Guide to the OWASP Application Security Top Ten

Tuesday, May 01, 2012

Fergal Glynn

68b48711426f3b082ab24e5746a66b36

Every vibrant technology marketplace needs an unbiased source of information on best practices as well as an active body advocating open standards.

In the Application Security space, one of those groups is the Open Web Application Security Project (or OWASP for short).

OWASP operates as a non-profit and is not affiliated with any technology company, which means it is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide.

Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security. All of its articles, methodologies and technologies are made available free of charge to the public. OWASP maintains roughly 100 local chapters and counts thousands of members.

OWASP was started in 2001 and has operated since 2004 as the 501(c)(3) charitable OWASP Foundation which supports its infrastructure and projects. Its leadership is completely volunteer and makes decisions about technical direction, project priorities, schedule, and releases.

OWASP has only three employees to keep its operating costs low. OWASP collects corporate and individual membership dues and conference fees to award grants each year to promising AppSec research projects.

OWASP projects fall into two basic categories: development projects and documentation projects. Some of the foundation’s more influential work includes:

  • To advance routine testing of web applications, OWASP developed WebScarab, an open source enterprise-level security scanning tool
  • Secure development training is a large part of OWASP’s mission – so it created and maintains an deliberately insecure application called WebGoat solely as a teaching tool
  • OWASP became an emerging standards body with the publication of its first open standard in 2008, the OWASP Application Security Verification Standard (ASVS). The ASVS Project aims to create a set of commercial standards for performing rigorous application-level security verification on a number of web-based technologies.
  • Other OWASP projects are involved with advancing specific programming languages, functions and applications

OWASP hosts a number of global, regional and local events under the AppSec Conference banner. This important organization would tell any information security professional that the best way to understand the community’s mission is to become involved.

Learn more:

Cross-posted from Veracode

Possibly Related Articles:
13726
Network->General
Information Security
OWASP Web Application Security Secure Coding Guidelines Standards Software Security Assurance Information Security Infosec Resources
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.