DEV Community

Sophie McKay for Contxt

Posted on • Updated on • Originally published at bycontxt.com

The Who, the What, and the Why of OWASP

In your perusal of the web application security and vulnerability space, you might have come across an organisation called OWASP. Who is OWASP, what are OWASP, and why are OWASP?

The Who

Modern software development is still a reasonably young industry, beginning only in 1948 when the first stored-program computer was created in Manchester. It wasn’t until the 1970s that cybersecurity became an industry, when Bob Thomas wrote the first computer worm, Creeper, intended to leave a breadcrumb trail throughout ARPANET’s network. This in turn prompted the first anti-virus software, Reaper, written by Ray Tomlinson. The next revelation came in 1983 with the birth of the Internet, which was publicly released in 1991. This led to a new form of software development: web application development. Once again, however, security was an afterthought, and it wasn’t until 2001 that it was taken seriously.

On September 24th of that year, Mark Curphey started a community to advocate for secure web application programming, the Open Web Application Security Project, or OWASP. The main aim was to make security in web applications more visible so that developers could make more informed decisions by discussing the risks of insecure web apps and possible solutions. This community started with a document simply named “The Guide”, a guide for secure software engineering aimed at developers.

Fast forward to now, and this community has transformed into a non-profit foundation with tens of thousands of participants. The project has also “gone global”, with local chapters of OWASP spanning all continents (excluding Antarctica). These chapters build a community for application security professionals, organising talks and training to improve participants’ skills and networking opportunities. Anyone is welcome to join OWASP and contribute to the many projects that are being created and updated. OWASP also holds large-scale events across the world, including online webinars and multi-day conferences.

The What

The core principles of OWASP have not changed drastically since the inception of the group; it has simply grown much larger in scale, reflecting the increased importance of security on the internet. The current mission statement of OWASP is threefold.

  • Supporting individuals or teams to create impactful projects, whether these are guides for certain topics or research on the biggest risks in the industry.

  • Developing and nurturing communities that are passionate about web application security, facilitated through their events and local chapters.

  • Providing educational publications and resources, as there is a lack of knowledge in this sector. OWASP wants to be the first stop for developers or information security professionals to learn and better equip themselves to tackle the web application security sector.

We’ve already covered their community interactions and the opportunities they create for education, but other than the initial guide, what other projects have OWASP published? OWASP has a large portfolio of projects, categorised into tool projects, documentation projects, code projects, and other projects that further their reach. Within these categories, there are different levels of development of projects, from their flagship projects to lab and incubator projects. Lab projects are expected to produce an OWASP-reviewed deliverable with clearly defined value for the industry. Incubator projects are still in the development stages, with no current deliverable as they still need further research or fleshing out.

In total, OWASP currently has over 260 projects available, and looking at all of them is in itself a project! Some of the most famous and popular projects include:

The OWASP Top 10

This is typically the first entry point to hearing about OWASP. The Top 10 was first released in 2003, with minor updates to the document after this until 2010 when the format was revamped to prioritise by risk as well as prevalence. In 2013 and 2017 major releases were made, with the most recently released Top 10 in 2021. The OWASP Top 10 documents the top risks within web application security and has become a widely recognised document and the first step for developers in creating secure code.

The OWASP Mobile Top 10

First published in 2011, the OWASP Mobile Top 10 still covers security risks, but in the mobile application development industry rather than web applications. Again, this is aimed at creating more secure mobile applications and helps developers prioritise security remediations. This document was also updated in 2014 and 2016 but has not had any additional releases since.

The OWASP API Top 10

Given the explosion of APIs, it was inevitable that OWASP would once again create another new top-ten list. In 2019, they launched the first OWASP API Top 10. In 2022, they started collecting community feedback in order to provide their first update to this top ten list. We have articles covering some of the Top 10 API risks that give some insight into the current situation with API security.

These are some of the most popular pieces of documentation from OWASP, but they also have produced multiple different open-source tools.

Zed Attack Proxy (ZAP)

The most popular tool distributed by OWASP is Zed Attack Proxy or ZAP. This web app security testing tool scans for vulnerabilities within a web application. Scans can either be automated or manual; after a scan, the tool alerts if there are concerns with the request or response of the application and categorises these into different risk levels from high to low, informational, and false positive.

Juice Shop

Another popular tool is Juice Shop, an intentionally insecure web application intended for security training and awareness. It is built as an e-commerce application that sells juice to make security training easy to understand for even new developers.

Dependency-Check

This tool tries to detect vulnerabilities within a project’s dependencies by identifying each dependency’s Common Platform Enumeration (CPE) identifier and checking it against the Common Vulnerabilities and Exposures (CVE) database; it then generates a report linking to any vulnerabilities found.
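To make the CPE-to-CVE matching idea concrete, here is an added example of the core lookup in Python. It is illustrative code written for this article, not OWASP Dependency-Check’s own implementation: the CPE names, the `CVE-0000-000x` identifiers, the version ranges and the `VULN_DB` structure are all constructed placeholders, not real advisories or the real NVD data format. It also takes the CPE for each dependency as given; in practice, inferring the right CPE from an artifact is the hard part and the source of most false positives.

```python
"""Added example: CPE-based dependency vulnerability matching in principle.

Not OWASP Dependency-Check's code. All CPE names, CVE identifiers,
version ranges and severities below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    """The parts of a CPE 2.3 name that a dependency check compares on."""
    vendor: str
    product: str
    version: str


def parse_cpe(cpe: str) -> Cpe:
    """Parse a CPE 2.3 formatted name, which has 13 colon-separated fields:
    cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:...:<other>"""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe!r}")
    return Cpe(vendor=fields[3], product=fields[4], version=fields[5])


def version_key(version: str) -> tuple[int, ...]:
    """Turn a dotted numeric version into a tuple so that 1.2.10 > 1.2.9.
    A plain string comparison would get this wrong ("1.2.10" < "1.2.9").
    Assumes purely numeric components."""
    return tuple(int(part) for part in version.split("."))


def version_in_range(version: str, start_incl: str | None, end_excl: str | None) -> bool:
    """True if start_incl <= version < end_excl; a None bound is open-ended."""
    v = version_key(version)
    if start_incl is not None and v < version_key(start_incl):
        return False
    if end_excl is not None and v >= version_key(end_excl):
        return False
    return True


# Constructed stand-in for CVE database records (placeholder identifiers).
VULN_DB = [
    {"id": "CVE-0000-0001", "vendor": "example_vendor", "product": "example_lib",
     "start_incl": "1.0.0", "end_excl": "1.2.4", "severity": "HIGH"},
    {"id": "CVE-0000-0002", "vendor": "example_vendor", "product": "example_lib",
     "start_incl": "2.0.0", "end_excl": None, "severity": "MEDIUM"},
    {"id": "CVE-0000-0003", "vendor": "other_vendor", "product": "parser",
     "start_incl": None, "end_excl": "0.9.0", "severity": "CRITICAL"},
]

# Constructed project dependencies, already expressed as CPE names.
SAMPLE_DEPENDENCIES = [
    "cpe:2.3:a:example_vendor:example_lib:1.2.3:*:*:*:*:*:*:*",   # in 0001's range
    "cpe:2.3:a:example_vendor:example_lib:1.2.10:*:*:*:*:*:*:*",  # patched (>= 1.2.4)
    "cpe:2.3:a:other_vendor:parser:0.8.5:*:*:*:*:*:*:*",          # in 0003's range
    "cpe:2.3:a:other_vendor:parser:1.0.0:*:*:*:*:*:*:*",          # patched
]


def find_vulnerabilities(cpes: list[str], db: list[dict] = VULN_DB) -> list[dict]:
    """Match each dependency's vendor/product against the database, then
    check whether its version falls inside the affected range."""
    findings = []
    for cpe_str in cpes:
        cpe = parse_cpe(cpe_str)
        for rec in db:
            if rec["vendor"] != cpe.vendor or rec["product"] != cpe.product:
                continue
            if version_in_range(cpe.version, rec["start_incl"], rec["end_excl"]):
                findings.append({"dependency": cpe_str, "cve": rec["id"],
                                 "severity": rec["severity"]})
    return findings


def render_report(findings: list[dict]) -> str:
    """Plain-text report, one line per finding (a real tool also links to the advisory)."""
    if not findings:
        return "No known vulnerabilities found."
    return "\n".join(f"{f['severity']:8} {f['cve']}  {f['dependency']}" for f in findings)


if __name__ == "__main__":
    print(render_report(find_vulnerabilities(SAMPLE_DEPENDENCIES)))
```

The numeric version comparison is the detail worth noticing: the `1.2.10` dependency is correctly reported as patched only because versions are compared as tuples rather than strings, and a real scanner also has to cope with suffixes such as `-beta` or `.RELEASE` that this toy does not handle.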

The Why

So, we’ve covered who OWASP is and what they do, but why are they important? Before OWASP there weren’t any formal web application security education resources or testing tools on the market. They knew there was a problem with the priorities in the industry and sought to create a solution and educate people about the issues with web application security. However, this is still a huge battle, which OWASP is actively trying to combat. This can be seen even in the most recent statistics about the online cybersecurity sphere, with 30,000 websites hacked daily and 64% of companies worldwide experiencing at least one cyber attack within the last year.

Not only has OWASP been around the longest, but due to the model of their foundation, they value collaboration above all else. This means that a vast base of developers and security professionals contribute to these projects, giving different perspectives and strengthening their documentation and tools. Alongside that collaboration, since they aim to be an educational resource, all of their resources are easy to understand and free to everyone.

OWASP is a critical contributor to web-scale security. And, as more applications are built and more businesses expand online, their role in providing a comprehensive “baseline” for building and maintaining secure applications will only become more important. While every developer must build security and privacy into their own applications, strong security starts with a foundation of knowledge - as they say, knowing is half the battle!


Top comments (1)

brmartin | Bruno Martins • Edited

Good article! I am an OWASP associate member and feel great to support them. I even talk about it in my article (in Portuguese) - dev.to/brmartin/eu-me-associei-a-o...