In a previous article, I briefly talked about the Open Web Application Security Project (OWASP), and based on some recent projects I wanted to shed more light on this incredible organization. Established in 2001, OWASP's mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about real software security risks. By publishing best practices, guidelines, advice and tools, OWASP has helped raise the security baseline of web applications. Unlike many other security organizations, OWASP's strength lies in an open, global community that is independent of commercial pressure, which lets it provide effective and innovative approaches to security. Organizations and practitioners alike can use OWASP resources to reduce the security exposure of their applications, with the level of trust that comes from an open community.
My first one-on-one interaction with OWASP was during one of my late Monday night security training courses. The class discussed in detail how to follow the OWASP Top 10 list and use that document as a guide for making sure applications are secure. That served as a catalyst for my understanding and use of OWASP resources. Without a doubt, the OWASP Top 10 is the most popular project in the community. Notably, the PCI Security Standards Council references it in PCI DSS, as do large companies such as Microsoft, Oracle and Citrix. In addition, the U.S. Defense Information Systems Agency (DISA) recommends using the Top 10 for the DoD Information Assurance Certification and Accreditation Process (DIACAP).
"So, what is the Top 10 all about?" you might ask. The value of the Top 10 is that it serves as an awareness document that identifies the most critical risks for organizations; the 2013 edition marks the 10th anniversary of the Top 10 (the previous edition was released in 2010). Each category, such as A1-Injection, which covers SQL injection among other injection flaws, describes the risk and points engineers to prevention guidance such as the OWASP cheat sheets. It should be noted that OWASP is not limited to the Top 10 list: there are many other projects covering guides, tools for both learning and day-to-day work, and code that you can use.
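To make the A1-Injection category concrete, here is an added example (not code from the original post or from OWASP): a SQL lookup written the injectable way beside the parameterized form the OWASP Query Parameterization cheat sheet recommends, plus the allow-list check you need for the case parameters cannot cover, namely identifiers such as a sort column. The table, rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from the original post): a small users table
# in an in-memory SQLite database so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # A1-Injection: untrusted input is concatenated straight into the SQL
    # text, so the input can change the structure of the query.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_parameterized(conn, username):
    # Hardened form: the value is bound as a parameter, so the database
    # treats it as data only. The query structure cannot change.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,)).fetchall()]


# Identifiers (table and column names) cannot be bound as parameters, so
# the cheat sheet approach is a strict allow-list before interpolating.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    query = "SELECT username FROM users ORDER BY " + column
    return [row[0] for row in conn.execute(query).fetchall()]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # classic tautology payload
    print("vulnerable:   ", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    print("sorted:       ", list_users_sorted(db, "username"))
```

Run as a script, the vulnerable lookup returns every user for the tautology payload while the parameterized lookup returns nothing, which is exactly the difference the A1-Injection entry is warning about. Note that parameterization alone does not cover `ORDER BY` or table names; that is why the allow-list is there.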
Throughout the last decade I have found OWASP to be a valuable resource, and I recommend it to all security practitioners. I'm happy to say that Ipswitch is now sponsoring OWASP so that the project can continue to improve security awareness. At Ipswitch we believe in OWASP's mission and core values, and we want to see the continued success of the OWASP community and to stay engaged with it. I definitely recommend checking out the projects and resources at OWASP if you haven't already.
I'm interested in hearing any tips or recommendations based on OWASP that you may have; please share them below in the comments section.