OWASP
From Wikipedia, the free encyclopedia
The Open Web Application Security Project (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure.
OWASP is not affiliated with any technology company, although it supports the informed use of security technology. OWASP has avoided affiliation because it believes that freedom from organizational pressures makes it easier to provide unbiased, practical, cost-effective information about application security. OWASP advocates approaching application security by considering the people, process, and technology dimensions.
OWASP's most successful documents include the book-length OWASP Guide and the widely adopted OWASP Top 10 awareness document. The most widely used OWASP tools include the training environment WebGoat, the penetration testing proxy WebScarab, and the OWASP .NET tools. OWASP has roughly 100 local chapters around the world and thousands of participants on its project mailing lists. OWASP organizes the AppSec series of conferences to further build the application security community.
OWASP is also an emerging standards body: its first standard, the OWASP Application Security Verification Standard (ASVS), was published in December 2008. The primary aim of the OWASP ASVS Project is to normalize the range of coverage and the level of rigor available in the market for application-level security verification. The goal is a set of commercially workable open standards tailored to specific web-based technologies. A Web Application Edition has been published; a Web Service Edition is under development.
Projects
OWASP projects are broadly divided into two main categories: development projects and documentation projects. Its documentation projects currently consist of:
- OWASP Application Security Verification Standard (ASVS) - A standard for performing application-level security verifications.
- The Guide – A document that provides detailed guidance on web application security
- Top Ten Most Critical Web Application Vulnerabilities – A high-level document to help focus on the most critical issues
- Metrics – A project to define workable web application security metrics
- Legal – A project to help software buyers and sellers negotiate appropriate security in their contracts
- Testing Guide – A guide focused on effective web application security testing
- ISO 17799 – Supporting documents for organizations performing ISO 17799 reviews
- AppSec FAQ – Frequently asked questions and answers about application security
Development projects include:
- WebScarab - a web application vulnerability assessment suite including proxy tools
- Validation Filters – (Stinger for J2EE, filters for PHP) generic security boundary filters that developers can use in their own applications
- WebGoat - an interactive training and benchmarking tool in which users can learn about web application security in a safe and legal environment
- DotNet – a variety of tools for securing .NET environments.
- Enigform - A set of proof-of-concept client and server side applications to implement OpenPGP features into HTTP, such as Secure Session Management, Request/Response signing, and OpenPGP-Encrypted HTTP.
- ESAPI - OWASP Enterprise Security API (ESAPI) Project - A free and open collection of security methods needed to build secure web applications.
- AntiSamy - An enterprise web input validation and output encoding tool
- And many other application security tools
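The Validation Filters, ESAPI and AntiSamy projects listed above all address the same two controls: allow-list validation of untrusted input at the application boundary, and context-specific output encoding when that input is written back into a page. The following is an added illustration of those two controls written for this page; it is not code from any OWASP project (ESAPI and AntiSamy are Java libraries, whereas this example is self-contained Python), and the function names, the username rule and the sample payload are constructed for the example.

```python
import html
import json
import re

# Constructed sample: an untrusted form field carrying a typical reflected-XSS payload
# that tries to break out of both an HTML text node and a quoted attribute.
UNTRUSTED = '<script>alert(1)</script>" onmouseover="alert(2)'

# Boundary validation in the allow-list style of the Stinger filters: accept only
# values that match the expected shape, instead of trying to remove "bad" parts.
USERNAME_RE = re.compile(r'[A-Za-z0-9_.-]{1,32}')


def validate_username(value: str) -> bool:
    """Return True only if the whole value is a username-shaped token."""
    return USERNAME_RE.fullmatch(value) is not None


def strip_script_tags_weak(value: str) -> str:
    """Deny-list sanitizer, shown only as the approach to avoid.

    Removing the literal tag once is defeated by nesting: the inner tag is removed
    and the surrounding fragments reassemble into a working <script> tag.
    """
    return value.replace('<script>', '').replace('</script>', '')


def encode_for_html(value: str) -> str:
    """Entity-encode the characters that are significant in an HTML text node."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Same encoding as a text node; the template must still quote the attribute."""
    return html.escape(value, quote=True)


def encode_for_javascript(value: str) -> str:
    """Emit a JavaScript string literal that is safe inside an inline <script> block.

    json.dumps handles quotes and control characters; the extra replacements stop
    '</script>' from closing the block and make the literal safe in HTML context.
    """
    literal = json.dumps(value)
    for ch, esc in (('<', '\\u003c'), ('>', '\\u003e'), ('&', '\\u0026'),
                    ('\u2028', '\\u2028'), ('\u2029', '\\u2029')):
        literal = literal.replace(ch, esc)
    return literal


def render_profile(display_name: str) -> str:
    """Render the same untrusted value into three different output contexts,
    applying the encoder that matches each context."""
    return (
        f'<p>Hello, {encode_for_html(display_name)}</p>\n'
        f'<input name="display" value="{encode_for_html_attribute(display_name)}">\n'
        f'<script>var displayName = {encode_for_javascript(display_name)};</script>'
    )


if __name__ == '__main__':
    print('valid username?', validate_username(UNTRUSTED))
    print(strip_script_tags_weak('<scr<script>ipt>alert(1)</scr</script>ipt>'))
    print(render_profile(UNTRUSTED))
```

The point the example makes is that encoding is chosen by the output context, not by the input: the same value needs one encoder in a text node and another inside a script block, and a deny-list "sanitizer" that merely deletes a tag is bypassed by a nested copy of that tag.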
History
OWASP was started in 2000. The OWASP Foundation, a 501(c)(3) organization (in the USA) was established in 2004 and supports the OWASP infrastructure and projects. OWASP is not about individual recognition but community knowledge sharing. The OWASP Leaders are responsible for making decisions about technical direction, project priorities, schedule, and releases. Collectively, the OWASP Leaders can be thought of as the management of the OWASP Foundation.
OWASP has three employees and very low expenses, which are covered by conferences, corporate sponsors and banner advertisements. Each year OWASP awards thousands of dollars of corporate and individual membership dues as grants to promising application security research projects.