<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Sophie McKay</title>
    <description>The latest articles on DEV Community by Sophie McKay (@sophiemck).</description>
    <link>https://dev.to/sophiemck</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1037966%2F596f46d3-270e-41a9-b26d-b3246a9dc60c.png</url>
      <title>DEV Community: Sophie McKay</title>
      <link>https://dev.to/sophiemck</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sophiemck"/>
    <language>en</language>
    <item>
      <title>The Role of API Standards in Data Privacy</title>
      <dc:creator>Sophie McKay</dc:creator>
      <pubDate>Wed, 13 Sep 2023 09:00:00 +0000</pubDate>
      <link>https://dev.to/contxt/the-role-of-api-standards-in-data-privacy-bbb</link>
      <guid>https://dev.to/contxt/the-role-of-api-standards-in-data-privacy-bbb</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya &amp;amp; Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In the world of APIs, open standards compliance represents the pinnacle of maturity. But why are these standards so crucial, particularly when it comes to data privacy? In this blog post, we'll explore the indispensable role of API standards in data privacy.&lt;/p&gt;

&lt;h3&gt;Why Open Standards Matter&lt;/h3&gt;

&lt;p&gt;At first glance, open standards might seem like just another regulatory hurdle to clear. However, they serve a deeper purpose: fostering interoperability, encouraging innovation, and enhancing data privacy. By adhering to these standards, organizations can ensure their APIs communicate effectively with others, unlock new avenues for growth, and most importantly, uphold the highest levels of data protection.&lt;/p&gt;

&lt;h3&gt;Data Privacy Is a Primary Concern&lt;/h3&gt;

&lt;p&gt;An executive from a global retailer reiterated the significance of data privacy, stating, "With APIs being such a fundamental part of our digital infrastructure, ensuring they adhere to privacy standards is crucial." APIs often handle sensitive data, making them attractive targets for cybercriminals. As such, it's vital that they conform to open standards, providing a secure foundation for data transmission.&lt;/p&gt;

&lt;h3&gt;Standards Compliance in Practice&lt;/h3&gt;

&lt;p&gt;So, how do companies navigate the often complex landscape of open standards? The CTO of a leading tech enterprise shared their approach: "We view compliance not as a burden, but as an opportunity to fortify our APIs, increase their interoperability, and enhance the security of the data they handle."&lt;/p&gt;

&lt;p&gt;This shift in perspective can be a game-changer. By embracing open standards as part of their core strategy, organizations can proactively enhance their APIs' functionality and security, rather than reactively responding to regulatory requirements.&lt;/p&gt;

&lt;h3&gt;The Role of Contxt&lt;/h3&gt;

&lt;p&gt;Navigating open standards compliance can be challenging, which is where Contxt steps in. Our platform is designed to guide you through this complex process, offering the tools and insights necessary to ensure your APIs not only meet but exceed these standards.&lt;/p&gt;

&lt;p&gt;The representative from an Oil and Gas multinational echoed the benefits of such a solution: "Contxt has been instrumental in helping us navigate the intricacies of open standards compliance, making the process much more manageable and less daunting."&lt;/p&gt;

&lt;h3&gt;The Bottom Line&lt;/h3&gt;

&lt;p&gt;The importance of open standards compliance, especially in relation to data privacy, cannot be overstated. It's not merely a box to tick off, but a critical component of a robust API strategy. As you climb the ladder of the API Context Maturity Model, remember the expert insights shared today and consider how your organization can benefit from a steadfast commitment to API standards and data privacy. After all, in the digital era, the security of your APIs is synonymous with the security of your data.&lt;/p&gt;

&lt;p&gt;Stay tuned for our next blog post as we continue to unravel the complexities of the API journey.&lt;/p&gt;

</description>
      <category>api</category>
      <category>webdev</category>
      <category>design</category>
      <category>security</category>
    </item>
    <item>
      <title>Why APIs &amp; What Are They Made Of?</title>
      <dc:creator>Sophie McKay</dc:creator>
      <pubDate>Tue, 18 Apr 2023 12:49:24 +0000</pubDate>
      <link>https://dev.to/contxt/why-apis-what-are-they-made-of-3nle</link>
      <guid>https://dev.to/contxt/why-apis-what-are-they-made-of-3nle</guid>
      <description>&lt;p&gt;We’ve covered &lt;a href="https://bycontxt.com/blog/blog/so-you-have-an-api-vulnerability-what-does-that-mean-and-what-can-be-done?utm_source=DevTo"&gt;how prevalent APIs are on the internet&lt;/a&gt; and &lt;a href="https://bycontxt.com/blog/blog/apis-are-growing-faster-than-developers-can-handle?utm_source=DevTo"&gt;how important they are in the application development process&lt;/a&gt;. But why APIs? What makes them so useful that half of a company’s development efforts go into them?&lt;/p&gt;

&lt;p&gt;The simple answer is that they make the process of app development much more efficient and effective, saving time and money. APIs allow your products or services to communicate with other products and services without needing to know how the third-party product or service is implemented. Because the digital market moves so quickly, flexibility and simple design are of the utmost importance, which is why APIs are so heavily used.&lt;/p&gt;

&lt;p&gt;It’s easy to find examples of APIs in use all over the digital world. One of the most prominent is logging in to a website using a different account such as Google, Facebook, or Twitter. Using these options makes it a more seamless process for the user and gives the site access to the user’s personal data automatically. Finally, it offers secure authentication, allowing developers to focus on other aspects of application development.&lt;/p&gt;

&lt;p&gt;Another common API example is paying with PayPal. A lot of e-commerce websites will allow a user to pay with PayPal when checking out. Again, this makes for a good customer experience and is much more efficient for developers as they do not have to create their own secure payment system, as they can just use PayPal.&lt;/p&gt;

&lt;p&gt;So, it’s obvious why APIs are so popular with developers: they create a development process with much less friction, allowing developers to focus on innovating and growing business value rather than on functions that have been done to death.&lt;/p&gt;

&lt;p&gt;But how does an API actually work? How is the data transmitted and converted so that both systems understand it? At its most basic, an API is a set of rules for how two systems should communicate with each other. The user initiates an API call in the application, meaning the API sends a request for information. The API then accesses the web server to retrieve that information. Finally, the API sends the information back to the application, which displays it for the user.&lt;br&gt;
Everything an API does works through API calls, so they are integral to how an API functions. So what is an API call, and what is it made of? There are four main components:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The Endpoint&lt;/li&gt;
&lt;li&gt;The HTTP Method&lt;/li&gt;
&lt;li&gt;The Request Headers&lt;/li&gt;
&lt;li&gt;The Request Body&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;The Endpoint&lt;/h4&gt;

&lt;p&gt;This is where the request will be sent: the path to the web server or external program that holds the information the user wants. It can be split into three parts:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Root Endpoint&lt;/li&gt;
&lt;li&gt;Resource&lt;/li&gt;
&lt;li&gt;Parameters&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Root Endpoint is the base URI of the API. However, APIs often have multiple endpoints, so the other two parts are needed to specify where to go. The resource is what you are searching through; two common examples are a user list or a product list. The parameters could be a query, a path, a form, or any other type of parameter. For example, if you were searching for the details of a certain user, you would need to supply that user’s ID to find them in the database.&lt;/p&gt;

&lt;h4&gt;The HTTP Method&lt;/h4&gt;

&lt;p&gt;The HTTP Method defines the action that needs to be taken. The five most common HTTP methods are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;GET - retrieve data from a resource&lt;/li&gt;
&lt;li&gt;POST - send data to a resource&lt;/li&gt;
&lt;li&gt;PUT - update data of a resource&lt;/li&gt;
&lt;li&gt;PATCH - partial update to data of a resource&lt;/li&gt;
&lt;li&gt;DELETE - delete data from a resource&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;The Request Headers&lt;/h4&gt;

&lt;p&gt;These are additional details that inform the API about your request and the type of response you expect. Below are four of the most common headers in an API call:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;User-Agent - identifies the application, operating system, vendor, and/or version of the software that is acting for the user&lt;/li&gt;
&lt;li&gt;Content-Type - indicates the media type of the resource, such as XML or JSON&lt;/li&gt;
&lt;li&gt;Accept - indicates which media type the response should be sent in, such as XML or JSON&lt;/li&gt;
&lt;li&gt;Authorization - provides credentials to authenticate a user when accessing protected resources&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;The Request Body&lt;/h4&gt;

&lt;p&gt;This contains the data the user wants to send to the server or external program, such as the user’s email address if they are signing up for a newsletter.&lt;/p&gt;

&lt;p&gt;That is a brief explanation of all the different parts of an API call. If you are interested in learning more about the information being sent in your API calls, you can &lt;a href="https://docs.darkspark.io/getting-started/integration?utm_source=DevTo"&gt;integrate&lt;/a&gt; Darkspark into your application and view all your active API calls in your &lt;a href="https://docs.darkspark.io/how-tos/darkspark-features/how-to-use-the-inventory?utm_source=DevTo"&gt;Inventory&lt;/a&gt; to better understand what data you might be unnecessarily sending.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Sources:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.redhat.com/en/topics/api/what-are-application-programming-interfaces"&gt;https://www.redhat.com/en/topics/api/what-are-application-programming-interfaces&lt;/a&gt;&lt;br&gt;
&lt;a href="https://blog.dreamfactory.com/3-reasons-why-you-need-an-api/"&gt;https://blog.dreamfactory.com/3-reasons-why-you-need-an-api/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://stateful.com/blog/google-oauth"&gt;https://stateful.com/blog/google-oauth&lt;/a&gt;&lt;br&gt;
&lt;a href="https://nordicapis.com/5-examples-of-apis-we-use-in-our-everyday-lives/"&gt;https://nordicapis.com/5-examples-of-apis-we-use-in-our-everyday-lives/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.turing.com/kb/7-examples-of-APIs"&gt;https://www.turing.com/kb/7-examples-of-APIs&lt;/a&gt;&lt;br&gt;
&lt;a href="https://tray.io/blog/how-do-apis-work"&gt;https://tray.io/blog/how-do-apis-work&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.programsbuzz.com/article/api-request-anatomy"&gt;https://www.programsbuzz.com/article/api-request-anatomy&lt;/a&gt;&lt;br&gt;
&lt;a href="https://blog.uptrends.com/technology/the-anatomy-of-an-api-call/"&gt;https://blog.uptrends.com/technology/the-anatomy-of-an-api-call/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://blog.hubspot.com/website/api-calls"&gt;https://blog.hubspot.com/website/api-calls&lt;/a&gt;&lt;br&gt;
&lt;a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent"&gt;https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.geeksforgeeks.org/http-headers-content-type/"&gt;https://www.geeksforgeeks.org/http-headers-content-type/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization"&gt;https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization&lt;/a&gt;&lt;/p&gt;

</description>
      <category>api</category>
      <category>beginners</category>
      <category>webdev</category>
      <category>learning</category>
    </item>
    <item>
      <title>Protect Your Data: A Guide to Secure Transmissions for Devs</title>
      <dc:creator>Sophie McKay</dc:creator>
      <pubDate>Tue, 11 Apr 2023 12:44:59 +0000</pubDate>
      <link>https://dev.to/contxt/protect-your-data-a-guide-to-secure-transmissions-for-devs-1h9i</link>
      <guid>https://dev.to/contxt/protect-your-data-a-guide-to-secure-transmissions-for-devs-1h9i</guid>
      <description>&lt;p&gt;Basically, the internet is a network of connected computers transmitting data from one another. So, if you’re building an application for the world wide web, you’ll be transmitting vast amounts of data and depending on the nature of that application, it might contain data that is sensitive. &lt;/p&gt;

&lt;p&gt;This leads to a key question: how do I keep this data safe and avoid exposing it to every other computer on this worldwide network?&lt;/p&gt;

&lt;p&gt;That’s where secure transmissions come into the mix.&lt;/p&gt;

&lt;p&gt;What is a secure transmission? Simply, it’s a data transmission that is sent over a secure channel. But why is it essential to secure transmissions with sensitive data? Firstly, consumers are becoming more interested and concerned about how their personal data is being handled, willing to leave companies if this data is mishandled. Secondly, many new regulations such as GDPR and the CCPA require the personal data of users to be handled carefully and mishandling of this data can result in hefty fines. For a more in-depth look into the importance of protecting sensitive data, read our article about it &lt;a href="https://bycontxt.com/blog/pii-and-you-why-appdevs-need-to-protect-it?utm_source=DevTo"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Secure transmissions are the first step to protecting private information, and if they are not implemented they can be one of the most easily exploited weaknesses of a web application. There are multiple instances of insecure communication resulting in negative outcomes for companies.&lt;/p&gt;

&lt;h2&gt;LinkedIn&lt;/h2&gt;

&lt;p&gt;In 2021, one of LinkedIn’s APIs was abused by a threat actor, allowing them to scrape the data of between 500 and 700 million users. Data scraping is a technique where a computer program extracts data from an output generated by another computer, typically into files or spreadsheets. So, in this case, the threat actor scraped the data this API was generating, which happened to be the email addresses, full names, phone numbers, physical addresses, geo-location records, and personal and professional background records of a majority of their user base.&lt;/p&gt;

&lt;h2&gt;First American Financial Corp.&lt;/h2&gt;

&lt;p&gt;Due to a lack of authentication, in 2019 First American Financial Corp leaked over 885 million sensitive documents. If you knew where to look on their website, you could view these documents, which included bank account numbers, bank statements, social security numbers, and driver’s license photos. Although collecting the data could be a long and slow process, by using bots and deliberately making fewer requests, data collection was vast and hard to detect.&lt;/p&gt;

&lt;h2&gt;River City Media&lt;/h2&gt;

&lt;p&gt;Finally, in 2017, the spam email operator River City Media leaked 1.37 billion records after a backup of their system was accidentally published with no password or user authentication. These records included email addresses, real names, IP addresses, and even physical addresses. Most of these records had been obtained by gathering data from websites affiliated with River City Media, meaning a large portion of the people involved were unaware their records were part of the leak.&lt;/p&gt;

&lt;p&gt;Again, if you would like to learn more about the consequences of these data leaks, read our article about &lt;a href="https://bycontxt.com/blog/pii-and-you-why-appdevs-need-to-protect-it?utm_source=DevTo"&gt;PII&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;So how do you secure this data? A quick Google search on secure transmissions will turn up encryption, which is a great starting point but not the only way to secure transmissions. Authentication is another huge part of secure transmissions.&lt;/p&gt;

&lt;p&gt;For encryption, all transmissions should be carried over HTTPS, the secure version of the Hypertext Transfer Protocol. This involves using TLS, Transport Layer Security, a protocol that authenticates and encrypts a link between networked computers; the current version is TLS 1.3, released in 2018. To do this, you will need an SSL/TLS certificate. This is a digital document associated with a cryptographic key pair consisting of a public and a private key. The public key is included in the certificate, and the private key is kept secure on the server. To protect the private key, it should be held in a keystore alongside the certificate.&lt;/p&gt;

&lt;p&gt;However, how do you authenticate transmissions that access resources from another web app on behalf of the user? This is where OAuth, or Open Authorization, comes into the mix. OAuth is the industry standard for this problem, and OpenID Connect, which extends OAuth with ID tokens, adds a further layer of security on top of it.&lt;/p&gt;

&lt;p&gt;Although this seems like a mountain to climb, Darkspark can lend a hand in prioritising any remediations that are required by pinpointing the exact location of insecure transmissions. Features within Darkspark that can accelerate this process include Environment Comparison and the Action Centre. Environment Comparison can find these issues before they hit production, and the Action Centre helps you prioritise remediations and categorise the issues. If you have any questions about Darkspark, feel free to contact us.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Sources:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.cloudflare.com/en-gb/learning/bots/what-is-data-scraping/"&gt;https://www.cloudflare.com/en-gb/learning/bots/what-is-data-scraping/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://scrubbed.net/blog/linkedin-data-leak-what-we-can-do-about-it/"&gt;https://scrubbed.net/blog/linkedin-data-leak-what-we-can-do-about-it/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://about.linkedin.com/"&gt;https://about.linkedin.com/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.upguard.com/blog/biggest-data-breaches-us"&gt;https://www.upguard.com/blog/biggest-data-breaches-us&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.forbes.com/sites/ajdellinger/2019/05/26/understanding-the-first-american-financial-data-leak-how-did-it-happen-and-what-does-it-mean/?sh=69e47d40567f"&gt;https://www.forbes.com/sites/ajdellinger/2019/05/26/understanding-the-first-american-financial-data-leak-how-did-it-happen-and-what-does-it-mean/?sh=69e47d40567f&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.theguardian.com/technology/2017/mar/06/email-addresses-spam-leak-river-city-media"&gt;https://www.theguardian.com/technology/2017/mar/06/email-addresses-spam-leak-river-city-media&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.cloudflare.com/en-gb/learning/ssl/what-is-https/"&gt;https://www.cloudflare.com/en-gb/learning/ssl/what-is-https/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.ssl.com/faqs/faq-what-is-ssl/"&gt;https://www.ssl.com/faqs/faq-what-is-ssl/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://solutionsreview.com/network-monitoring/protect-yourself-five-fundamentals-for-api-security/?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=protect-yourself-five-fundamentals-for-api-security"&gt;https://solutionsreview.com/network-monitoring/protect-yourself-five-fundamentals-for-api-security/?utm_source=rss&amp;amp;utm_medium=rss&amp;amp;utm_campaign=protect-yourself-five-fundamentals-for-api-security&lt;/a&gt;&lt;br&gt;
&lt;a href="https://informationsecuritybuzz.com/10-api-security-best-practices-to-protect-your-organization/"&gt;https://informationsecuritybuzz.com/10-api-security-best-practices-to-protect-your-organization/&lt;/a&gt;&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>security</category>
      <category>api</category>
      <category>leak</category>
    </item>
    <item>
      <title>PII &amp; You: Why AppDevs need to protect it.</title>
      <dc:creator>Sophie McKay</dc:creator>
      <pubDate>Wed, 08 Mar 2023 15:12:14 +0000</pubDate>
      <link>https://dev.to/contxt/pii-you-why-appdevs-need-to-protect-it-5d15</link>
      <guid>https://dev.to/contxt/pii-you-why-appdevs-need-to-protect-it-5d15</guid>
      <description>&lt;p&gt;Less than a week into 2023 and Twitter has already reported a data breach affecting 200 million users. With data breaches rising by 70% in the third quarter of 2022 and notable organisations such as Uber, Medibank, DoorDash, and even the Costa Rican government reporting data breaches, data privacy is becoming an ever-growing concern for consumers. This has forced the introduction of laws such as GDPR in 2018 for the EU, APPI in 2020 for Japan, and PIPEDA in 2000 for Canada.&lt;/p&gt;

&lt;p&gt;According to Clock Tower Insight, two-thirds of consumers believe that a company’s privacy practices relate to the business’s trustworthiness. This has also led to the creation of a new faction of consumers known as “privacy actives”. In a 2019 survey conducted by Cisco, almost a third of respondents said they care so much about privacy that they are willing to switch companies, and have done so, because of a business’s data usage or sharing policies. So, with the scene set, how does PII enter the picture and why should you care?&lt;/p&gt;

&lt;p&gt;PII stands for Personally Identifiable Information and has multiple definitions, but the most basic is any piece of information or data that can be used to identify an individual. PII can be separated into two different categories, sensitive and non-sensitive. Sensitive PII could be passport numbers or banking details, data that is unique to an individual. Non-sensitive PII is information that can be found in public records such as their date of birth or postal code.&lt;/p&gt;

&lt;p&gt;However, in the eyes of the law, the definition can change, and what is and isn’t important to protect becomes murkier. In the United States, PII is defined as something that is personally identifiable, such as a name, social security number, or biometric records. Under Australian privacy law the definition is much broader: PII is information or an opinion about an individual whose identity is either apparent or can be reasonably ascertained. Canadian privacy law, meanwhile, defines PII as a piece of data that, on its own or combined with other pieces of information, can identify an individual.&lt;/p&gt;

&lt;p&gt;Most basic signup pages for a company will at least ask for an email address, if not more, such as first names, surnames, and dates of birth. Under the various privacy laws we have discussed, all or none of these can constitute PII. Given these circumstances, it’s best to treat all incoming data from consumers as PII and as sensitive.&lt;/p&gt;

&lt;p&gt;To contextualise the value of PII to malicious attackers, let’s look at some statistics. It’s the most commonly stolen data asset according to IBM, with PII being included in 44% of attacks. That’s because it can make attackers lots of money to sell PII on the dark web. The average cost per customer record in 2021 was $180. But that is for one record. Also according to IBM, the average number of records stolen in a data breach is 25,575. Extrapolating this data, an average attack can earn $4.6 million for an attacker by selling records alone. That’s a coffee a day for the next 4,500 years. Or having all of your meals out for the next 210 years. Or 23 Lamborghinis. Basically, it’s a lot of money.&lt;/p&gt;

&lt;p&gt;So, we’ve looked at what constitutes PII, its value, and the importance of data privacy for consumers. Now let’s dive deeper into how PII can be overexposed and what ramifications can come about from it. Unlike other security breaches with direct attacks on network systems, obtaining PII due to overexposure is much more passive; by just listening to network traffic, a bad actor can obtain mountains of data. This can happen due to PII being sent over unencrypted networks; sending PII over email; having media storage devices lost or stolen that contain PII; not having proper authentication access controls for areas of the network with PII; or not correctly monitoring the PII sent over APIs.&lt;/p&gt;

&lt;p&gt;To examine the different variations of overexposure, we’ll look at three examples of companies that didn’t sufficiently protect consumers’ PII, which ultimately led to breaches. In 2017, the parent company of the Wall Street Journal, Dow Jones &amp;amp; Co, was found to have unsecured AWS servers, meaning anybody with (freely available) Amazon web authentication could access a server holding records for their four million customers. The data on this server included customer names, home and business addresses, email addresses, and the last four digits of the customer’s credit card.&lt;/p&gt;

&lt;p&gt;Another example of PII overexposure happened in 2010, when the Brighton &amp;amp; Sussex University Hospitals NHS Trust was tasked with destroying over 1,000 hard drives and gave the job to a subcontractor, who took at least 252 hard drives from the hospital, 232 of which found their way onto eBay. These drives held medical records such as diagnosed STIs, disability allowance forms, and reports on children, as well as National Insurance numbers (the UK equivalent of a Social Security number), home addresses, and information on criminal convictions.&lt;/p&gt;

&lt;p&gt;The final example happened in 2021. Due to a design flaw in Microsoft Power Apps, Table Permissions were not enabled by default, which meant that the Open Data Protocol (OData) API created a list of data that an anonymous user could access. Because Microsoft had not put safeguards in place, 47 different organisations that used Microsoft Power Apps were affected, including American Airlines, Ford, the Maryland Department of Health, and the state of Indiana. Given the sensitivity of some of the affected organisations, the accessible records included names, email addresses, and Social Security numbers.&lt;/p&gt;

&lt;p&gt;So, according to the laws previously mentioned, these breaches should have resulted in repercussions. And indeed they did. In the case of the Brighton &amp;amp; Sussex University Hospitals NHS Trust, they were fined £325,000 by a data protection watchdog. So, data protection breaches can result in huge fines, especially with the introduction of GDPR. If a company is found to be in breach of GDPR, which affects any company that collects or processes data of customers within the EU, it can be fined up to €20 million or 4% of the worldwide turnover of the preceding year, whichever is higher. This has led to companies such as Amazon, Facebook, and WhatsApp being fined €746 million, €265 million, and €225 million respectively. In Canada, if an organisation is found to violate PIPEDA, it can be fined up to CAD 100,000.&lt;/p&gt;

&lt;p&gt;But large fines are not the only repercussion for a business found to be in breach of data protection and overexposing PII. As mentioned previously, “privacy actives” are willing to leave businesses and organisations if they deem their privacy policies insufficient. Comparitech reported that the share prices of businesses that had suffered major data breaches tended to underperform significantly in the following years. A year after the breach, the examined companies underperformed the NASDAQ by 8.6%, and after three years they were underperforming by 15.6%. So, these overexposures don’t just affect short-term profits but can also have longer-lasting effects.&lt;/p&gt;

&lt;p&gt;So, PII is highly valuable to malicious attackers and should be protected at all costs. Not only should sensitive PII be protected, but by some legal standards, so should non-sensitive PII. Protecting all PII also earns more respect and trust from the customers using your product, because no stone has been left unturned. But how do we protect the consumer’s PII?&lt;/p&gt;

&lt;p&gt;A lot of guides to PII data protection advise taking stock of the PII on servers and employee systems, scaling down the amount of PII that is collected so that the attack surface is minimised, and locking down all the systems that store any form of PII. But this is hard to do. Discovering all of this is a long and arduous task, so much so that once you’re finished, it usually has to be started again because systems are constantly changing. This is especially true in the ever-changing and expanding world of APIs, which have become so integral to systems within organisations, as we’ve mentioned before in this blog.&lt;/p&gt;

&lt;p&gt;That is why Darkspark detects PII overexposure in the APIs you use within your business. It ranks the risk of these exposures and helps to prioritise the order in which they should be remediated. As the Microsoft Power Apps breach shows, an API that handles PII isn’t always properly configured or secure and can lead to PII overexposure. Protecting the PII of your customers is important not only for legal reasons but also for the reputation of your company, and it encourages better security practices.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Sources:&lt;/strong&gt;&lt;br&gt;
&lt;a href="https://dataconomy.com/2023/01/twitter-data-breach-2023-twitter-email-leak/"&gt;https://dataconomy.com/2023/01/twitter-data-breach-2023-twitter-email-leak/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.infosecurity-magazine.com/news/data-breaches-rise-by-70-q3-2022/"&gt;https://www.infosecurity-magazine.com/news/data-breaches-rise-by-70-q3-2022/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.securitymagazine.com/articles/98716-the-top-10-data-breaches-of-2022"&gt;https://www.securitymagazine.com/articles/98716-the-top-10-data-breaches-of-2022&lt;/a&gt;&lt;br&gt;
&lt;a href="https://securityscorecard.com/blog/countries-with-gdpr-like-data-privacy-laws"&gt;https://securityscorecard.com/blog/countries-with-gdpr-like-data-privacy-laws&lt;/a&gt;&lt;br&gt;
&lt;a href="https://clocktowerinsight.com/customer-privacy-why-its-more-important-than-ever/"&gt;https://clocktowerinsight.com/customer-privacy-why-its-more-important-than-ever/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://hbr.org/2020/01/do-you-care-about-privacy-as-much-as-your-customers-do"&gt;https://hbr.org/2020/01/do-you-care-about-privacy-as-much-as-your-customers-do&lt;/a&gt;&lt;br&gt;
&lt;a href="https://gocardless.com/guides/posts/what-is-personally-identifiable-information-pii/"&gt;https://gocardless.com/guides/posts/what-is-personally-identifiable-information-pii/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.imperva.com/learn/data-security/personally-identifiable-information-pii/"&gt;https://www.imperva.com/learn/data-security/personally-identifiable-information-pii/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.rmda.army.mil/privacy/PII/PII-breaches.html"&gt;https://www.rmda.army.mil/privacy/PII/PII-breaches.html&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.comparitech.com/blog/vpn-privacy/data-breach-statistics-facts/"&gt;https://www.comparitech.com/blog/vpn-privacy/data-breach-statistics-facts/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.varonis.com/blog/data-breach-statistics"&gt;https://www.varonis.com/blog/data-breach-statistics&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.idtheftcenter.org/post/what-is-an-over-exposure-of-your-data/"&gt;https://www.idtheftcenter.org/post/what-is-an-over-exposure-of-your-data/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.independent.co.uk/life-style/health-and-families/health-news/brighton-and-sussex-university-hospitals-nhs-trust-fined-over-privacy-breach-7811300.html"&gt;https://www.independent.co.uk/life-style/health-and-families/health-news/brighton-and-sussex-university-hospitals-nhs-trust-fined-over-privacy-breach-7811300.html&lt;/a&gt;&lt;br&gt;
&lt;a href="https://healthitsecurity.com/news/microsoft-data-breach-exposes-38m-records-containing-pii"&gt;https://healthitsecurity.com/news/microsoft-data-breach-exposes-38m-records-containing-pii&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.tessian.com/blog/biggest-gdpr-fines-2020/"&gt;https://www.tessian.com/blog/biggest-gdpr-fines-2020/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://resourcehub.bakermckenzie.com/en/resources/data-privacy-security/north-america/canada/topics/penalties-for-non-compliance"&gt;https://resourcehub.bakermckenzie.com/en/resources/data-privacy-security/north-america/canada/topics/penalties-for-non-compliance&lt;/a&gt;&lt;br&gt;
&lt;a href="https://securityintelligence.com/articles/5-steps-to-protect-personally-identifiable-information/"&gt;https://securityintelligence.com/articles/5-steps-to-protect-personally-identifiable-information/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.virtru.com/blog/6-steps-to-securing-pii-for-privacy-and-compliance"&gt;https://www.virtru.com/blog/6-steps-to-securing-pii-for-privacy-and-compliance&lt;/a&gt;&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>security</category>
      <category>pii</category>
      <category>gdpr</category>
    </item>
    <item>
      <title>The Who, the What, and the Why of OWASP</title>
      <dc:creator>Sophie McKay</dc:creator>
      <pubDate>Wed, 08 Mar 2023 11:20:58 +0000</pubDate>
      <link>https://dev.to/contxt/the-who-the-what-and-the-why-of-owasp-3bha</link>
      <guid>https://dev.to/contxt/the-who-the-what-and-the-why-of-owasp-3bha</guid>
      <description>&lt;p&gt;In your perusal of the web application security and vulnerability space, you might have come across an organisation called OWASP. Who is OWASP, what are OWASP, and why are OWASP?&lt;/p&gt;

&lt;h2&gt;
  
  
  The Who
&lt;/h2&gt;

&lt;p&gt;Modern software development is still a reasonably young industry, beginning only in 1948 when the first stored-program computer was created in Manchester. It wasn’t until the 1970s that cybersecurity became an industry, when Bob Thomas wrote the first computer worm, Creeper, intended to leave a breadcrumb trail throughout ARPANET’s network. This in turn prompted the first anti-virus software, Reaper, written by Ray Tomlinson. A new milestone came in 1983 with the birth of the Internet, which was opened to the public in 1991. This led to a new form of software development: web application development. However, once again security was an afterthought, and it wasn’t until 2001 that it was taken seriously.&lt;/p&gt;

&lt;p&gt;On September 24th of that year, Mark Curphey started a community to advocate for secure web application programming, the Open Web Application Security Project, or OWASP. The main aim was to make security in web applications more visible so that developers could make more informed decisions by discussing the risks of insecure web apps and possible solutions. This community started with a document simply named “The Guide”, a guide for secure software engineering aimed at developers.&lt;/p&gt;

&lt;p&gt;Fast forward to now, and this community has transformed into a non-profit foundation with tens of thousands of participants. The project has also “gone global”, with local chapters of OWASP spanning every continent except Antarctica. These chapters build a community for application security professionals, organising talks and training to improve participants’ skills and networking opportunities. Anyone is welcome to join OWASP and contribute to the many projects that are being created and updated. OWASP also holds large-scale events across the world, including online webinars and multi-day conferences.&lt;/p&gt;

&lt;h2&gt;
  
  
  The What
&lt;/h2&gt;

&lt;p&gt;The core principles of OWASP have not changed drastically since the inception of the group; it has simply grown much larger in scale, reflecting the increased importance of security on the internet. The current mission statement of OWASP is threefold.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Supporting individuals or teams to create impactful projects, whether these are guides for certain topics or research on the biggest risks in the industry.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Developing and nurturing communities that are passionate about web application security, facilitated through their events and local chapters.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Providing educational publications and resources, as there is a lack of knowledge in this sector. OWASP wants to be the first stop for developers or information security professionals to learn and better equip themselves to tackle the web application security sector.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We’ve already covered their community interactions and the opportunities they create for education, but other than the initial guide, what other projects have OWASP published? OWASP has a large portfolio of projects, categorised into tool projects, documentation projects, code projects, and other projects that further their reach. Within these categories, there are different levels of development of projects, from their flagship projects to lab and incubator projects. Lab projects are expected to produce an OWASP-reviewed deliverable with clearly defined value for the industry. Incubator projects are still in the development stages, with no current deliverable as they still need further research or fleshing out.&lt;/p&gt;

&lt;p&gt;In total, OWASP currently has over 260 projects available, and looking at all of them is in itself a project! Some of the most famous and popular projects include:&lt;/p&gt;

&lt;h3&gt;
  
  
  The OWASP Top 10
&lt;/h3&gt;

&lt;p&gt;This is typically the first entry point to hearing about OWASP. The Top 10 was first released in 2003, with minor updates to the document after this until 2010, when the format was revamped to prioritise by risk as well as prevalence. Major releases followed in 2013 and 2017, and the most recent Top 10 was released in 2021. The OWASP Top 10 documents the top risks within web application security and has become a widely recognised document and the first step for developers in creating secure code.&lt;/p&gt;

&lt;h3&gt;
  
  
  The OWASP Mobile Top 10
&lt;/h3&gt;

&lt;p&gt;First published in 2011, the OWASP Mobile Top 10 still covers security risks, but in the mobile application development industry rather than web applications. Again, this is aimed at creating more secure mobile applications and helps developers prioritise security remediations. This document was also updated in 2014 and 2016 but has not had any additional releases since.&lt;/p&gt;

&lt;h3&gt;
  
  
  The OWASP API Top 10
&lt;/h3&gt;

&lt;p&gt;Given the explosion of APIs, it was inevitable that OWASP would create yet another top-ten list. In 2019, they launched the first OWASP API Top 10. In 2022, they started collecting community feedback in order to produce the first update to this list. We have articles covering some of the Top 10 API risks that give some insight into the current state of API security.&lt;/p&gt;

&lt;p&gt;These are some of the most popular pieces of documentation from OWASP, but they have also produced several open-source tools.&lt;/p&gt;

&lt;h3&gt;
  
  
  Zed Attack Proxy (ZAP)
&lt;/h3&gt;

&lt;p&gt;The most popular tool distributed by OWASP is Zed Attack Proxy, or ZAP. This web app security testing tool scans for vulnerabilities within a web application. Scans can be either automated or manual; after a scan, the tool raises alerts for any concerns with the application’s requests or responses and categorises them into different risk levels: high to low, informational, and false positive.&lt;/p&gt;

&lt;h3&gt;
  
  
  Juice Shop
&lt;/h3&gt;

&lt;p&gt;Another popular tool is Juice Shop, an intentionally insecure web application intended for security training and awareness. It is built as an e-commerce application that sells juice to make security training easy to understand for even new developers.&lt;/p&gt;

&lt;h3&gt;
  
  
  Dependency-Check
&lt;/h3&gt;

&lt;p&gt;This tool tries to detect vulnerabilities within a project’s dependencies by checking each dependency’s Common Platform Enumeration (CPE) identifier against the Common Vulnerabilities and Exposures (CVE) database; it then generates a report linking to any vulnerabilities found.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Why
&lt;/h2&gt;

&lt;p&gt;So, we’ve covered who OWASP is and what they do, but why are they important? Before OWASP there weren’t any formal web application security education resources or testing tools on the market. They knew there was a problem with the priorities in the industry and sought to create a solution and educate people about the issues with web application security. However, this is still a huge battle, which OWASP is actively trying to fight. This can be seen in even the most recent statistics about the online cybersecurity sphere: 30,000 websites are hacked daily, and 64% of companies worldwide experienced at least one cyber attack within the last year.&lt;/p&gt;

&lt;p&gt;Not only have OWASP been around the longest, but, due to the model of their foundation, they value collaboration above all else. This means that a vast base of developers and security professionals contribute to these projects, bringing different perspectives and strengthening their documentation and tools. Along with this collaboration, since they aim to be an educational resource, all of their resources are easy to understand and free to everyone.&lt;/p&gt;

&lt;p&gt;OWASP is a critical contributor to web-scale security. And, as more applications are built and more businesses expand online, their role in providing a comprehensive “baseline” for building and maintaining secure applications will only become more important. While every developer must build security and privacy into their own applications, strong security starts with a foundation of knowledge - as they say, knowing is half the battle!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Sources:&lt;/strong&gt;&lt;br&gt;
&lt;a href="https://www.laneways.agency/history-of-software-development/"&gt;https://www.laneways.agency/history-of-software-development/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.scienceandindustrymuseum.org.uk/objects-and-stories/baby-and-modern-computing"&gt;https://www.scienceandindustrymuseum.org.uk/objects-and-stories/baby-and-modern-computing&lt;/a&gt;&lt;br&gt;
&lt;a href="https://blog.avast.com/history-of-cybersecurity-avast"&gt;https://blog.avast.com/history-of-cybersecurity-avast&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.usg.edu/galileo/skills/unit07/internet07_02.phtml"&gt;https://www.usg.edu/galileo/skills/unit07/internet07_02.phtml&lt;/a&gt;&lt;br&gt;
&lt;a href="https://thenextweb.com/news/20-years-ago-today-the-world-wide-web-opened-to-the-public"&gt;https://thenextweb.com/news/20-years-ago-today-the-world-wide-web-opened-to-the-public&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.veracode.com/blog/intro-appsec/start-owasp-true-story"&gt;https://www.veracode.com/blog/intro-appsec/start-owasp-true-story&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/chapters/"&gt;https://owasp.org/chapters/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/about/"&gt;https://owasp.org/about/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://github.com/OWASP/DevGuide/wiki"&gt;https://github.com/OWASP/DevGuide/wiki&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/events/"&gt;https://owasp.org/events/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/www-committee-education-and-training/"&gt;https://owasp.org/www-committee-education-and-training/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/www-project-top-ten/"&gt;https://owasp.org/www-project-top-ten/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.hackerone.com/knowledge-center/beyond-owasp-top-ten-13-resources-boost-your-security"&gt;https://www.hackerone.com/knowledge-center/beyond-owasp-top-ten-13-resources-boost-your-security&lt;/a&gt;&lt;br&gt;
&lt;a href="https://hackr.io/blog/top-10-open-source-security-testing-tools-for-web-applications"&gt;https://hackr.io/blog/top-10-open-source-security-testing-tools-for-web-applications&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.zaproxy.org/getting-started/"&gt;https://www.zaproxy.org/getting-started/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/www-project-juice-shop/"&gt;https://owasp.org/www-project-juice-shop/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.guru99.com/top-5-penetration-testing-tools.html"&gt;https://www.guru99.com/top-5-penetration-testing-tools.html&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/www-project-dependency-check/"&gt;https://owasp.org/www-project-dependency-check/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://techjury.net/blog/how-many-cyber-attacks-per-day/"&gt;https://techjury.net/blog/how-many-cyber-attacks-per-day/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf"&gt;https://owasp.org/www-pdf-archive/OWASP_Top_10_-_2013.pdf&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.hahwul.com/cullinan/history-of-owasp-top-10/"&gt;https://www.hahwul.com/cullinan/history-of-owasp-top-10/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://brightsec.com/blog/owasp-mobile-top-10/"&gt;https://brightsec.com/blog/owasp-mobile-top-10/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://owasp.org/www-project-mobile-top-10/"&gt;https://owasp.org/www-project-mobile-top-10/&lt;/a&gt;&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>owasp</category>
      <category>cybersecurity</category>
      <category>security</category>
    </item>
  </channel>
</rss>
