Every vibrant technology marketplace needs an unbiased source of information on best practices as well as an active body advocating open standards. In the Application Security space, one of those groups is the Open Web Application Security Project (or OWASP for short). OWASP operates as a non-profit and is not affiliated with any technology company, which means it is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security. All of its articles, methodologies and technologies are made available free of charge to the public. OWASP maintains roughly 100 local chapters and counts thousands of members. OWASP was started in 2001 and has operated since 2004 as the 501(c)(3) charitable OWASP Foundation which supports its infrastructure and projects. Its leadership is completely volunteer and makes decisions about technical direction, project priorities, schedule, and releases. OWASP has only three employees to keep its operating costs low. OWASP collects corporate and individual membership dues and conference fees to award grants each year to promising AppSec research projects. OWASP projects fall into two basic categories: development projects and documentation projects. Some of the foundation's more influential work includes:

  • The book-length OWASP Guide, The OWASP Code Review Project and the widely adopted OWASP Top 10 which tracks the top software security vulnerabilities
  • To advance routine testing of web applications, OWASP developed WebScarab, an open source enterprise-level security scanning tool
  • Secure development training is a large part of OWASP’s mission – so it created and maintains an deliberately insecure application called WebGoat solely as a teaching tool
  • OWASP became an emerging standards body with the publication of its first open standard in 2008, the OWASP Application Security Verification Standard (ASVS). The ASVS Project aims to create a set of commercial standards for performing rigorous application-level security verification on a number of web-based technologies.
  • Other OWASP projects are involved with advancing specific programming languages, functions and applications

OWASP hosts a number of global, regional and local events under the AppSec Conference banner. This important organization would tell any information security professional that the best way to understand the community’s mision is to become involved.

Learn more: OWASP AppSec Tutorial Series channel on YouTube OWASP Security Podcast with Veracode’s Chris Wysopal on iTunes Find an OWASP chapter near you

About Neil DuPaul

Neil manages the blog pipeline at Veracode, often by fending off eager contributors with a stick. He manages much of the Veracode web presence while also motivating the more introspective Veracoders to be social. Lover of sports and outdoors, and a SERP enthusiast, hit him up on Twitter here.

Comments (3)

Tom Brennan | April 25, 2012 12:25 pm

Nice article couple of revised facts.

OWASP is focused on Software Security not just "Web Applications"

1. Kate, Sarah, Alison and Kelly (4) paid resources see: https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Paid_Employees_of_the_OWASP_Foundation

2. Over 160 chapters now worldwide - find the local one see: https://www.owasp.org/index.php/Category:OWASP_Chapter

3. Approx 30,000 people involved worldwide however individual members are less see for breakdown and if your listed:

4. For Proxy see OWASP ZAP https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

5 One of the helpful series of projects is the *new* cheat sheet series see: https://www.owasp.org/index.php/Cheat_Sheets

Great article

fglynn | April 25, 2012 12:49 pm

Thank you for the great additions to our blog post.

Russ McRee | April 25, 2012 11:23 pm

OWASP Top 10 Tools and Tactics
A tool for each of the OWASP Top 10 to aid in discovering and remediating each of the Top Ten.

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.