG) Evaluation Criteria Project.[6]
  • OWASP ZAP Project: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
  • Webgoat: a deliberately insecure web application created by OWASP as a guide for secure programming practices. Once downloaded, the application comes with a tutorial and a set of different lessons that instruct students how to exploit vulnerabilities with the intention of teaching them how to write code securely.

Full inventory of projects


The OWASP organization received the 2014 SC Magazine Editors Choice award.[7][8]

See also[edit]


  1. ^ Board. OWASP. Retrieved on 2015-02-27.
  2. ^ Mark Curphey. "The Start of OWASP – A True Story - SourceClear". Blog.sourceclear.com. Retrieved 2014-07-17. 
  3. ^ "Local Chapters". OWASP. 2012-02-09. Retrieved 2014-07-17. 
  4. ^ "OWASP Chapter Locations". OWASP. 
  5. ^ "Category:OWASP Project". OWASP. Retrieved 2014-07-17. 
  6. ^ "Category:OWASP XML Security Gateway Evaluation Criteria Project Latest". Owasp.org. Retrieved November 3, 2014. 
  7. ^ "Winners | SC Magazine Awards". Awards.scmagazine.com. Retrieved 2014-07-17. 
  8. ^ "SC Magazine Awards 2014" (PDF). Media.scmagazine.com. Retrieved 3 November 2014. 

External links[edit]