OWASP

















































OWASP
OWASP Logo.png
Founded 2001[1]
Founder Mark Curphey[1]
Type
501(c)(3) Nonprofit organization
Focus Web Security, Application Security, Vulnerability Assessment
Method Industry standards, Conferences, Workshops
Board of directors
 Martin Knobloch, Chair; Chenxi Wang, Co-Chair; Andrew van der Stock, Treasurer; Owen Pendlebury, Secretary; Matt Konda; Greg Anderson; Sherif Mansour
Key people
 Karen Staley, Executive Director; Kelly Santalucia, Membership and Business Liaison; Laura Grau, Event Manager; Tiffany Long, Community Manager; Claudia Cassanovas, Project Coordinator; Dawn Aitken, Program Assistant
Employees
8
Volunteers
42,000+
Website www.owasp.org



The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.[2][3]




Contents






  • 1 History


  • 2 Publications and resources


  • 3 Awards


  • 4 See also


  • 5 References


  • 6 External links





History


Mark Curphey started OWASP on September 9, 2001.[1] Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. As of 2015[update], Matt Konda chaired the Board.[4]


The OWASP Foundation, a 501(c)(3) non-profit organization (in the USA) established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP is also registered as a non-profit organization in Belgium under the name of OWASP Europe VZW.[5]



Publications and resources



  • OWASP Top Ten: The "Top Ten", first published in 2003, is regularly updated.[6] It aims to raise awareness about application security by identifying some of the most critical risks facing organizations.[7][8][9] Many standards, books, tools, and organizations reference the Top 10 project, including MITRE, PCI DSS,[10] the Defense Information Systems Agency (DISA-STIG), the United States Federal Trade Commission (FTC),[11] and many[quantify] more.

  • OWASP Software Assurance Maturity Model: The Software Assurance Maturity Model (SAMM) project is committed to building a usable framework to help organizations formulate and implement a strategy for application security that is tailored to the specific business risks facing the organization.

  • OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.

  • OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. Version 4 was published in September 2014, with input from 60 individuals.[12]

  • OWASP Code Review Guide: The code review guide is currently at release version 2.0, released in July 2017.

  • OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.[13]

  • OWASP XML Security Gateway (XSG) Evaluation Criteria Project.[14]

  • OWASP Top 10 Incident Response Guidance. This project provides a proactive approach to Incident Response planning. The intended audience of this document includes business owners to security engineers, developers, audit, program managers, law enforcement & legal council.[15]


  • OWASP ZAP Project: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience including developers and functional testers who are new to penetration testing.

  • Webgoat: a deliberately insecure web application created by OWASP as a guide for secure programming practices.[1] Once downloaded, the application comes with a tutorial and a set of different lessons that instruct students how to exploit vulnerabilities with the intention of teaching them how to write code securely.

  • OWASP AppSec Pipeline: The Application Security (AppSec) Rugged DevOps Pipeline Project is a place to find information needed to increase the speed and automation of an application security program. AppSec Pipelines take the principles of DevOps and Lean and applies that to an application security program.[16]

  • OWASP Automated Threats to Web Applications: Published July 2015[17] - the OWASP Automated Threats to Web Applications Project aims to provide definitive information and other resources for architects, developers, testers and others to help defend against automated threats such as credential stuffing. The project outlines the top 20 automated threats as defined by OWASP.[18]



Awards


The OWASP organization received the 2014 SC Magazine Editor's Choice award.[3][19]



See also



  • Metasploit Project

  • w3af



References





  1. ^ abcd Huseby, Sverre (2004). Innocent Code: A Security Wake-Up Call for Web Programmers. Wiley. p. 203. ISBN 0470857447..mw-parser-output cite.citation{font-style:inherit}.mw-parser-output q{quotes:"""""""'""'"}.mw-parser-output code.cs1-code{color:inherit;background:inherit;border:inherit;padding:inherit}.mw-parser-output .cs1-lock-free a{background:url("//upload.wikimedia.org/wikipedia/commons/thumb/6/65/Lock-green.svg/9px-Lock-green.svg.png")no-repeat;background-position:right .1em center}.mw-parser-output .cs1-lock-limited a,.mw-parser-output .cs1-lock-registration a{background:url("//upload.wikimedia.org/wikipedia/commons/thumb/d/d6/Lock-gray-alt-2.svg/9px-Lock-gray-alt-2.svg.png")no-repeat;background-position:right .1em center}.mw-parser-output .cs1-lock-subscription a{background:url("//upload.wikimedia.org/wikipedia/commons/thumb/a/aa/Lock-red-alt-2.svg/9px-Lock-red-alt-2.svg.png")no-repeat;background-position:right .1em center}.mw-parser-output .cs1-subscription,.mw-parser-output .cs1-registration{color:#555}.mw-parser-output .cs1-subscription span,.mw-parser-output .cs1-registration span{border-bottom:1px dotted;cursor:help}.mw-parser-output .cs1-hidden-error{display:none;font-size:100%}.mw-parser-output .cs1-visible-error{font-size:100%}.mw-parser-output .cs1-subscription,.mw-parser-output .cs1-registration,.mw-parser-output .cs1-format{font-size:95%}.mw-parser-output .cs1-kern-left,.mw-parser-output .cs1-kern-wl-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right,.mw-parser-output .cs1-kern-wl-right{padding-right:0.2em}


  2. ^ "OWASP top 10 vulnerabilities". developerWorks. IBM. 20 April 2015. Retrieved 28 November 2015.


  3. ^ ab
    "SC Magazine Awards 2014" (PDF). Media.scmagazine.com. Retrieved 3 November 2014.


  4. ^ Board Archived September 16, 2017, at the Wayback Machine.. OWASP. Retrieved on 2015-02-27.


  5. ^ OWASP Europe, OWASP, 2016


  6. ^ OWASP Top Ten Project on owasp.org


  7. ^ Trevathan, Matt (1 October 2015). "Seven Best Practices for Internet of Things". Database and Network Journal. Retrieved 28 November 2015 – via  – via HighBeam (subscription required).


  8. ^ Crosman, Penny (24 July 2015). "Leaky Bank Websites Let Clickjacking, Other Threats Seep In". American Banker. Retrieved 28 November 2015 – via  – via HighBeam (subscription required).


  9. ^ Pauli, Darren (4 December 2015). "Infosec bods rate app languages; find Java 'king', put PHP in bin". The Register. Retrieved 4 December 2015.


  10. ^ "Payment Card Industry (PCI) Data Security Standard" (PDF). PCI Security Standards Council. November 2013. p. 55. Retrieved 3 December 2015.


  11. ^
    "Open Web Application Security Project Top 10 (OWASP Top 10)". Knowledge Database. Synopsys. Synopsys, Inc. 2017. Retrieved 2017-07-20. Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives.


  12. ^ Pauli, Darren (18 September 2014). "Comprehensive guide to obliterating web apps published". The Register. Retrieved 28 November 2015.


  13. ^ Baar, Hans; Smulters, Andre; Hintzbergen, Juls; Hintzbergen, Kees (2015). Foundations of Information Security Based on ISO27001 and ISO27002 (3 ed.). Van Haren. p. 144. ISBN 9789401800129.


  14. ^ "Category:OWASP XML Security Gateway Evaluation Criteria Project Latest". Owasp.org. Retrieved November 3, 2014.


  15. ^ https://www.owasp.org/index.php/OWASP_Incident_Response_Project


  16. ^ "OWASP AppSec Pipeline". Open Web Application Security Project (OWASP). Retrieved 26 February 2017.


  17. ^ "AUTOMATED THREATS to Web applications" (PDF). OWASP. July 2015.


  18. ^
    The list of automated threat events


  19. ^
    "Winners | SC Magazine Awards". Awards.scmagazine.com. Archived from the original on August 20, 2014. Retrieved 2014-07-17. Editor's Choice [...] Winner: OWASP Foundation




External links


  • Official website



-

Popular posts from this blog

澳門輕軌系統

Image
本文或本章節是關於未來的公共运输建設或計划。 未有可靠来源的臆測內容可能會被移除,現時內容可能與竣工情況有所出入。 本文或本章節是關於澳門未來的建設或計畫 。 它可能包含推测的性质的信息,可能與竣工情況有所出入。 body.skin-minerva .mw-parser-output table.infobox caption{text-align:center} 澳門輕軌系統 葡萄牙語: Sistema de Metro Ligeiro de Macau 英语: Macau Light Rapid Transit System (Macau LRT System) 概覽 營運地區   澳門 服務類型 輕軌運輸 车站总数 氹仔線:11個 澳門半島線:10個 起訖站点 關閘 正線总数 3條 主要路線 海洋 - 氹仔碼頭 路線等級 輕軌 主要車站 蓮花口岸、 機場、氹仔碼頭 技術數據 路線長度 氹仔線:9.3公里 軌道標準 膠輪路軌系統 动力方式 第三軌供電 750V 車輛基地 計劃興建總數11個: 澳門半島6個,氹仔5個 运营信息 營運時期 氹仔線:預計於2019年 运营单位 港鐵(澳門)(2019年-2023年) 澳門輕軌股份有限公司(2023年後) 網站 http://www.git.gov.mo 路線圖 各期工程完成後的路線走向(模擬)圖 澳門輕軌系統(未來) 圖例 關閘 馬場北 馬場東 青洲 A區車廠 筷子基 新城A區01 紅街市
Read more

水泉澳邨

Image
水泉澳邨 //upload.wikimedia.org/wikipedia/commons/6/66/Shui_Chuen_O_Estate_Overview_2016.jpg 水泉澳邨航拍圖 房屋機構 香港房屋委員會 所屬地區 沙田區 屋邨類別 租住屋邨 入伙年份 2015年至2017年 樓宇座數 18 單位數目 11123 單位面積 151.23-397.73 呎(ft²) 住戶數目 10900 (截至2017年6月30日情況) 認可人口 28200 (截至2017年6月30日情況) 水泉澳邨內貌(2016年3月) 水泉澳邨 ( 英语: Shui Chuen O Estate ) [1] 是香港房屋委員會轄下的一個公共屋邨。全邨共分4期興建及管理,第1及2期樓宇由水泉澳邨辦事處管轄,第3及4期樓宇則由水泉澳邨辦事處分處管轄。項目編號為ST41,但已列入擴展市區配屋區內,位於香港新界沙田區水泉澳(沙田第52區)博泉街1號,已經興建18座樓高25至30層依山而建的住宅樓宇,共提供11,123個出租公屋單位,可容納人口逾29,000多人及水泉澳廣場,場內設有59個商舖及一個整體出租街市。水泉澳邨將設有行人天橋和升降機塔,接通博康邨和港鐵馬鞍山綫的沙田圍站;邨內亦設有公共交通交匯處及泊車位,方便居民出行。 整個項目於2015年4月至2017年3月分階段落成。整個項目由房屋署總建築師(1)負責總體設計;而詳細設計則拆細並以外判服務合約方式,第1及4期判給了周林建築師有限公司;第2A期(明泉樓、社會福利大樓、巴士總站、天橋及商場)及第3期(茂泉、林泉、修泉及竹泉樓)判給了興業建築師事務所有限公司及第2B期(月泉及映泉樓)判給了李景勳、雷煥庭建築師事務所;而第2C期(城泉及河泉樓)則由房屋署自行負責細部設計。全邨的總承建商是中國建築工程(香港)有限公司。 水泉澳邨共有18座出租公屋大樓,共分4期興建,第1期於2015年4月至7月底分2個階段完工,第2期在2016年3月至11月底分4個階段完工,第3期已於2017年2月完工交樓,第4期的嶺泉樓早已於2016年8月完工入伙,而餘下的崇泉、山泉及峻泉樓則由20
Read more

Indian Forest Service

Image
Indian Forest Service Service Overview Preceding service Imperial Forest Service (1864 to 1935) Year of Constitution 1966 Country India Staff College Indira Gandhi National Forest Academy (IGNFA), Dehradun, Uttarakhand Cadre Controlling Authority Ministry of Environment, Forests and Climate Change Legal personality Governmental: Government service General nature Administration of Forest and Wildlife resources Cadre strength 3131 (2182 Direct Recruits and 949 Promotion Posts) Website ifs.nic.in Service Chief Director General of Forests Siddhanth Das, IFS (1982 Batch, Odisha Cadre) [1] Head of the All India Civil Services Cabinet Secretary Pradeep Kumar Sinha, IAS Indian Forest Service (भारतीय वन सेवा) [2] is one of the three All India Services of the Government of India. The other two All India Services being the Indian Administrative Service (IAS) and the Indian Police Service (IPS). [3] [4] [5] It was constituted in
Read more