OWASP explained

The Open Worldwide Application Security Project ^[7] (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security.^{[8] [9]} The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

History

Mark Curphey started OWASP on September 9, 2001.^[1] Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011., Matt Konda chaired the Board.^[10]

The OWASP Foundation, a 501(c)(3) non-profit organization in the US established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP is also registered as a non-profit organization in Belgium under the name of OWASP Europe VZW.^[11]

In February 2023, it was reported by Bil Corry, a OWASP Foundation Global Board of Directors officer,^[12] on Twitter that the board had voted for renaming from the Open Web Application Security Project to its current name, replacing Web with Worldwide.

Publications and resources

• OWASP Top Ten: The "Top Ten", first published in 2003, is regularly updated.^[13] It aims to raise awareness about application security by identifying some of the most critical risks facing organizations.^{[14] [15] [16]} Many standards, books, tools, and many organizations reference the Top 10 project, including MITRE, PCI DSS,^[17] the Defense Information Systems Agency (DISA-STIG), and the United States Federal Trade Commission (FTC),^[18]
• OWASP Software Assurance Maturity Model: The Software Assurance Maturity Model (SAMM) project's mission is to provide an effective and measurable way for all types of organizations to analyze and improve their software security posture. A core objective is to raise awareness and educate organizations on how to design, develop, and deploy secure software through a flexible self-assessment model. SAMM supports the complete software lifecycle and is technology and process agnostic. The SAMM model is designed to be evolutive and risk-driven in nature, acknowledging there is no single recipe that works for all organizations.^[19]
• OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
• OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. Version 4 was published in September 2014, with input from 60 individuals.^[20]
• OWASP Code Review Guide: The code review guide is currently at release version 2.0, released in July 2017.
• OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.^[21]
• OWASP XML Security Gateway (XSG) Evaluation Criteria Project.^[22]
• OWASP Top 10 Incident Response Guidance. This project provides a proactive approach to Incident Response planning. The intended audience of this document includes business owners to security engineers, developers, audit, program managers, law enforcement & legal council.^[23]
• OWASP ZAP Project: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience including developers and functional testers who are new to penetration testing.
• Webgoat: a deliberately insecure web application created by OWASP as a guide for secure programming practices.^[1] Once downloaded, the application comes with a tutorial and a set of different lessons that instruct students how to exploit vulnerabilities with the intention of teaching them how to write code securely.
• OWASP AppSec Pipeline: The Application Security (AppSec) Rugged DevOps Pipeline Project is a place to find information needed to increase the speed and automation of an application security program. AppSec Pipelines take the principles of DevOps and Lean and applies that to an application security program.^[24]
• OWASP Automated Threats to Web Applications: Published July 2015^[25] - the OWASP Automated Threats to Web Applications Project aims to provide definitive information and other resources for architects, developers, testers and others to help defend against automated threats such as credential stuffing. The project outlines the top 20 automated threats as defined by OWASP.^[26]
• OWASP API Security Project: focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). Includes the most recent list API Security Top 10 2023.^[27]

Awards

The OWASP organization received the 2014 Haymarket Media Group SC Magazine Editor's Choice award.^{[28] [29]}

See also

• Open Source Security Foundation

Notes and References

1. Book: Huseby, Sverre. Innocent Code: A Security Wake-Up Call for Web Programmers. registration. 2004. Wiley. 0470857447. 203.
2. Web site: OWASP Foundation Staff. OWASP. 12 February 2023. 3 May 2022.
3. Web site: OWASP Foundation Global Board. OWASP. 14 February 2023. 20 March 2023.
4. Web site: OWASP FOUNDATION INC. ProPublica. Nonprofit Explorer. May 9, 2013. 8 January 2020.
5. Web site: OWASP Foundation's Form 990 for fiscal year ending Dec. 2017. 26 October 2018. ProPublica Nonprofit Explorer. 8 January 2020.
6. Web site: OWASP Foundation's Form 990 for fiscal year ending Dec. 2020. 29 October 2021. ProPublica Nonprofit Explorer. 18 January 2023.
7. 1629165062207442944 . bilcorry . A change you might notice about @owasp, the Board voted to change the “W” from “Web” to “Worldwide”, making it the “Open Worldwide Application Security Project” . 2023-02-25 . 2024-07-07 . Bil . Corry.
8. Web site: OWASP top 10 vulnerabilities. 20 April 2015. developerWorks. IBM. 28 November 2015.
9. Web site: OWASP Internet of Things. 2023-12-26.
10. Web site: Board . 2015-02-27 . OWASP . https://web.archive.org/web/20170916053008/https://www.owasp.org/index.php/Board . 2017-09-16.
11. Web site: OWASP Europe . 2024-07-07 . OWASP . https://web.archive.org/web/20160417094223/https://www.owasp.org/index.php/Europe . 2016-04-17.
12. Web site: Global Board . live . https://web.archive.org/web/20240429110124/https://owasp.org/www-board/ . 2024-04-29 . 2024-07-07 . owasp.org . en.
13. Web site: OWASP Top Ten . live . https://web.archive.org/web/20240706131536/https://owasp.org/www-project-top-ten/ . 2024-07-06 . 2024-07-07 . owasp.org . en.
14. News: Seven Best Practices for Internet of Things. https://web.archive.org/web/20151128082719/https://www.highbeam.com/doc/1G1-432063283.html. dead. 28 November 2015. Trevathan. Matt. 1 October 2015. Database and Network Journal.
15. News: Leaky Bank Websites Let Clickjacking, Other Threats Seep In. https://web.archive.org/web/20151128082719/https://www.highbeam.com/doc/1G1-375828488.html. dead. 28 November 2015. Crosman. Penny. 24 July 2015. American Banker.
16. Web site: Infosec bods rate app languages; find Java 'king', put PHP in bin. Pauli. Darren. 4 December 2015. The Register. 4 December 2015.
17. Web site: Payment Card Industry (PCI) Data Security Standard. November 2013. PCI Security Standards Council. 55. 3 December 2015.
18. Web site: Open Web Application Security Project Top 10 (OWASP Top 10) . 2017 . Knowledge Database . Synopsys . Synopsys, Inc . 2017-07-20 . Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives..
19. Web site: What is OWASP SAMM? . 2022-11-06 . OWASP SAMM.
20. News: Comprehensive guide to obliterating web apps published. Pauli. Darren. 18 September 2014. The Register. 28 November 2015.
21. Book: Baar. Hans. Smulters. Andre. Hintzbergen. Juls. Hintzbergen. Kees. Foundations of Information Security Based on ISO27001 and ISO27002. 3. 2015. Van Haren. 9789401800129. 144.
22. Web site: Category:OWASP XML Security Gateway Evaluation Criteria Project Latest. Owasp.org. November 3, 2014. https://web.archive.org/web/20141103212323/https://www.owasp.org/index.php/Category:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project_Latest. November 3, 2014. dead.
23. Web site: OWASP Incident Response Project - OWASP . December 12, 2015 . https://web.archive.org/web/20190406184056/https://www.owasp.org/index.php/OWASP_Incident_Response_Project . April 6, 2019 . dead.
24. Web site: OWASP AppSec Pipeline. Open Web Application Security Project (OWASP). 26 February 2017. January 18, 2020. https://web.archive.org/web/20200118102518/https://owasp.org/www-project-appsec-pipeline. dead.
25. Web site: AUTOMATED THREATS to Web applications . July 2015 . OWASP.
26. Web site: OWASP Automated Threats to Web Applications . live . https://web.archive.org/web/20240629004719/https://owasp.org/www-project-automated-threats-to-web-applications/ . 2024-06-29 . 2024-07-07 . owasp.org . en.
27. Web site: OWASP API Security Project - OWASP Foundation. OWASP.
28. Web site: SC Magazine Awards 2014. Media.scmagazine.com. 3 November 2014. https://web.archive.org/web/20140922094528/http://media.scmagazine.com/documents/64/botn2014sm_15794.pdf. September 22, 2014. dead.
29. Web site: Winners | SC Magazine Awards. Awards.scmagazine.com . 2014-07-17 . dead. https://web.archive.org/web/20140820004509/http://awards.scmagazine.com/Winners2014. August 20, 2014 . Editor's Choice [...] Winner: OWASP Foundation.