Every vibrant technology marketplace needs an unbiased source of information on best practices as well as an active body advocating open standards. In the Application Security space, one of those groups is the Open Web Application Security Project (or OWASP for short). OWASP operates as a non-profit and is not affiliated with any technology company, which means it is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security. All of its articles, methodologies and technologies are made available free of charge to the public. OWASP maintains roughly 100 local chapters and counts thousands of members. OWASP was started in 2001 and has operated since 2004 as the 501(c)(3) charitable OWASP Foundation which supports its infrastructure and projects. Its leadership is completely volunteer and makes decisions about technical direction, project priorities, schedule, and releases. OWASP has only three employees to keep its operating costs low. OWASP collects corporate and individual membership dues and conference fees to award grants each year to promising AppSec research projects. OWASP projects fall into two basic categories: development projects and documentation projects. Some of the foundation's more influential work includes:
- The book-length OWASP Guide, The OWASP Code Review Project and the widely adopted OWASP Top 10 which tracks the top software security vulnerabilities
- To advance routine testing of web applications, OWASP developed WebScarab, an open source enterprise-level security scanning tool
- Secure development training is a large part of OWASP’s mission – so it created and maintains an deliberately insecure application called WebGoat solely as a teaching tool
- OWASP became an emerging standards body with the publication of its first open standard in 2008, the OWASP Application Security Verification Standard (ASVS). The ASVS Project aims to create a set of commercial standards for performing rigorous application-level security verification on a number of web-based technologies.
- Other OWASP projects are involved with advancing specific programming languages, functions and applications
OWASP hosts a number of global, regional and local events under the AppSec Conference banner. This important organization would tell any information security professional that the best way to understand the community’s mision is to become involved.