OWASP

The Open Web Application Security Project[7] (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software, and web application security.[8][9][10] OWASP provides free and open resources and is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

OWASP
  • Founded: 2001[1]
  • Founder: Mark Curphey[1]
  • Type: 501(c)(3) nonprofit organization
  • Focus: Web security, application security, vulnerability assessment
  • Method: Industry standards, conferences, workshops
  • Board of directors: Avi Douglen, Chair; Matt Tesauro, Vice-Chair; Bil Corry, Treasurer; Ricardo Griffith, Secretary; Kevin Johnson, Member-at-Large; Sam Stepanyan, Member-at-Large; Steve Springett, Member-at-Large[2]
  • Key people: Andrew van der Stock, Executive Director; Kelly Santalucia, Director of Events and Corporate Support; Harold Blankenship, Director of Technology and Projects; Jason C. McDonald, Director of Community Development; Dawn Aitken, Operations Manager; Lauren Thomas, Event Coordinator[3]
  • Revenue (2017): $2.3 million[4]
  • Employees: 0 (2020)[5]
  • Volunteers: approx. 13,000 (2017)[6]
  • Website: owasp.org

History

Mark Curphey started OWASP on September 9, 2001.[1] Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. As of 2015, Matt Konda chaired the Board.[11]

The OWASP Foundation, a 501(c)(3) non-profit organization in the US established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP has also been registered as a non-profit organization in Belgium under the name OWASP Europe VZW.[12]

In February 2023, Bil Corry, an OWASP Foundation Global Board of Directors officer,[13] reported on Twitter[7] that the board had voted to rename the organization from the Open Web Application Security Project to its current name, replacing "Web" with "Worldwide".

Publications and resources

  • OWASP Top Ten: The "Top Ten", first published in 2003, is regularly updated.[14] It aims to raise awareness about application security by identifying some of the most critical risks facing organizations.[15][16][17] Many standards, books, tools, and organizations reference the Top 10 project, including MITRE, PCI DSS,[18] the Defense Information Systems Agency (DISA-STIG), and the United States Federal Trade Commission (FTC).[19]
  • OWASP Software Assurance Maturity Model: The Software Assurance Maturity Model (SAMM) project's mission is to provide an effective and measurable way for all types of organizations to analyze and improve their software security posture. A core objective is to raise awareness and educate organizations on how to design, develop, and deploy secure software through a flexible self-assessment model. SAMM supports the complete software lifecycle and is technology and process agnostic. The SAMM model is designed to be evolutive and risk-driven in nature, acknowledging there is no single recipe that works for all organizations.[20]
  • OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
  • OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. Version 4 was published in September 2014, with input from 60 individuals.[21]
  • OWASP Code Review Guide: The code review guide is currently at release version 2.0, released in July 2017.
  • OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.[22]
  • OWASP XML Security Gateway (XSG) Evaluation Criteria Project.[23]
  • OWASP Top 10 Incident Response Guidance: This project provides a proactive approach to Incident Response planning. The intended audience of this document ranges from business owners to security engineers, developers, auditors, program managers, law enforcement, and legal counsel.[24]
  • OWASP ZAP Project: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience including developers and functional testers who are new to penetration testing.
  • Webgoat: a deliberately insecure web application created by OWASP as a guide for secure programming practices.[1] Once downloaded, the application comes with a tutorial and a set of different lessons that instruct students how to exploit vulnerabilities with the intention of teaching them how to write code securely.
  • OWASP AppSec Pipeline: The Application Security (AppSec) Rugged DevOps Pipeline Project is a place to find information needed to increase the speed and automation of an application security program. AppSec Pipelines take the principles of DevOps and Lean and apply them to an application security program.[25]
  • OWASP Automated Threats to Web Applications: Published in July 2015,[26] the OWASP Automated Threats to Web Applications Project aims to provide definitive information and other resources for architects, developers, testers, and others to help defend against automated threats such as credential stuffing. The project outlines the top 20 automated threats as defined by OWASP.[27]
  • OWASP API Security Project: Focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security[28] risks of Application Programming Interfaces (APIs). It includes the most recent list, the API Security Top 10 (2023).[29]

Awards

The OWASP organization received the 2014 Haymarket Media Group SC Magazine Editor's Choice award.[9][30]

See also

  • Open Source Security Foundation
References

  1. Huseby, Sverre (2004). Innocent Code: A Security Wake-Up Call for Web Programmers. Wiley. p. 203. ISBN 0470857447.
  2. "OWASP Foundation Global Board". OWASP. February 14, 2023. Retrieved March 20, 2023.
  3. "OWASP Foundation Staff". OWASP. February 12, 2023. Retrieved May 3, 2022.
  4. "OWASP FOUNDATION INC". Nonprofit Explorer. ProPublica. May 9, 2013. Retrieved January 8, 2020.
  5. "OWASP Foundation's Form 990 for fiscal year ending Dec. 2020". October 29, 2021. Retrieved January 18, 2023 – via ProPublica Nonprofit Explorer.
  6. "OWASP Foundation's Form 990 for fiscal year ending Dec. 2017". October 26, 2018. Retrieved January 8, 2020 – via ProPublica Nonprofit Explorer.
  7. "Web" to "Worldwide". Bil Corry on Twitter.
  8. "OWASP top 10 vulnerabilities". developerWorks. IBM. April 20, 2015. Retrieved November 28, 2015.
  9. "SC Magazine Awards 2014" (PDF). Media.scmagazine.com. Archived from the original (PDF) on September 22, 2014. Retrieved November 3, 2014.
  10. "OWASP Internet of Things". Retrieved December 26, 2023.
  11. "Board". OWASP. Archived September 16, 2017, at the Wayback Machine. Retrieved February 27, 2015.
  12. "OWASP Europe". OWASP. 2016.
  13. "Global Board". OWASP.
  14. "OWASP Top Ten Project". owasp.org.
  15. Trevathan, Matt (October 1, 2015). "Seven Best Practices for Internet of Things". Database and Network Journal. Archived from the original on November 28, 2015.
  16. Crosman, Penny (July 24, 2015). "Leaky Bank Websites Let Clickjacking, Other Threats Seep In". American Banker. Archived from the original on November 28, 2015.
  17. Pauli, Darren (December 4, 2015). "Infosec bods rate app languages; find Java 'king', put PHP in bin". The Register. Retrieved December 4, 2015.
  18. "Payment Card Industry (PCI) Data Security Standard" (PDF). PCI Security Standards Council. November 2013. p. 55. Retrieved December 3, 2015.
  19. "Open Web Application Security Project Top 10 (OWASP Top 10)". Knowledge Database. Synopsys, Inc. 2017. Retrieved July 20, 2017. "Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives."
  20. "What is OWASP SAMM?". OWASP SAMM. Retrieved November 6, 2022.
  21. Pauli, Darren (September 18, 2014). "Comprehensive guide to obliterating web apps published". The Register. Retrieved November 28, 2015.
  22. Baar, Hans; Smulters, Andre; Hintzbergen, Juls; Hintzbergen, Kees (2015). Foundations of Information Security Based on ISO27001 and ISO27002 (3rd ed.). Van Haren. p. 144. ISBN 9789401800129.
  23. "Category: OWASP XML Security Gateway Evaluation Criteria Project Latest". Owasp.org. Archived from the original on November 3, 2014. Retrieved November 3, 2014.
  24. "OWASP Incident Response Project". OWASP. Archived from the original on April 6, 2019. Retrieved December 12, 2015.
  25. "OWASP AppSec Pipeline". Open Web Application Security Project (OWASP). Archived from the original on January 18, 2020. Retrieved February 26, 2017.
  26. "AUTOMATED THREATS to Web applications" (PDF). OWASP. July 2015.
  27. "The list of automated threat events". OWASP.
  28. Mehta, Janki (May 8, 2023). "Mitigating OWASP Top 10 Vulnerabilities in 2023". EncryptedFence by Certera - A Complete Web Security Blog. Retrieved June 7, 2023.
  29. "OWASP API Security Project - OWASP Foundation". OWASP.
  30. "Winners | SC Magazine Awards". Awards.scmagazine.com. Archived from the original on August 20, 2014. Retrieved July 17, 2014. "Editor's Choice [...] Winner: OWASP Foundation".

External links

  • Official website