OWASP sheds light on its security standards
May 13, 2009 —
(Page 1 of 2)
Related Search Term(s): OWASP, security
The mission of the Open Web Application Security Project (OWASP) is to make security more “visible,” but over the last few months, the organization itself is raising its profile.
OWASP this year has spawned different committees that work on conferences, project and tool development, and industry outreach. The not-for-profit organization now has approximately 150 chapters around the world, producing software, documentation and videos, and several conferences to educate professionals on how to be more secure.
“Currently, when you buy a piece of software or use a website that’s driven by software that’s out in the cloud, you have no way of knowing if that software is secure,” said Jeff Williams, board member and chair of OWASP. “When you buy a car, you or your mechanic can open up the hood, look at it and figure out if it’s a decent car. But with software, it’s really almost impossible; they say software is a black box, and unless you have incredible software skills, it’s very difficult to open up that black box and figure out if that’s a piece of software that you want to trust your business to.”
There are several documentation projects taking place in OWASP, including the Application Security Verification Standard, the organization’s first attempt to create a specification, Williams said. The Application Security Verification Standard identifies four levels of application security verification: manual review, manual design review, manual test and review, and the use of defect trackers. The standard was first published in December 2008, with ongoing improvements discussed through workshops, mailing lists and input from outside developers.
“We saw a lot of people doing all kinds of testing of applications—[penetration] tests, automated scans, static analysis, code reviews—all sorts of different attempts to verify the security of an application,” Williams said. “So we thought there should be a standard around that. Frankly, there’s a lot of folks out there doing good application security work, and folks that aren’t doing such good work, and we want to have a way to tell the difference.”