According to PSYKNOWHOW, the acronym OWASP stands for the “Open Web Application Security Project” (since 2023 expanded as the Open Worldwide Application Security Project). Behind it is a non-profit organization of experts committed to the security of web services and applications.
OWASP has no commercial intent and is open to anyone interested in the data and operational security of web applications. The organization is structured worldwide in so-called chapters; the German representation has come together in the German Chapter.
OWASP members regularly publish material pointing out security vulnerabilities in web applications. One OWASP publication in particular has made a name for itself: the Top 10 list of the greatest risks and the most frequent attacks in the web application sector, issued periodically (roughly every three to four years) rather than annually. Further material is made available in the form of recommendations, tools and documentation.
This transparency is meant to enable users of web applications, as well as companies and organizations, to make decisions about the acquisition and use of web applications on the basis of actual security risks.
Membership structure of the OWASP
The OWASP community is made up of educational institutions and companies from all over the world, but also of individuals. Together they develop openly accessible information, tools, methods and technologies with which security gaps and weak points can be identified and published. Great importance is attached to independence from software manufacturers and technology companies. This distance from the big players in the industry makes it possible to provide practical and unbiased information about the security of web applications.
The OWASP project employs very few permanent staff and therefore has very little expenditure, which is covered by sponsorship, advertising and conferences. In addition, several thousand US dollars are awarded each year as grants (bonuses) for notable work on web application security research.
OWASP is organizationally divided into boards, chapters and members, with the chapters forming regional organizational units that any member can found and set up. The basics for this are described in a chapter manual. Furthermore, regular meetings and get-togethers take place in many larger cities.
Topics and goals of the OWASP community
The OWASP project has set itself the following goals:
- Improving the security of web applications
- Publication of web application risks and vulnerabilities
- Provision of tools, documentation and solutions
- Creation of transparency and awareness of the topic of security on the web
- Support of software developers, IT managers and penetration testers
The individual sub-projects of the Open Web Application Security Project are grouped into two main categories, documentation projects and development (tool) projects. Projects from both categories currently include:
- “The Guide” is a handbook of recommendations for action relating to the security of web applications.
- The Application Security Verification Standard (ASVS) defines the requirements and verification levels for security checks at the application level.
- AntiSamy is a library that validates user-supplied HTML and CSS (for example rich-text input from online forms) against an allowlist policy and returns a cleaned version that can be rendered safely.
- XSSer is a tool that automatically detects cross-site scripting (XSS) weaknesses in web applications.
- The Top Ten list (described below).
- DotNet comprises a collection of tools to secure environments based on the .NET platform.
- OWASP Mantra Security Framework is a collection of hacking tools, scripts and plugins for the Mozilla Firefox browser.
- WebGoat is a web application with intentionally implemented vulnerabilities that shows web application developers “how not to do it”.
- Enigform is a Firefox extension that digitally signs outgoing HTTP requests with OpenPGP so that a server-side module can verify them.
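The AntiSamy and XSSer entries above describe the two halves of the same problem: user-supplied markup must be reduced to an allowlist before it is rendered, and plain-text fields must be escaped so that an injected script never reaches the browser. The following is an added example, written for this page and not code from OWASP or from the AntiSamy project; the policy constants (ALLOWED_TAGS, ALLOWED_ATTRS, ALLOWED_URL_SCHEMES) and the render_comment function are assumptions chosen for illustration, in the spirit of an AntiSamy policy file.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist policy (an assumption for this example, modelled on
# the idea of an AntiSamy policy file): everything not listed here is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_URL_SCHEMES = {"http", "https"}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}  # their content is dropped, not escaped


class AllowlistSanitizer(HTMLParser):
    """Re-serialize an HTML fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.drop_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown element: tag is dropped, its text is kept
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, etc.
            if name == "href":
                scheme = urlparse((value or "").strip()).scheme.lower()
                if scheme and scheme not in ALLOWED_URL_SCHEMES:
                    continue  # blocks javascript:, data:, vbscript: URLs
            safe_attrs.append((name, html.escape(value or "", quote=True)))
        attr_text = "".join(f' {n}="{v}"' for n, v in safe_attrs)
        self.out.append(f"<{tag}{attr_text}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS and self.drop_depth:
            self.drop_depth -= 1
            return
        if tag in self.open_tags and not self.drop_depth:
            # Close anything left open inside so the output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            # Text is always re-escaped, whatever entities the input used.
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:  # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Rich-text field: keep allowlisted markup, drop the rest."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


def escape_text(value):
    """Plain-text field: no markup is allowed at all, so escape everything."""
    return html.escape(value, quote=True)


def render_comment(author, body_html):
    """Hypothetical view helper: each field gets the treatment its context needs."""
    return (f'<p class="author">{escape_text(author)}</p>'
            f'<div class="body">{sanitize_html(body_html)}</div>')


if __name__ == "__main__":
    # Constructed attacker input, the kind of payload XSSer would try.
    print(sanitize_html('<b>hi</b><script>alert(1)</script>'))
    print(sanitize_html('<a href="javascript:alert(1)" onclick="x()">click</a>'))
    print(render_comment('<script>', '<i>x</i>'))
```

The design point is that the two functions are not interchangeable: escape_text is the right answer wherever the application wants text and nothing else, while sanitize_html is only for fields that must legitimately carry markup, and even there it rebuilds the fragment from an allowlist rather than trying to blacklist dangerous constructs.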
Top 10 report of the OWASP project
OWASP has published its Top 10 report since 2003, with new editions appearing every few years rather than annually; it summarizes the ten main risks and the most important types of attacks on web applications. The aim of this list is to highlight the most common vulnerabilities in web applications. The OWASP Top 10 is an essential working basis for software architects and developers as well as for security experts.