OWASP

From Wikipedia, the free encyclopedia
OWASP
Founded: 2001[1]
Founder: Mark Curphey[1]
Type: 501(c)(3) Nonprofit organization
Focus: Web Security, Application Security, Vulnerability Assessment
Method: Industry standards, Conferences, Workshops
Key people:
  Tobias Gondrom, Chairman; Josh Sokol, Vice-Chairman; Fabio Cerullo, Treasurer; Matt Konda, Secretary; Andrew van der Stock; Michael Coates; Jim Manico
  Paul Ritchie, Executive Director; Kate Hartmann, Operations Director; Kelly Santalucia, Membership and Business Liaison; Alison McNamee, Accounting; Laura Grau, Event Manager; Noreen Whysel, Community Manager; Claudia Cassanovas, Project Coordinator
Volunteers: 42,000+
Website: www.owasp.org

The Open Web Application Security Project (OWASP) is an online community which creates freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.[2][3]

History

OWASP was started on September 9, 2001 by Mark Curphey.[1][4] Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. The current chair is Tobias Gondrom and the vice chair is Josh Sokol.[5]

The OWASP Foundation, a 501(c)(3) non-profit organization (in the USA), was established in 2004 and supports the OWASP infrastructure and projects. Since 2011, OWASP has also been registered as a non-profit organization in Belgium under the name OWASP Europe VZW.[citation needed]

Publications and resources

  • OWASP Top Ten: The Top Ten was first published in 2003 and is regularly updated.[6] Its goal is to raise awareness about application security by identifying some of the most critical risks facing organizations.[7][8][9] The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS,[10] Defense Information Systems Agency, FTC, and many more.
  • OWASP Software Assurance Maturity Model: The Software Assurance Maturity Model (SAMM) project is committed to building a usable framework to help organizations formulate and implement a strategy for application security that is tailored to the specific business risks facing the organization.
  • OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
  • OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. Version 4 was published in September 2014, with input from 60 individuals.[11]
  • OWASP Code Review Guide: The Code Review Guide is currently at release version 1.1 and was the second-best-selling OWASP book in 2008.
  • OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.[12]
  • OWASP XML Security Gateway (XSG) Evaluation Criteria Project.[13]
  • OWASP Top 10 Incident Response Guidance: This project provides a proactive approach to incident response planning. Its intended audience ranges from business owners to security engineers, developers, auditors, program managers, law enforcement, and legal counsel.
  • OWASP ZAP Project: The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience, including developers and functional testers who are new to penetration testing.
  • WebGoat: a deliberately insecure web application created by OWASP as a guide for secure programming practices.[1] Once downloaded, the application comes with a tutorial and a set of lessons that show students how vulnerabilities are exploited, with the intention of teaching them how to write code securely.

Awards

The OWASP organization received the 2014 SC Magazine Editor's Choice award.[14][3]

References

  1. ^ a b c d Huseby, Sverre (2004). Innocent Code: A Security Wake-Up Call for Web Programmers. Wiley. p. 203. ISBN 0470857447. 
  2. ^ "OWASP top 10 vulnerabilities". developerWorks. IBM. 20 April 2015. Retrieved 28 November 2015. 
  3. ^ a b "SC Magazine Awards 2014" (PDF). Media.scmagazine.com. Retrieved 3 November 2014. 
  4. ^ Curphey, Mark. "The Start of OWASP – A True Story - SourceClear". SRC:CLR. Retrieved 2014-07-17. 
  5. ^ Board. OWASP. Retrieved on 2015-02-27.
  6. ^ Cerullo, Fabio (2010). Web Application Security. Springer. p. 19. 
  7. ^ Trevathan, Matt (1 October 2015). "Seven Best Practices for Internet of Things". Database and Network Journal. Retrieved 28 November 2015 – via HighBeam (subscription required).
  8. ^ Crosman, Penny (24 July 2015). "Leaky Bank Websites Let Clickjacking, Other Threats Seep In". American Banker. Retrieved 28 November 2015 – via HighBeam (subscription required).
  9. ^ Pauli, Darren (4 December 2015). "Infosec bods rate app languages; find Java 'king', put PHP in bin". The Register. Retrieved 4 December 2015. 
  10. ^ "Payment Card Industry (PCI) Data Security Standard" (PDF). PCI Security Standards Council. November 2013. p. 55. Retrieved 3 December 2015. 
  11. ^ Pauli, Darren (18 September 2014). "Comprehensive guide to obliterating web apps published". The Register. Retrieved 28 November 2015. 
  12. ^ Baar, Hans; Smulters, Andre; Hintzbergen, Juls; Hintzbergen, Kees (2015). Foundations of Information Security Based on ISO27001 and ISO27002 (3 ed.). Van Haren. p. 144. ISBN 9789401800129. 
  13. ^ "Category:OWASP XML Security Gateway Evaluation Criteria Project Latest". Owasp.org. Retrieved November 3, 2014. 
  14. ^ "Winners | SC Magazine Awards". Awards.scmagazine.com. Archived from the original on August 20, 2014. Retrieved 2014-07-17. 

External links