OWASP: Difference between revisions

Edit summary of the older revision: →See also: lose CERT (you could put CERT everywhere in security), add WASC
Edit summary of the current revision: →Security Fundamentals: “ - ” × 12; random space
(426 intermediate revisions by more than 100 users not shown)

Lines prefixed with − are text of the older revision that the current revision no longer contains; all other lines are the current revision's wikitext.

{{Short description|Computer security organization}}

− The '''Open Web Application Security Project''' (OWASP) is an open-source application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a [[501(c)(3)]] charitable organization that supports and manages OWASP projects and infrastructure.

{{COI|date=December 2022}}

{{Infobox organization/Wikidata
| name = OWASP
| logo = OWASP black logo.svg
| logo_size =
| type = [[501(c)(3) organization|501(c)(3)]] [[nonprofit organization]]
| founded_date = 2001<ref name="ICSH">{{cite book|last= Huseby|first= Sverre|title= Innocent Code: A Security Wake-Up Call for Web Programmers|url= https://archive.org/details/innocentcodesecu0000huse|url-access= registration|year= 2004|publisher= Wiley|isbn= 0470857447|page= [https://archive.org/details/innocentcodesecu0000huse/page/203 203]}}</ref>
| founder = Mark Curphey<ref name="ICSH"/>
| location =
| origins =
| key_people = Andrew van der Stock, Executive Director; Kelly Santalucia, Director of Events and Corporate Support; Harold Blankenship, Director of Technology and Projects; Jason C. McDonald, Director of Community Development; Dawn Aitken, Operations Manager; Lauren Thomas, Event Coordinator<ref name="owasp-staff">{{cite web|url=https://owasp.org/corporate/|title=OWASP Foundation Staff|publisher=OWASP|date=12 February 2023|access-date=3 May 2022}}</ref>
| board_of_directors = Avi Douglen, Chair; Matt Tesauro, Vice-Chair; Bil Corry, Treasurer; Ricardo Griffith, Secretary; Kevin Johnson, Member-at-Large; Sam Stepanyan, Member-at-Large; Steve Springett, Member-at-Large<ref name="owasp-board">{{cite web|url=https://owasp.org/www-board/#div-board|title=OWASP Foundation Global Board|publisher=OWASP|date=14 February 2023|access-date=20 March 2023}}</ref>
| area_served =
| focus = Web security, application security, vulnerability assessment
| method = Industry standards, conferences, workshops
| revenue = {{decrease}} $2.3 million<ref name="nonprofit-explorer">{{cite web|url=https://projects.propublica.org/nonprofits/organizations/200963503|title=OWASP FOUNDATION INC|publisher=[[ProPublica]]|work=Nonprofit Explorer|date=May 9, 2013|access-date=8 January 2020}}</ref>
| revenue_year = 2017
| endowment =
| num_volunteers = approx. 13,000 (2017)<ref name="nonprofit-explorer-full-2017">{{cite web|url=https://projects.propublica.org/nonprofits/organizations/200963503/201842999349300619/full|title=OWASP Foundation's Form 990 for fiscal year ending Dec. 2017|date=26 October 2018|via=ProPublica Nonprofit Explorer|access-date=8 January 2020}}</ref>
| num_employees = 0 (2020)<ref name="nonprofit-explorer-full-2020">{{cite web|url=https://projects.propublica.org/nonprofits/organizations/200963503/202103029349301825/full|title=OWASP Foundation's Form 990 for fiscal year ending Dec. 2020|date=29 October 2021|via=ProPublica Nonprofit Explorer|access-date=18 January 2023}}</ref>
| num_members =
| owner =
| slogan =
| homepage = {{URL|https://owasp.org}}
| dissolved =
| footnotes =
| fetchwikidata =ALL
}}

{{Use mdy dates|date=August 2012}}

− OWASP is not affiliated with any technology company, although it supports the informed use of security technology. OWASP has avoided affiliation as it believes freedom from organizational pressures may make it easier for it to provide unbiased, practical, cost-effective information about application security.{{Fact|date=June 2007}} OWASP advocates approaching application security by considering the people, process, and technology dimensions.

The '''Open Web Application Security Project'''<ref name=namechangetweet>{{Cite tweet |number=1629165062207442944 |user=bilcorry |title=A change you might notice about @owasp , the Board voted to change the “W” from “Web” to “Worldwide”, making it the “Open Worldwide Application Security Project” |date=2023-02-25 |access-date=2024-07-07 |first=Bil |last=Corry}}</ref> ('''OWASP''') is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of [[Internet of things|IoT]], system software and [[web application security]].<ref>{{cite web|url= https://www.ibm.com/developerworks/library/se-owasptop10/|title= OWASP top 10 vulnerabilities|date= 20 April 2015|work= developerWorks|publisher= IBM|access-date= 28 November 2015}}</ref><ref name="SCmag14"/><ref>{{cite web|url=https://owasp.org/www-project-internet-of-things/|title= OWASP Internet of Things|access-date= 2023-12-26}}</ref> OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

− OWASP's most successful documents include the book-length [http://www.owasp.org/index.php/OWASP_Guide_Project OWASP Guide] and the widely adopted [http://www.owasp.org/index.php/OWASP_Top_Ten_Project OWASP Top 10] awareness document.{{Fact|date=June 2007}} The most widely used OWASP tools include their training environment [http://www.owasp.org/index.php/OWASP_WebGoat_Project WebGoat], their penetration testing proxy [http://www.owasp.org/index.php/OWASP_WebScarab_Project WebScarab], and their [http://www.owasp.org/index.php/Category:OWASP_.NET_Project OWASP .NET] tools. OWASP includes roughly 100 [http://www.owasp.org/index.php/Category:OWASP_Chapter local chapters] around the world and thousands of participants on the project mailing lists. OWASP has organized the [http://www.owasp.org/index.php/Category:OWASP_AppSec_Conference AppSec] series of conferences to further build the application security community.

==History==

Mark Curphey started OWASP on September 9, 2001.<ref name="ICSH"/> Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. {{As of | 2015}}, Matt Konda chaired the Board.<ref>{{Cite web |url=https://www.owasp.org/index.php/Board |title=Board |access-date=2015-02-27 |website=OWASP |archive-url=https://web.archive.org/web/20170916053008/https://www.owasp.org/index.php/Board |archive-date=2017-09-16}}</ref>

− [http://www.owasp.org/index.php/Category:OWASP_Project OWASP projects] are broadly divided into two main categories: development projects and documentation projects. Its documentation projects currently consist of:
− * The Guide – A document that provides detailed guidance on web application security
− * Top Ten Most Critical Web Application Vulnerabilities – A high-level document to help focus on the most critical issues
− * Metrics – A project to define workable web application security metrics
− * Legal – A project to help software buyers and sellers negotiate appropriate security in their contracts
− * Testing Guide – A guide focused on effective web application security testing
− * [[ISO 17799]] – Supporting documents for organizations performing ISO17799 reviews
− * AppSec FAQ – Frequently asked questions and answers about application security

The OWASP Foundation, a 501(c)(3) non-profit organization in the US established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP has also been registered as a non-profit organization in Belgium under the name OWASP Europe VZW.<ref>{{Cite web |url=https://www.owasp.org/index.php/Europe |title=OWASP Europe |access-date=2024-07-07 |website=OWASP |archive-url=https://web.archive.org/web/20160417094223/https://www.owasp.org/index.php/Europe |archive-date=2016-04-17}}</ref>

− Development projects include:
− * [[WebScarab]] – a web application vulnerability assessment suite including proxy tools
− * Validation Filters – (Stinger for J2EE, filters for PHP) generic security boundary filters that developers can use in their own applications
− * [[WebGoat]] – an interactive training and benchmarking tool with which users can learn about web application security in a safe and legal environment
− * DotNet – a variety of tools for securing .NET environments
− * And many other application security tools

In February 2023, Bil Corry, an officer of the OWASP Foundation Global Board of Directors,<ref>{{Cite web |title=Global Board |url=https://owasp.org/www-board/ |url-status=live |archive-url=https://web.archive.org/web/20240429110124/https://owasp.org/www-board/ |archive-date=2024-04-29 |access-date=2024-07-07 |website=owasp.org |language=en}}</ref> reported on Twitter<ref name=namechangetweet /> that the board had voted to rename the Open Web Application Security Project to its current name, replacing "Web" with "Worldwide".

− ==History==
− OWASP was started in 2000. The OWASP Foundation, a 501(c)(3) organization (in the USA) was established in 2004 and supports the OWASP infrastructure and projects. OWASP is not about individual recognition but community knowledge sharing. The OWASP Leaders are responsible for making decisions about technical direction, project priorities, schedule, and releases. Collectively, the OWASP Leaders can be thought of as the management of the OWASP Foundation.

==Publications and resources==

− OWASP has no employees and very low expenses, which are covered by conferences and a single banner advertisement. OWASP awards 100% of corporate and individual [http://www.owasp.org/index.php/Membership membership] dues as [http://www.owasp.org/index.php/OWASP_Grants grants] to promising application security research projects.

* OWASP Top Ten: The "Top Ten", first published in 2003, is regularly updated.<ref>{{Cite web |title=OWASP Top Ten |url=https://owasp.org/www-project-top-ten/ |url-status=live |archive-url=https://web.archive.org/web/20240706131536/https://owasp.org/www-project-top-ten/ |archive-date=2024-07-06 |access-date=2024-07-07 |website=owasp.org |language=en}}</ref> It aims to raise awareness about application security by identifying some of the most critical risks facing organizations.<ref>{{cite news|url= https://www.highbeam.com/doc/1G1-432063283.html|archive-url= https://web.archive.org/web/20151128082719/https://www.highbeam.com/doc/1G1-432063283.html|url-status= dead|archive-date= 28 November 2015|title= Seven Best Practices for Internet of Things|last= Trevathan|first= Matt|date= 1 October 2015|work= Database and Network Journal}}</ref><ref>{{cite news|url= https://www.highbeam.com/doc/1G1-375828488.html|archive-url= https://web.archive.org/web/20151128082719/https://www.highbeam.com/doc/1G1-375828488.html|url-status= dead|archive-date= 28 November 2015|title= Leaky Bank Websites Let Clickjacking, Other Threats Seep In|last= Crosman|first= Penny|date= 24 July 2015|work= American Banker}}</ref><ref>{{cite web|url= https://www.theregister.co.uk/2015/12/04/veracode_programming_languages/|title= Infosec bods rate app languages; find Java 'king', put PHP in bin|last= Pauli|first= Darren|date= 4 December 2015|work= The Register|access-date= 4 December 2015}}</ref> Many standards, books, tools, and organizations reference the Top 10 project, including MITRE, [[Payment Card Industry Data Security Standard|PCI DSS]],<ref>{{cite web|url= https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf|title= Payment Card Industry (PCI) Data Security Standard|date= November 2013|publisher= PCI Security Standards Council|page= 55|access-date= 3 December 2015}}</ref> the [[Defense Information Systems Agency]] ([[Security Technical Implementation Guide|DISA-STIG]]), and the United States [[Federal Trade Commission]] (FTC).<ref>{{cite web |url= https://www.synopsys.com/software-integrity/resources/knowledge-database/owasp-top-10.html |title= Open Web Application Security Project Top 10 (OWASP Top 10) |year= 2017 |department= Knowledge Database |website= Synopsys |publisher= Synopsys, Inc |access-date= 2017-07-20 |quote= Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives.}}</ref><ref>{{Cite web |title=Authorization remains #1 issue{{dash}}OWASP 2023 Top 10 List |url=https://www.cerbos.dev/blog/authorization-remains-1-issue-owasp-2023-top-10-list |access-date=2024-09-02 |website=Cerbos |language=en-GB}}</ref>
* OWASP Software Assurance Maturity Model: The [https://owaspsamm.org Software Assurance Maturity Model (SAMM)] project's mission is to provide an effective and measurable way for all types of organizations to analyze and improve their software security posture. A core objective is to raise awareness and educate organizations on how to design, develop, and deploy secure software through a flexible self-assessment model. SAMM supports the complete software lifecycle and is technology and process agnostic. The SAMM model is designed to be evolutive and risk-driven in nature, acknowledging there is no single recipe that works for all organizations.<ref>{{Cite web |title=What is OWASP SAMM? |url=https://owaspsamm.org/about/ |access-date=2022-11-06 |website=OWASP SAMM}}</ref>
* OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
* OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. Version 4 was published in September 2014, with input from 60 individuals.<ref>{{cite news|url=https://www.theregister.co.uk/2014/09/18/guide_to_obliterating_web_apps_published/|title=Comprehensive guide to obliterating web apps published|last=Pauli|first=Darren|date=18 September 2014|work=The Register|access-date=28 November 2015}}</ref>
* OWASP Code Review Guide: The code review guide is currently at release version 2.0, released in July 2017.
* OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.<ref>{{cite book|last1=Baar|first1=Hans|last2=Smulters|first2=Andre|last3=Hintzbergen|first3=Juls|last4=Hintzbergen|first4=Kees|title=Foundations of Information Security Based on ISO27001 and ISO27002|url=https://books.google.com/books?id=l6ePCgAAQBAJ&pg=PA144|edition=3|year=2015|publisher=Van Haren|isbn=9789401800129|page=144}}</ref>
* OWASP XML Security Gateway (XSG) Evaluation Criteria Project.<ref>{{cite web|url=https://www.owasp.org/index.php/Category:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project_Latest|title=Category:OWASP XML Security Gateway Evaluation Criteria Project Latest|publisher=Owasp.org|access-date=November 3, 2014|archive-url=https://web.archive.org/web/20141103212323/https://www.owasp.org/index.php/Category:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project_Latest|archive-date=November 3, 2014|url-status=dead}}</ref>
* OWASP Top 10 Incident Response Guidance: This project provides a proactive approach to incident response planning. The intended audience ranges from business owners to security engineers, developers, auditors, program managers, law enforcement and legal counsel.<ref>{{Cite web |url=https://www.owasp.org/index.php/OWASP_Incident_Response_Project |title=OWASP Incident Response Project{{dash}}OWASP |access-date=December 12, 2015 |archive-url=https://web.archive.org/web/20190406184056/https://www.owasp.org/index.php/OWASP_Incident_Response_Project |archive-date=April 6, 2019 |url-status=dead}}</ref>
* [[OWASP ZAP|OWASP ZAP]] Project: The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience, including developers and functional testers who are new to penetration testing.
* WebGoat: a deliberately insecure web application created by OWASP as a guide for secure programming practices.<ref name="ICSH"/> Once downloaded, the application comes with a tutorial and a set of lessons that instruct students how to exploit vulnerabilities, with the intention of teaching them how to write code securely.
* OWASP AppSec Pipeline: The [[Application security|Application Security]] (AppSec) Rugged [[DevOps]] Pipeline Project is a place to find information needed to increase the speed and automation of an application security program. AppSec Pipelines take the principles of DevOps and Lean and apply them to an application security program.<ref>{{Cite web|url=https://owasp.org/www-project-appsec-pipeline|title=OWASP AppSec Pipeline|website=Open Web Application Security Project (OWASP)|access-date=26 February 2017|archive-date=January 18, 2020|archive-url=https://web.archive.org/web/20200118102518/https://owasp.org/www-project-appsec-pipeline|url-status=dead}}</ref>
* OWASP [[Automated Threat]]s to Web Applications: Published July 2015<ref>{{cite web |url= https://www.owasp.org/images/0/03/Automation-project-briefing.pdf |title= AUTOMATED THREATS to Web applications |date= July 2015 |publisher= OWASP}}</ref>{{dash}}the OWASP Automated Threats to Web Applications Project aims to provide definitive information and other resources for architects, developers, testers and others to help defend against automated threats such as [[credential stuffing]]. The project outlines the top 20 automated threats as defined by OWASP.<ref>{{Cite web |title=OWASP Automated Threats to Web Applications |url=https://owasp.org/www-project-automated-threats-to-web-applications/ |url-status=live |archive-url=https://web.archive.org/web/20240629004719/https://owasp.org/www-project-automated-threats-to-web-applications/ |archive-date=2024-06-29 |access-date=2024-07-07 |website=owasp.org |language=en}}</ref>
* OWASP API Security Project: focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). It includes the most recent list, the API Security Top 10 2023.<ref>{{Cite web|title=OWASP API Security Project{{dash}}OWASP Foundation|url=https://owasp.org/www-project-api-security/|website=OWASP}}</ref>

== Certifications ==

OWASP has several certification schemes to certify the knowledge of students in particular areas of security.

=== Security Fundamentals ===

A baseline set of security standards, applicable across technology stacks, that teaches learners about the OWASP Top Ten vulnerabilities.<ref>{{Cite web |title=qa.com {{!}} Certified OWASP Security Fundamentals (QAOWASPF) |url=https://www.qa.com/course-catalogue/courses/certified-owasp-security-fundamentals-qaowaspf/ |access-date=2024-10-25 |website=www.qa.com |language=en}}</ref>

* A01:2021 Broken [[Access control|Access Controls]]<ref>{{Cite web |title=A01 Broken Access Control{{dash}}OWASP Top 10:2021 |url=https://owasp.org/Top10/A01_2021-Broken_Access_Control/ |access-date=2024-10-25 |website=owasp.org}}</ref>
* A02:2021 [[Cryptography|Cryptographic]] Failures<ref>{{Cite web |title=A02 Cryptographic Failures{{dash}}OWASP Top 10:2021 |url=https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ |access-date=2024-10-25 |website=owasp.org}}</ref>
* [[Code injection|A03:2021 Injection]]<ref>{{Cite web |title=A03 Injection{{dash}}OWASP Top 10:2021 |url=https://owasp.org/Top10/A03_2021-Injection/ |access-date=2024-10-25 |website=owasp.org}}</ref>
* A04:2021 [[Secure by design|Insecure Design]]<ref>{{Cite web |title=A04 Insecure Design{{dash}}OWASP Top 10:2021 |url=https://owasp.org/Top10/A04_2021-Insecure_Design/ |access-date=2024-10-25 |website=owasp.org}}</ref>
* A05:2021 Security Misconfiguration{{dash}}improper configuration of security settings, permissions, and controls that can lead to vulnerabilities<ref>{{Cite web |title=A05 Security Misconfiguration{{dash}}OWASP Top 10:2021 |url=https://owasp.org/Top10/A05_2021-Security_Misconfiguration/ |access-date=2024-10-25 |website=owasp.org}}</ref>
* A06:2021 Vulnerable and Outdated [[Component-based software engineering|Components]]<ref>{{Cite web |title=A06 Vulnerable and Outdated Components{{dash}}OWASP Top 10:2021 |url=https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/ |access-date=2024-10-25 |website=owasp.org}}</ref>
* A07:2021 Identification and [[Authentication, authorization, and accounting|Authentication]] Failures<ref>{{Cite web |title=A07 Identification and Authentication Failures{{dash}}OWASP Top 10:2021 |url=https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/ |access-date=2024-10-25 |website=owasp.org}}</ref>
* A08:2021 Software and Data Integrity Failures<ref>{{Cite web |title=A08 Software and Data Integrity Failures{{dash}}OWASP Top 10:2021 |url=https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/ |access-date=2024-10-25 |website=owasp.org}}</ref>
* A09:2021 Security Logging and Monitoring Failures
* A10:2021 [[Server-side request forgery]] (SSRF){{dash}}caused by a web application fetching a remote resource without validating the user-supplied URL<ref>{{Cite web |title=A10 Server Side Request Forgery (SSRF){{dash}}OWASP Top 10:2021 |url=https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_(SSRF)/ |access-date=2024-10-25 |website=owasp.org}}</ref><ref>{{Cite web |title=Server Side Request Forgery Prevention{{dash}}OWASP Cheat Sheet Series |url=https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html |access-date=2024-12-13 |website=cheatsheetseries.owasp.org}}</ref>
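
The A10:2021 entry above names the mechanism: a server-side fetch of a user-supplied URL that is never validated. The following is an added example, not code from this page or from any OWASP project, showing that unvalidated fetch beside a validator that enforces a scheme, host and port allowlist and rejects names resolving to private, loopback or link-local addresses; the host names, addresses and the http_get and resolver callables are assumptions made for the illustration.

```python
"""Added example, not code from the OWASP page or any OWASP project.
Contrast for A10:2021: a server-side fetch that trusts the user-supplied URL
versus one that validates it first. Host names, IP addresses and the
http_get / resolver callables are constructed for illustration."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def fetch_unsafe(url, http_get):
    """The vulnerable pattern: fetch whatever URL the client supplied."""
    return http_get(url)


def default_resolver(host):
    """Resolve every A/AAAA record for host; all of them must be checked."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by the embedded IPv4 address
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url, allowed_hosts, resolver=default_resolver):
    """Return (ok, reason). ok is True only when every check passes.

    allowed_hosts must contain lower-case host names; urlsplit() lower-cases
    the parsed host, so the comparison is case-insensitive in practice.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname  # userinfo ("user@") and the port are stripped here
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not a literal address, so continue with the name-based checks
    else:
        return False, "literal IP addresses are not allowed"
    if host not in allowed_hosts:
        return False, "host not in allowlist: %r" % host
    try:
        port = parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, "name resolution failed: %s" % exc
    for address in addresses:
        if not is_public_address(address):
            return False, "%s resolves to non-public address %s" % (host, address)
    return True, "ok"


def fetch_safe(url, allowed_hosts, http_get, resolver=default_resolver):
    """Validate, then fetch. Returns (ok, reason, body_or_None).

    Two caveats a production client must also cover: redirects are not to be
    followed blindly (each hop needs the same validation), and the connection
    should be made to the address that was just validated rather than resolving
    the name a second time, which would leave a DNS-rebinding window.
    """
    ok, reason = validate_fetch_url(url, allowed_hosts, resolver)
    if not ok:
        return False, reason, None
    return True, reason, http_get(url)


if __name__ == "__main__":
    # Constructed sample environment: a fake resolver table and a fake HTTP client.
    table = {"api.example.com": {"93.184.216.34"}, "intranet.example.com": {"10.0.0.5"}}
    allow = {"api.example.com", "intranet.example.com"}
    for candidate in ("https://api.example.com/v1/report",
                      "file:///etc/hosts",
                      "http://127.0.0.1:80/admin",
                      "http://api.example.com@10.0.0.5/",
                      "https://intranet.example.com/"):
        print(candidate, validate_fetch_url(candidate, allow, table.__getitem__))
```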

==Awards==

The OWASP organization received the 2014 [[Haymarket Media Group]] ''[[SC Magazine]]'' Editor's Choice award.<ref name="SCmag14">{{cite web|url=http://media.scmagazine.com/documents/64/botn2014sm_15794.pdf|title=SC Magazine Awards 2014|publisher=Media.scmagazine.com|access-date=3 November 2014|archive-url=https://web.archive.org/web/20140922094528/http://media.scmagazine.com/documents/64/botn2014sm_15794.pdf|archive-date=September 22, 2014|url-status=dead}}</ref><ref>{{cite web |url=http://awards.scmagazine.com/Winners2014 |title=Winners {{!}} SC Magazine Awards |publisher=Awards.scmagazine.com |access-date=2014-07-17 |url-status=dead |archive-url=https://web.archive.org/web/20140820004509/http://awards.scmagazine.com/Winners2014 |archive-date=August 20, 2014 |quote=Editor's Choice [...] Winner: OWASP Foundation}}</ref>

==See also==

* [[Open Source Security Foundation]]
* [[Computer security]]
* [[WASC]]

==References==

{{Reflist}}

==External links==

* {{Official website|https://owasp.org}}
* [http://www.webappsec.org/ The Web Application Security Consortium (WASC)]

{{Authority control}}

− * [http://www.microsoft.com/mspress/books/5957.asp Writing Secure Code (MS Press) ISBN 0-7356-1722-8]
− * [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp Threats and Countermeasures (MSDN)]
− * [http://www.jerichoforum.org/ Jericho Forum]

[[Category:Computer security organizations]]
[[Category:Computer standards]]
[[Category:501(c)(3) organizations]]
[[Category:Non-profit organisations based in Belgium]]
[[Category:Organizations established in 2001]]
[[Category:2001 establishments in Belgium]]

Latest revision as of 04:58, 30 December 2024

Infobox as rendered in the latest revision:

| Field | Value |
|---|---|
| Type | 501(c)(3) nonprofit organization |
| Focus | Web security, application security, vulnerability assessment |
| Coordinates | 39°44′47″N 75°33′03″W / 39.746343°N 75.5508357°W |
| Method | Industry standards, conferences, workshops |
| Revenue | $2.3 million |
| Total assets | 1,669,244 United States dollars (2021) |
| Website | owasp.org |
The Open Web Application Security Project [7] (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system software and web application security.[8][9][10] The OWASP provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.
History
[edit]Mark Curphey started OWASP on September 9, 2001.[2] Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. As of 2015[update], Matt Konda chaired the Board.[11]
The OWASP Foundation, a 501(c)(3) non-profit organization in the US established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP is also registered as a non-profit organization in Belgium under the name of OWASP Europe VZW.[12]
In February 2023, it was reported by Bil Corry, a OWASP Foundation Global Board of Directors officer,[13] on Twitter[7] that the board had voted for renaming from the Open Web Application Security Project to its current name, replacing Web with Worldwide.
Publications and resources
[edit]- OWASP Top Ten: The "Top Ten", first published in 2003, is regularly updated.[14] It aims to raise awareness about application security by identifying some of the most critical risks facing organizations.[15][16][17] Many standards, books, tools, and many organizations reference the Top 10 project, including MITRE, PCI DSS,[18] the Defense Information Systems Agency (DISA-STIG), and the United States Federal Trade Commission (FTC),[19][20]
- OWASP Software Assurance Maturity Model: The Software Assurance Maturity Model (SAMM) project's mission is to provide an effective and measurable way for all types of organizations to analyze and improve their software security posture. A core objective is to raise awareness and educate organizations on how to design, develop, and deploy secure software through a flexible self-assessment model. SAMM supports the complete software lifecycle and is technology and process agnostic. The SAMM model is designed to be evolutive and risk-driven in nature, acknowledging there is no single recipe that works for all organizations.[21]
- OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
- OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. Version 4 was published in September 2014, with input from 60 individuals.[22]
- OWASP Code Review Guide: The code review guide is currently at release version 2.0, released in July 2017.
- OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.[23]
- OWASP XML Security Gateway (XSG) Evaluation Criteria Project.[24]
- OWASP Top 10 Incident Response Guidance. This project provides a proactive approach to Incident Response planning. The intended audience of this document includes business owners to security engineers, developers, audit, program managers, law enforcement & legal council.[25]
- OWASP ZAP Project: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience including developers and functional testers who are new to penetration testing.
- Webgoat: a deliberately insecure web application created by OWASP as a guide for secure programming practices.[2] Once downloaded, the application comes with a tutorial and a set of different lessons that instruct students how to exploit vulnerabilities with the intention of teaching them how to write code securely.
- OWASP AppSec Pipeline: The Application Security (AppSec) Rugged DevOps Pipeline Project is a place to find information needed to increase the speed and automation of an application security program. AppSec Pipelines take the principles of DevOps and Lean and applies that to an application security program.[26]
- OWASP Automated Threats to Web Applications: Published July 2015[27] – the OWASP Automated Threats to Web Applications Project aims to provide definitive information and other resources for architects, developers, testers and others to help defend against automated threats such as credential stuffing. The project outlines the top 20 automated threats as defined by OWASP.[28]
- OWASP API Security Project: focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). Includes the most recent list API Security Top 10 2023.[29]
Certifications
[edit]They have several certification schemes to certify the knowledge of students in particular areas of security.
Security Fundamentals
[edit]Baseline set of security standards applicable across technology stacks teaching learners about the OWASP top ten vulnerabilities.[30]
- A01:2021 Broken Access Controls[31]
- A02:2021 Cryptographic Failures[32]
- A03:2021 Injection[33]
- A04:2021 Insecure Design[34]
- A05:2021 Security Misconfiguration – improper configuration of security settings, permissions, and controls that can lead to vulnerabilities[35]
- A06:2021 Vulnerable and Outdated Components[36]
- A07:2021 Identification and Authentication Failures[37]
- A08:2021 Software and Data Integrity Failures[38]
- A09:2021 Security Logging and Monitoring Failures
- A10:2021 Server-side request forgery (SSRF) – caused by a web application fetching a remote resource without validating the user-supplied URL[39][40]
Awards
[edit]The OWASP organization received the 2014 Haymarket Media Group SC Magazine Editor's Choice award.[9][41]
See also
[edit]References
[edit]- ^ "OWASP FOUNDATION INC". Nonprofit Explorer. ProPublica. May 9, 2013. Retrieved January 8, 2020.
- ^ a b c d Huseby, Sverre (2004). Innocent Code: A Security Wake-Up Call for Web Programmers. Wiley. p. 203. ISBN 0470857447.
- ^ "OWASP Foundation Staff". OWASP. February 12, 2023. Retrieved May 3, 2022.
- ^ "OWASP Foundation Global Board". OWASP. February 14, 2023. Retrieved March 20, 2023.
- ^ "OWASP Foundation's Form 990 for fiscal year ending Dec. 2017". October 26, 2018. Retrieved January 8, 2020 – via ProPublica Nonprofit Explorer.
- ^ "OWASP Foundation's Form 990 for fiscal year ending Dec. 2020". October 29, 2021. Retrieved January 18, 2023 – via ProPublica Nonprofit Explorer.
- ^ a b Corry, Bil [@bilcorry] (February 25, 2023). "A change you might notice about @owasp , the Board voted to change the "W" from "Web" to "Worldwide", making it the "Open Worldwide Application Security Project"" (Tweet). Retrieved July 7, 2024 – via Twitter.
- ^ "OWASP top 10 vulnerabilities". developerWorks. IBM. April 20, 2015. Retrieved November 28, 2015.
- ^ a b "SC Magazine Awards 2014" (PDF). Media.scmagazine.com. Archived from the original (PDF) on September 22, 2014. Retrieved November 3, 2014.
- ^ "OWASP Internet of Things". Retrieved December 26, 2023.
- ^ "Board". OWASP. Archived from the original on September 16, 2017. Retrieved February 27, 2015.
- ^ "OWASP Europe". OWASP. Archived from the original on April 17, 2016. Retrieved July 7, 2024.
- ^ "Global Board". owasp.org. Archived from the original on April 29, 2024. Retrieved July 7, 2024.
- ^ "OWASP Top Ten". owasp.org. Archived from the original on July 6, 2024. Retrieved July 7, 2024.
- ^ Trevathan, Matt (October 1, 2015). "Seven Best Practices for Internet of Things". Database and Network Journal. Archived from the original on November 28, 2015.
- ^ Crosman, Penny (July 24, 2015). "Leaky Bank Websites Let Clickjacking, Other Threats Seep In". American Banker. Archived from the original on November 28, 2015.
- ^ Pauli, Darren (December 4, 2015). "Infosec bods rate app languages; find Java 'king', put PHP in bin". The Register. Retrieved December 4, 2015.
- ^ "Payment Card Industry (PCI) Data Security Standard" (PDF). PCI Security Standards Council. November 2013. p. 55. Retrieved December 3, 2015.
- ^ "Open Web Application Security Project Top 10 (OWASP Top 10)". Knowledge Database. Synopsys, Inc. 2017. Retrieved July 20, 2017. Quote: "Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives."
- ^ "Authorization remains #1 issue – OWASP 2023 Top 10 List". Cerbos. Retrieved September 2, 2024.
- ^ "What is OWASP SAMM?". OWASP SAMM. Retrieved November 6, 2022.
- ^ Pauli, Darren (September 18, 2014). "Comprehensive guide to obliterating web apps published". The Register. Retrieved November 28, 2015.
- ^ Baar, Hans; Smulters, Andre; Hintzbergen, Juls; Hintzbergen, Kees (2015). Foundations of Information Security Based on ISO27001 and ISO27002 (3 ed.). Van Haren. p. 144. ISBN 9789401800129.
- ^ "Category:OWASP XML Security Gateway Evaluation Criteria Project Latest". Owasp.org. Archived from the original on November 3, 2014. Retrieved November 3, 2014.
- ^ "OWASP Incident Response Project – OWASP". Archived from the original on April 6, 2019. Retrieved December 12, 2015.
- ^ "OWASP AppSec Pipeline". Open Web Application Security Project (OWASP). Archived from the original on January 18, 2020. Retrieved February 26, 2017.
- ^ "AUTOMATED THREATS to Web applications" (PDF). OWASP. July 2015.
- ^ "OWASP Automated Threats to Web Applications". owasp.org. Archived from the original on June 29, 2024. Retrieved July 7, 2024.
- ^ "OWASP API Security Project – OWASP Foundation". OWASP.
- ^ "qa.com | Certified OWASP Security Fundamentals (QAOWASPF)". www.qa.com. Retrieved October 25, 2024.
- ^ "A01 Broken Access Control – OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
- ^ "A02 Cryptographic Failures – OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
- ^ "A03 Injection – OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
- ^ "A04 Insecure Design – OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
- ^ "A05 Security Misconfiguration – OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
- ^ "A06 Vulnerable and Outdated Components – OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
- ^ "A07 Identification and Authentication Failures – OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
- ^ "A08 Software and Data Integrity Failures – OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
- ^ "A10 Server Side Request Forgery (SSRF) – OWASP Top 10:2021". owasp.org. Retrieved October 25, 2024.
- ^ "Server Side Request Forgery Prevention – OWASP Cheat Sheet Series". cheatsheetseries.owasp.org. Retrieved December 13, 2024.
- ^ "Winners | SC Magazine Awards". Awards.scmagazine.com. Archived from the original on August 20, 2014. Retrieved July 17, 2014. Quote: "Editor's Choice [...] Winner: OWASP Foundation".