OWASP sheds light on its security standards
May 13, 2009 —
(Page 1 of 2)
The mission of the Open Web Application Security Project (OWASP) is to make security more “visible,” but over the last few months, the organization itself is raising its profile.
OWASP this year has spawned different committees that work on conferences, project and tool development, and industry outreach. The not-for-profit organization now has approximately 150 chapters around the world, producing software, documentation and videos, and several conferences to educate professionals on how to be more secure.
“Currently, when you buy a piece of software or use a website that’s driven by software that’s out in the cloud, you have no way of knowing if that software is secure,” said Jeff Williams, board member and chair of OWASP. “When you buy a car, you or your mechanic can open up the hood, look at it and figure out if it’s a decent car. But with software, it’s really almost impossible; they say software is a black box, and unless you have incredible software skills, it’s very difficult to open up that black box and figure out if that’s a piece of software that you want to trust your business to.”
There are several documentation projects taking place in OWASP, including the Application Security Verification Standard, the organization’s first attempt to create a specification, Williams said. The Application Security Verification Standard identifies four levels of application security verification: manual review, manual design review, manual test and review, and the use of defect trackers. The standard was first published in December 2008, with ongoing improvements discussed through workshops, mailing lists and input from outside developers.
“We saw a lot of people doing all kinds of testing of applications—[penetration] tests, automated scans, static analysis, code reviews—all sorts of different attempts to verify the security of an application,” Williams said. “So we thought there should be a standard around that. Frankly, there’s a lot of folks out there doing good application security work, and folks that aren’t doing such good work, and we want to have a way to tell the difference.”
Related Search Term(s): OWASP, security
Share this link: http://sdt.bz/33469
Most Read Latest News Blog Resources
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
From the Editors: Node.js is unruly, but that’s where the fun is
The time to get involved with Node.js is now; Hadoop is about to break its own barriers
|
|
Zeichick’s Take: Looking for the best of the best of the best
It's time once again for readers to send in nominees for the SD Times 100
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles
|
|
Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions
|
Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
|
|
RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
|
|
GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
|
|
Facebook claims hacker cred
Facebook's SEC S-1 filing form includes a short essay on the Hacker Way by Mark Zuckerberg himself.
|
The Hidden Costs of Software Licensing
Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...
|
|
Case Study: You May Need a Development Mechanic
As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...
|
|
Ensuring Software Quality at a Major International Bank
One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...
|
|
Load Testing Adobe Flex Applications
Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...
|