OWASP is among the longest running security projects, with collaborators in nations across the globe, and an open-source community actively dedicated to improving digital security. But what exactly is OWASP? If you’re in the technology business long enough, it’s hard not to hear about the loosely organized group. The Open Web Application Security Project (OWASP), which is now buoyed by the OWASP Foundation and a Board, has played a vital role in Internet life for two decades. Here’s how it works.
The Open Web Application Security Project (OWASP): What Is It?
OWASP is an online community committed to web security. It has been around since 2001, when it was formally founded by Mark Curphey. Prior to that, it existed as a loose association of security enthusiasts and web developers. In 2004, the OWASP Foundation was incorporated as an American 501(c)(3) nonprofit corporation to fund OWASP’s projects and maintain its infrastructure. The organization is also registered as a European nonprofit in Belgium.
OWASP produces a wide breadth and depth of security-related content. Its open-source nature means that group members can select their own projects, build upon previous projects, draw upon work published to and by other communities, or contribute OWASP work to other security projects outside of OWASP. The organization is noncommercial in nature, which its organizers claim helps it to offer a higher quality product without commercial pressures.
OWASP endeavors to provide a thriving global community on the forefront of digital security issues.
Ethics, Values, and Culture
OWASP promotes four core values:
- Open: OWASP is transparent in nature, not only in offering open-source code but also in how it is organized and financed.
- Innovative: OWASP aims to be innovative, and supports experimental solutions to various security challenges.
- Global: Users aren’t limited to a particular geographic location, and OWASP explicitly encourages participation from users across the globe.
- Integrity: OWASP is vendor neutral, without commercial pressures, and aims to be an honest and truthful global community.
OWASP’s community of hackers is “white hat,” which means its members engage only in legal activities to support their own projects and those of others. Consequently, the organization has a rigorous code of ethics. A few of its principles include:
- Performing activities within the scope of the law, and under high ethical principles.
- Protecting the confidentiality of proprietary and sensitive information.
- Diligent and honest approaches to professional responsibilities.
- Promoting standards, procedures, and controls for application security.
- Avoiding conflicts of interest, particularly commercial conflicts of interest.
- Avoiding inappropriate pressure from within the industry.
- Never intentionally injuring colleagues, including their reputations.
- Treating all people, including members and non-members, with respect and dignity.
Because OWASP is an open-source project, anyone can participate -- and anyone can correct anyone else’s code or contributions. Official publications are reviewed to meet the organization’s standards. Like most nonprofits, OWASP is directed by a board of directors, with a detailed mission statement and comprehensive bylaws. It is not just a loose conglomerate of participants; it is a substantive organization with lasting commitments from its members.
Publications and Role in Web Security
OWASP helps set a wide range of standards for web security. Because it has been around for two decades, it has shaped a wide range of secure coding and testing practices. It publishes numerous guides and supplements, including:
- OWASP Software Assurance Maturity Model
- OWASP Top Ten
- OWASP Development Guide
- OWASP Testing Guide
- OWASP Code Review Guide
- OWASP Application Security Verification Standard (ASVS)
- OWASP Top 10 Incident Response Guidance
- OWASP XML Security Gateway
- OWASP ZAP Project: The Zed Attack Proxy (ZAP)
Though none of these publications and endeavors are specifically commercial, a wide range of commercial enterprises rely on OWASP guidance. Each sub-project has its own standards and culture, but all projects fall within the general guidelines and culture OWASP promulgates.
OWASP and Open-Source
Coding projects generally fall into two broad categories: open-source and closed or proprietary source. Commercial endeavors, such as Microsoft's numerous software projects, are not typically open-source -- though they sometimes rely on elements of open-source software. OWASP, like other organizations that use and support open-source software, argues that the open-source model supports innovation by making information publicly available. Because OWASP is not a commercial endeavor, it does not have to worry about strategic concerns, such as when to release updates or whether to disclose a security breach.
How is OWASP Relevant to Your Business?
OWASP projects have supported hundreds of businesses, including many app development companies. OWASP is a great reference source for common security flaws. Its protocols also provide a detailed education on web security. Some businesses actively participate in OWASP projects as a way to give back to the community or become a part of the security culture.
Others draw upon OWASP wisdom to build their own projects. Because OWASP has played such a vital role in web security culture, a basic familiarity can help you better understand various security issues.