OWASP – the Open Web Application Security Project

November 9th, 2010

Web applications are difficult to secure. This is a well-known fact. Hardly a day goes by without a media story about a data security breach at some commercial site. Part of the challenge of securing web applications is that platforms differ so much, and the typical web application operates across multiple levels, protocols and software stacks.

To help companies and developers with the tremendous task of securing web applications, OWASP was formed. OWASP, the Open Web Application Security Project, is a global 501(c)(3) non-profit organization dedicated to making the security of web applications visible. All of the materials developed by OWASP are freely available under an open source license. It is OWASP’s policy not to endorse commercial products, services or solutions; the goal of this policy is to keep the OWASP community vendor agnostic.

OWASP provides a fantastic array of resources for determining the risks in your web applications. Their web site is set up as a wiki. They have developed a number of in-depth guides, including The OWASP Guide to Building Secure Web Applications and Web Services, which deals with best practices when designing and building web-based applications. They also publish The OWASP Testing Guide, which gives guidance on how to conduct security reviews and penetration testing of web application architectures. The OWASP Code Review Guide contains similar information to the Testing Guide but emphasizes the review and testing of application code for vulnerabilities.

In addition to the guides that outline security best practices, OWASP also has a wiki devoted to describing various threat agents, vulnerabilities, activities, controls and technologies. This allows web administrators to quickly find information about potential vulnerabilities and techniques for addressing them. This section also includes code snippets to help provide examples of how to write secure web application code.

There are so many online publications, developers and bloggers writing about security on a regular basis that sifting through it all can be overwhelming. Fortunately, you may not need to. OWASP’s news section is a filtered list of security articles and news that have been vetted by the staff of OWASP.

Besides the news feed, the useful in-depth guides, the wiki articles and the glossary, OWASP also hosts a number of downloads and projects. These are typically security-related projects such as test suites or security tools. For example, one popular OWASP project is a set of rules for the mod_security Apache module; mod_security is a web application firewall. Another useful tool is a Joomla vulnerability scanner, which scans a Joomla installation for known vulnerabilities.

As a non-profit organization, OWASP relies on its supporting members for the funding to continue its work. There are various levels of membership available, from individual to organization. Becoming a member of OWASP helps provide that support. Each membership level also provides some limited benefits. The benefit that all levels of membership have in common is demonstrating your awareness of security best practices. As a developer, this is a highly marketable skill set, and membership in OWASP can help you stand out from other developers.

Even if you don’t join OWASP, I encourage you to investigate their site and download their guides. We all benefit when developers have a greater awareness of security best practices and apply them.

mario says:

The only useful project OWASP maintains is the core rule set of mod_security. Everything else is too convoluted. In particular, ESAPI is a seriously misguided API (provides no security itself) that’s universally eschewed. You can’t further security by making it more difficult than necessary.