LOGIN | REGISTER NOW | SUBSCRIBE
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 
Download Current Issue
ISSUE 2/1/2010 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?


 
blogs tab
Visual Studio 2010 Release Candidate Available Today
A Visual Studio 2010 release candidate is available on MSDN.
02/09/2010 09:45 AM EST

Is Microsoft eyeing Office subscription pricing?
Microsoft may be preparing to offer a new Office pricing option called "union," which charges the same for cloud as on-premises.
02/01/2010 09:38 AM EST

Facebook rewrites PHP runtime
Facebook is about to open source its own PHP runtime, written from scratch for speed.
01/30/2010 08:53 PM EST

 

Events calendar tab
Macworld 2010
2/9/2010 to 2/13/2010
San Francisco
IDG World Expo

SPTechCon 2010
2/10/2010 to 2/12/2010
San Francisco
BZ Media

PyCon 2010 (Python Conf.)
2/17/2010 to 2/25/2010
Atlanta
Python Software Foundation

Southern Calif. Linux Expo
2/19/2010 to 2/20/2010
Los Angeles
SCALE

IBM Pulse
2/21/2010 to 2/24/2010
Las Vegas
IBM


 
print Printable version 
Most Read Latest News Blog Resources
Facebook brings HipHop to PHP
HipHop compiles PHP to speed up the Web layer at world's most popular social networking si...

Adobe moves LiveCycle application platform to the cloud
Release gives developers just what they need to create targeted business process-oriented ...

Oracle acquires AmberPoint
Today's merger will probably affect most of AmberPoint's existing partnerships with other ...

Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter

OWASP sheds light on its security standards


By Jeff Feinman
May 13, 2009 — 
The mission of the Open Web Application Security Project (OWASP) is to make security more “visible,” but over the last few months, the organization itself is raising its profile.

OWASP this year has spawned different committees that work on conferences, project and tool development, and industry outreach. The not-for-profit organization now has approximately 150 chapters around the world, producing software, documentation and videos, and several conferences to educate professionals on how to be more secure.  

“Currently, when you buy a piece of software or use a website that’s driven by software that’s out in the cloud, you have no way of knowing if that software is secure,” said Jeff Williams, board member and chair of OWASP. “When you buy a car, you or your mechanic can open up the hood, look at it and figure out if it’s a decent car. But with software, it’s really almost impossible; they say software is a black box, and unless you have incredible software skills, it’s very difficult to open up that black box and figure out if that’s a piece of software that you want to trust your business to.”

There are several documentation projects taking place in OWASP, including the Application Security Verification Standard, the organization’s first attempt to create a specification, Williams said. The Application Security Verification Standard identifies four levels of application security verification: manual review, manual design review, manual test and review, and the use of defect trackers. The standard was first published in December 2008, with ongoing improvements discussed through workshops, mailing lists and input from outside developers.

“We saw a lot of people doing all kinds of testing of applications—[penetration] tests, automated scans, static analysis, code reviews—all sorts of different attempts to verify the security of an application,” Williams said. “So we thought there should be a standard around that. Frankly, there’s a lot of folks out there doing good application security work, and folks that aren’t doing such good work, and we want to have a way to tell the difference.”

OWASP is also creating the Application Security Desk Reference, a reference book with approximately 1,000 pages on common threats, vulnerabilities and risk factors.

Another notable project in OWASP is the Enterprise Security API (ESAPI), which focuses on giving developers the proper steps and metrics they’d need to build secure applications. Some of those steps include encrypting data, authenticating users and rotating session identifications. Instead of developers having to do these functions themselves, the ESAPI project hopes to provide all developers in all programming environments a simple set of security methods.

Williams estimated that OWASP has about 100 projects currently taking place to create software to help developers be more secure. Some of those are essentially a “testing ground” for software that has the potential to be commercialized.

“Some of the projects are pushing the envelope on new things that we’re experimenting with,” Williams said. “We try to experiment with things that might be effective; someone has to.”


Related Search Term(s): OWASPsecurity


Share this link: http://www.sdtimes.com/link/33469
 

Add comment


Name*
Email*  
Country     


  • Comment
  • Preview
Loading