OWASP sheds light on its security standards
May 13, 2009 —
(Page 1 of 2)
The mission of the Open Web Application Security Project (OWASP) is to make security more “visible,” but over the last few months, the organization itself is raising its profile.
OWASP this year has spawned different committees that work on conferences, project and tool development, and industry outreach. The not-for-profit organization now has approximately 150 chapters around the world, producing software, documentation and videos, and several conferences to educate professionals on how to be more secure.
“Currently, when you buy a piece of software or use a website that’s driven by software that’s out in the cloud, you have no way of knowing if that software is secure,” said Jeff Williams, board member and chair of OWASP. “When you buy a car, you or your mechanic can open up the hood, look at it and figure out if it’s a decent car. But with software, it’s really almost impossible; they say software is a black box, and unless you have incredible software skills, it’s very difficult to open up that black box and figure out if that’s a piece of software that you want to trust your business to.”
There are several documentation projects taking place in OWASP, including the Application Security Verification Standard, the organization’s first attempt to create a specification, Williams said. The Application Security Verification Standard identifies four levels of application security verification: manual review, manual design review, manual test and review, and the use of defect trackers. The standard was first published in December 2008, with ongoing improvements discussed through workshops, mailing lists and input from outside developers.
“We saw a lot of people doing all kinds of testing of applications—[penetration] tests, automated scans, static analysis, code reviews—all sorts of different attempts to verify the security of an application,” Williams said. “So we thought there should be a standard around that. Frankly, there’s a lot of folks out there doing good application security work, and folks that aren’t doing such good work, and we want to have a way to tell the difference.”
Related Search Term(s): OWASP, security
Share this link: http://sdt.bz/33469
Most Read
Latest News
Resources
SAP unveils SAP HANA platform innovations for Big Data and spatial processing
Features include smart data access and expanded cloud deployment options
|
|
|
Alteryx raises $12 million to put Big Data analytics in the hands of all business analysts
Quest founder's firm, Toba Capital, selects Alteryx as its first analytics investment
|
|
|
Google I/O kicks off
Developers get new APIs and tools, and the Go language hits version 1.1
|
|
|
Jelastic launches new version of its Java and PHP hosting platform
Jelastic today announced the launch of a new version of its ultra-scalable cloud hosting platform
|
CollabNet fuses CloudForge, TeamForge
New pricing structure and integration gives developers an enterprise-grade choice for dist...
|
|
|
Eclipse release train for Kepler arrives June 26
New version of Eclipse includes Stardust for business process management, and Orion 3.0 fo...
|
|
|
Google I/O kicks off
Developers get new APIs and tools, and the Go language hits version 1.1
|
|
|
Enterprises going mobile get first ALM platform
Solstice Mobile releases AppLauncher for native app development and deployment on multiple...
|
IDC MarketScape: Worldwide Cloud Testing and ASQ SaaS
Demand for solutions to test applications on the cloud and for the cloud is rising signifi...
|
|
|
Get to Know the Database Decision Factors
What should you look for when choosing a relational database system? This informative arti...
|
|
|
Exploring the Database Forest
Today’s database technology landscape is more dynamic and varied than ever before. What’s...
|
|
|
Data Management Resource Guide
Today’s data is generated by more than just applications. Data is generated by trillions o...
|