What is OWASP?
Keeping up with the latest security news and best practices can be a daunting task. Luckily, there are many resources for CTOs and security professionals who want to stay up-to-date.
One of these valuable sources of information, best practices, and open source tools is OWASP. Standing for the Open Web Application Security Project, it states its mission as being “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” Through various tools, documents, and other materials, all free and open to anyone, the community strives to make application security an accessible topic for those who want to make informed decisions to improve it.
What is OWASP’s main value?
Since it advocates approaching application security as a people, process, and technology problem, many of OWASP's publications translate this into methodologies and actionable guidelines spanning the whole spectrum.
OWASP relies in turn on CWE, the Common Weakness Enumeration, which aims to provide a formal list of software weakness types.
What are the main resources on OWASP and where is a good place to start?
During any security project definition, you will want to begin by identifying and prioritizing your risks. But vulnerabilities follow trends: depending on the technology and application architecture landscape, new flaws are discovered and attacks refined. For this purpose, OWASP maintains a Top 10 list, which focuses on the most serious web application security risks and provides general information to help you become more knowledgeable about each item, as well as links to many reference documents to dig deeper. The Top Ten project became OWASP's flagship application security standard and is a great start for anyone wanting to set foot in the field.
As far as testing is concerned, OWASP recommends using the Application Security Verification Standard (ASVS), which is intended for organizations looking to develop and maintain secure applications, and for vendors and certifying organizations alike. The standard defines three levels of security verification, set as follows:
- ASVS Level 1 is for low assurance levels, and is completely penetration testable
- ASVS Level 2 is for applications that contain sensitive data which requires protection, and is the recommended level for most apps
- ASVS Level 3 is for the most critical applications: applications that perform high value transactions, contain sensitive medical data, or any application that requires the highest level of trust
ASVS can be used as a blueprint to define a specific checklist tailored to your application and environment. OWASP strongly recommends looking at the risk and business requirements of your organization to determine the appropriate level for you, as well as using a mix of automated tools and in-depth human analysis.
For a more practical approach to testing, you can refer to the Testing Guide, which is another quality resource. Not only does it describe all the phases of the testing framework, but it also explains the testing techniques and points out their advantages and disadvantages. Furthermore, the document walks the reader through the methodology by providing how-tos and illustrations for categories such as authorization testing, weak cryptography testing, session management testing, and more.
OWASP also produces cheat sheets on multiple security topics, giving practical steps for each subject and detailing mainly how to avoid the vulnerabilities, how to review the code, and how to test. Some cheat sheets cover a broad subject (such as the Logging cheat sheet), while others are more specific and delve into the particularities of a certain technology (such as the Injection Prevention in Java cheat sheet). For best practices around certain languages or security topics, Sqreen has also put together a range of options.
Some of OWASP's most popular projects are the OWASP Top 10, OWASP ZAP, the Global AppSec conferences, and the deliberately vulnerable WebGoat apps.
Depending on your profile, you can have a look at the adapted methodology and appropriate resources recommended by OWASP:
- What’s Next for Developers
- What’s Next for Security Testers
- What’s Next for Organizations
- What’s Next for Application Managers
On top of these published resources, and in order to bring application security professionals together to discuss the state of the art of the domain, the OWASP community organizes conferences and presentations. Moreover, OWASP has a YouTube channel that broadcasts the conference recordings if you are not able to attend.
How can I get involved?
If you do not want to stay only on the receiving end and are interested in getting involved in the open source community, you can join your local OWASP chapter, participate in a project or, if you feel confident, start one of your own on the platform.
Whether you are new to application security or are a seasoned professional, OWASP should be one of your primary sources of information. We strongly recommend that you take the time to learn how to navigate the website, as it will prove to be useful throughout your security projects and initiatives.