The open-source application security project known as the Open Web Application Security Project (OWASP) was set up to develop knowledge-based documentation and software tools used for Web application security. Mark Curphey and Dennis Groves started OWASP in 2001. Jeff Williams served as the volunteer Chair of the organization from 2003 through 2011. Michael Coates is the current chair. OWASP has three employees and low expenses. Any expenses are covered by banner ads, conferences and corporate sponsorships. The organization presents thousands of dollars of individual and corporate grants and dues to various research projects targeted at the OWASP community. This community includes:
• Educational organizations
This community works together to create articles, documentation, tools and technologies that are freely available to the public. OWASP projects are managed and supported by the OWASP Foundation, a 501(c)(3) charitable organization. OWASP is not affiliated with any specific technology-based company. However, the organization does support the use of security technology. OWASP places an emphasis on making technology work for people, not the other way around. The emphasis is on practical, unbiased, cost-effective information specific to application security. OWASP projects fall into two basic categories: development projects and documentation projects. Current documentation projects supported by OWASP include:
• The Guide – A document designed to provide guidance related to web application security.
• OWASP Application Security Verification Standard – A specific standard on how to perform certain application-level security verifications.
• Top Ten Most DotNet – This document presents a ranking of tools used to secure .Net environments.
• Enigform – This project provides a set of proof-of-concept server and client-based applications used to initiate OpenPGP features in HTTP format. Some of these features include: OpenPGP-Encrypted HTTP, Secure Session Management and Request/Response signing.
• ESAPI – This project is an open and free collection of various security methods used to construct web applications that are secure.
• AntiSamy – This is a Web-based input validation and output encoding tool.
• WebScarab – This project is a proxy server for HTTP formats used to examine, intercept and modify the content of packets. This service helps give a user a better understanding of what is being sent to and from various Web-based servers. The goal is to discover vulnerabilities in the system.
• Webgoat – This Web-based application is designed as a guide for secure programming practices. A tutorial and related lessons provide instruction on vulnerabilities to teach students how to write code securely.
Expanding the Application Security Community
The most successful documents created by OWASP include the OWASP Guide, the OWASP Top Ten awareness document and OWASP Code Review Guide. Information is distributed through approximately 100 chapters located throughout the world with mailing lists that reach into the thousands. OWASP organizes conferences throughout the year to further develop the application security community.
OWASP is also working to establish itself as a standards body. The first step in this direction was the publication of the OWASP Application Security Verification Standard in 2008. The goal with projects like this is to develop standards for application-level security verification. OWASP is working to create commercially applicable standards specific to certain Web-based technologies. OWASP plans to release updated guides and additional documentation to achieve this goal.
Thanks to our friends at NetQin for the content contribution.