OWASP - User contributions [en]

Category:OWASP AppSec FAQ Project

2007-11-15T00:00:10Z

Notinsanjose: Undo revision 23412 by Notinsanjose (Talk)

=Introduction=

==What is this FAQ about?==

This FAQ answers some of the questions that developers have about Web Application Security. This FAQ is not specific to a particular platform or language. It addresses the common threats to web applications and are applicable to any platform.

==What are these common threats to Web Applications?==

While developing an application, most of us are focused on the functionality rather than security. Attackers take advantage of this by exploiting the application in a number of ways. Some of the common threats to web applications are SQL Injection, Cross Site Scripting, Variable Manipulation and exploitation of important features like Forgot Password. There are separate sections in this FAQ answering the common questions on these threats.

==Who developed this FAQ?==

This FAQ is an evolving document with contributions from the security community. Sangita Pakala and her team from [http://www.paladion.net/ Paladion Networks] developed the first version of the FAQ and maintain this page.

==How can I contribute to this FAQ?==

We need your feedback and contributions to improve the FAQ. We'd love to hear from you about:

*New questions to add to the FAQ
*Better answers for current questions
*New links to documents/tools
*Suggestions to improve the FAQ

You could mail your contributions to [mailto:appsecfaq@owasp.org appsecfaq@owasp.org]

=Contents=

You can find the full [[OWASP AppSec FAQ]] to see all the details.

=Downloads=
The OWASP FAQ is available for download as [http://www.owasp.org/docroot/owasp/misc/Preguntas_Frecuentes_sobre_Seguridad_en_Aplicaciones_Web(OWASP_FAQ).doc Word] and [http://www.owasp.org/docroot/owasp/misc/OWASP_FAQ_Ver3.pdf PDF] formats.

'''New!''' The Spanish language verison of the FAQ is now available in [http://www.owasp.org/docroot/owasp/misc/Preguntas_Frecuentes_sobre_Seguridad_en_Aplicaciones_Web(OWASP_FAQ).doc Word] and [http://www.owasp.org/docroot/owasp/misc/Preguntas_Frecuentes_sobre_Seguridad_en_Aplicaciones_Web(OWASP_FAQ).pdf PDF] formats. Many thanks to Juan Carlos and Alberto Pena for their fantastic Spanish translation work.

=Roadmap=
[[OWASP AppSec FAQ Project Roadmap]]

[[Category:OWASP Project]]

Category:OWASP AppSec FAQ Project

2007-11-14T23:58:43Z

Notinsanjose:

=Introduction=

==What is this FAQ about? I have no idea==

This FAQ answers some of the questions that developers have about Web Application Security. This FAQ is not specific to a particular platform or language. It addresses the common threats to web applications and are applicable to any platform.

==What are these common threats to Web Applications?==

While developing an application, most of us are focused on the functionality rather than security. Attackers take advantage of this by exploiting the application in a number of ways. Some of the common threats to web applications are SQL Injection, Cross Site Scripting, Variable Manipulation and exploitation of important features like Forgot Password. There are separate sections in this FAQ answering the common questions on these threats.

==Who developed this FAQ?==

This FAQ is an evolving document with contributions from the security community. Sangita Pakala and her team from [http://www.paladion.net/ Paladion Networks] developed the first version of the FAQ and maintain this page.

==How can I contribute to this FAQ?==

We need your feedback and contributions to improve the FAQ. We'd love to hear from you about:

*New questions to add to the FAQ
*Better answers for current questions
*New links to documents/tools
*Suggestions to improve the FAQ

You could mail your contributions to [mailto:appsecfaq@owasp.org appsecfaq@owasp.org]

=Contents=

You can find the full [[OWASP AppSec FAQ]] to see all the details.

=Downloads=
The OWASP FAQ is available for download as [http://www.owasp.org/docroot/owasp/misc/Preguntas_Frecuentes_sobre_Seguridad_en_Aplicaciones_Web(OWASP_FAQ).doc Word] and [http://www.owasp.org/docroot/owasp/misc/OWASP_FAQ_Ver3.pdf PDF] formats.

'''New!''' The Spanish language verison of the FAQ is now available in [http://www.owasp.org/docroot/owasp/misc/Preguntas_Frecuentes_sobre_Seguridad_en_Aplicaciones_Web(OWASP_FAQ).doc Word] and [http://www.owasp.org/docroot/owasp/misc/Preguntas_Frecuentes_sobre_Seguridad_en_Aplicaciones_Web(OWASP_FAQ).pdf PDF] formats. Many thanks to Juan Carlos and Alberto Pena for their fantastic Spanish translation work.

=Roadmap=
[[OWASP AppSec FAQ Project Roadmap]]

[[Category:OWASP Project]]

Category:OWASP Working Groups

2007-11-14T22:22:30Z

Notinsanjose: New page: An OWASP Working Group is an arena for different parties with equal objectives to work together to provide guidance, requirements and deliverables to OWASP projects or the industry in gen...

An OWASP Working Group is an arena for different parties with equal objectives to work together to provide guidance, requirements and deliverables to OWASP projects or the industry in general.

OWASP Working Group leaders are responsible for defining its vision, roadmap, and tasks

To propose a new Working Group, please send an email to owasp@owasp.org

Every Working Group has an associated mail list. You can view all the lists, examine their archives, and subscribe to any of them on the OWASP Mailing Lists page.

Current active working groups:

* '''Browser Security''': Robert R'Snake, Petrov Pdb, Jeremiah
* '''Industry Sectors''': Tom Brennan
* '''Access Control (XACML)''': Gunner peterson
* '''Education''': Sebastien Deleersnyder
* '''Mobile Security''': Corey Benninger
* '''Preventive Security''': Dinis Cruz
* '''OWASP SDL''': Pravir Chandra
* '''OWASP Governance''': Tom Brennan

Some ideas for other OWASP working groups: Open Source solutions, Commercial vendors solutions, Evaluation & Certification, Privacy

Category:OWASP .NET Project

2007-11-13T19:01:45Z

Notinsanjose: /* Latest */

Welcome to the Owasp .Net Project. These pages are still in 'very alpha' format since we are still importing content (check out '''[[To Do on Owasp .Net Project Pages]]''' if you want to help out)

{|
| valign="top" |

== Latest ==
* Nov 2007: Uploaded test scripts from OWASP training in San Jose [https://www.owasp.org/images/7/7d/Fetch_Web_Page_%28from_OWASP_training_in_San_Jose%29.zip download here]
* Jun 2007: Created stub pages for Microsoft's [[SliverLight]], Abobe's [[AIR]], Microsoft's [[WSS]] and Apple's [[iPhone]]
* Jun 2007: [[DN_BOFinder]] Uploaded latest version to Sourceforge and updated WIKI page
* Feb 2007: Added info about the new tool: DotNet Buffer Overflow Finder [[DN_BOFinder]]
* 14th September: Added stub page [[Source Code Audit Tools]]
* 31st August: [[OWASP Autumn Of Code 2006 : Press Release | OWASP Autumn Of Code 2006]], Today we are lauching a new project called "OWASP Autumn of Code 2006" which will sponsor individuals to work on existing OWASP Projects.
* 31st August: [http://video.google.com/videoplay?docid=941077664562737284 Dinis Cruz video interview], Dinis talks about .NET security, the future of OWASP, and the brand new [[Autumn of Code]] project.
* 14 August: Finished adding in the <nowiki> {{Template:Stub}} </nowiki> to the pages - Mike de Libero
* 29 July: New finding [[Full Trust CLR Verification issue: changing the return address order]]
* 28 July: Added new tool [[.Net Assembly Analyzer]]
* 27 July: New Layout for home page
* 25 July: Made tons of changes to lots of pages (from new content, to images, etc...)
* 20 July: [[Owasp Report Generator]] page with links for download
* Uploaded latest version of [[Owasp SiteGenerator]](including the source code) to SourceForge and updated the links in [[Owasp SiteGenerator]]
* 11 July: [[Microsoft Security Bulletin July 2006-Vulnerabilities in IIS and ASP.Net]]
* 11 July: We have started to upload the Owasp .Net Projects to [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 SourceForge dotNET section]. SiteGenerator is up there and more will follow.

Unless marked, the above entries were posted by [[User:Dinis.cruz|Dinis.cruz]]

| valign="top" |

[[Category:OWASP Project]]

== Current Projects ==
* [[Owasp SiteGenerator]] (sponsored by Foundstone)
* [[Owasp Report Generator]]
* [[ANBS]] (Asp.Net Baseline Security) - includes the tools [[SAM'SHE]] (Security Analyzer for Microsoft's Shared Hosting Environments) and [[Online IIS Metabase Explorer]]
* [[ASP.NET Reflector]]
* [[ANSA]] (Asp.Net Security Analyzer) - first tool developed by Dinis Cruz that hilights the security problems of Full Trust Asp.Net code (contains Proof of Concept tests (i.e. exploits))
* [[DefApp]] - Partial port of ModSecurity to the .Net Platform
* [[Owasp FOSBBWAS (code name Beretta)]]
* [[.Net Assembly Analyzer]]
* [[OWASP_Tiger|Owasp Tiger]]

'''Related Foundstone Open souce projects'''
* [[Hacme Bank]] (Foundstone tool)
* [[.NetMon]] (Foundstone tool)
* [[Validator.NET]] (Foundstone tool)

'''Note:''' All releases are available on the [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 dotNET section] of the [https://sourceforge.net/projects/owasp/ SourceForge Owasp Project pages]

|-
| valign="top" |

== .Net Security ==
* [[.Net Full Trust]] (the execution environment that makes an Asp.Net Application Insecure by Default, by Design and in Deployment)
* [[.Net Type Safety]]
* [[.Net Framework Security Issues]]
* [[Rooting The CLR]]

| valign="top" |

== Other misc stuff ==
* [[London Chapter WAF event]]
* [[Security Podcasts]]
* [[CVS details for Editors]]
* [[Wiki Edit Tips]]
* '''Code Samples'''
** [[.Net Code Sample - Reflecting assembly with missing dependency]]
** [[Files_Xml_WindowsMessages]] (with serialization stuff)
* [[.Net Research Links]]
* [[.Net Security Tools]]
* [[Richard Crypto .Net Stuff]]
* [[2006 Autumn Of Code]]
|}

== Mailing List ==
We have a mailing list at Sourceforge which we use to discuss relevant issue to .Net security (see [[How to join Owasp.Net Mailing List]])

[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]

__NOTOC__

Category:OWASP .NET Project

2007-11-13T19:01:29Z

Notinsanjose: /* Latest */

Welcome to the Owasp .Net Project. These pages are still in 'very alpha' format since we are still importing content (check out '''[[To Do on Owasp .Net Project Pages]]''' if you want to help out)

{|
| valign="top" |

== Latest ==
* Nov 2007: Uploaded test scripts from OWASP training in San Jose [https://www.owasp.org/images/7/7d/Fetch_Web_Page_%28from_OWASP_training_in_San_Jose%29.zip | download here]
* Jun 2007: Created stub pages for Microsoft's [[SliverLight]], Abobe's [[AIR]], Microsoft's [[WSS]] and Apple's [[iPhone]]
* Jun 2007: [[DN_BOFinder]] Uploaded latest version to Sourceforge and updated WIKI page
* Feb 2007: Added info about the new tool: DotNet Buffer Overflow Finder [[DN_BOFinder]]
* 14th September: Added stub page [[Source Code Audit Tools]]
* 31st August: [[OWASP Autumn Of Code 2006 : Press Release | OWASP Autumn Of Code 2006]], Today we are lauching a new project called "OWASP Autumn of Code 2006" which will sponsor individuals to work on existing OWASP Projects.
* 31st August: [http://video.google.com/videoplay?docid=941077664562737284 Dinis Cruz video interview], Dinis talks about .NET security, the future of OWASP, and the brand new [[Autumn of Code]] project.
* 14 August: Finished adding in the <nowiki> {{Template:Stub}} </nowiki> to the pages - Mike de Libero
* 29 July: New finding [[Full Trust CLR Verification issue: changing the return address order]]
* 28 July: Added new tool [[.Net Assembly Analyzer]]
* 27 July: New Layout for home page
* 25 July: Made tons of changes to lots of pages (from new content, to images, etc...)
* 20 July: [[Owasp Report Generator]] page with links for download
* Uploaded latest version of [[Owasp SiteGenerator]](including the source code) to SourceForge and updated the links in [[Owasp SiteGenerator]]
* 11 July: [[Microsoft Security Bulletin July 2006-Vulnerabilities in IIS and ASP.Net]]
* 11 July: We have started to upload the Owasp .Net Projects to [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 SourceForge dotNET section]. SiteGenerator is up there and more will follow.

Unless marked, the above entries were posted by [[User:Dinis.cruz|Dinis.cruz]]

| valign="top" |

[[Category:OWASP Project]]

== Current Projects ==
* [[Owasp SiteGenerator]] (sponsored by Foundstone)
* [[Owasp Report Generator]]
* [[ANBS]] (Asp.Net Baseline Security) - includes the tools [[SAM'SHE]] (Security Analyzer for Microsoft's Shared Hosting Environments) and [[Online IIS Metabase Explorer]]
* [[ASP.NET Reflector]]
* [[ANSA]] (Asp.Net Security Analyzer) - first tool developed by Dinis Cruz that hilights the security problems of Full Trust Asp.Net code (contains Proof of Concept tests (i.e. exploits))
* [[DefApp]] - Partial port of ModSecurity to the .Net Platform
* [[Owasp FOSBBWAS (code name Beretta)]]
* [[.Net Assembly Analyzer]]
* [[OWASP_Tiger|Owasp Tiger]]

'''Related Foundstone Open souce projects'''
* [[Hacme Bank]] (Foundstone tool)
* [[.NetMon]] (Foundstone tool)
* [[Validator.NET]] (Foundstone tool)

'''Note:''' All releases are available on the [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 dotNET section] of the [https://sourceforge.net/projects/owasp/ SourceForge Owasp Project pages]

|-
| valign="top" |

== .Net Security ==
* [[.Net Full Trust]] (the execution environment that makes an Asp.Net Application Insecure by Default, by Design and in Deployment)
* [[.Net Type Safety]]
* [[.Net Framework Security Issues]]
* [[Rooting The CLR]]

| valign="top" |

== Other misc stuff ==
* [[London Chapter WAF event]]
* [[Security Podcasts]]
* [[CVS details for Editors]]
* [[Wiki Edit Tips]]
* '''Code Samples'''
** [[.Net Code Sample - Reflecting assembly with missing dependency]]
** [[Files_Xml_WindowsMessages]] (with serialization stuff)
* [[.Net Research Links]]
* [[.Net Security Tools]]
* [[Richard Crypto .Net Stuff]]
* [[2006 Autumn Of Code]]
|}

== Mailing List ==
We have a mailing list at Sourceforge which we use to discuss relevant issue to .Net security (see [[How to join Owasp.Net Mailing List]])

[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]

__NOTOC__

Category:OWASP .NET Project

2007-11-13T19:01:14Z

Notinsanjose: /* Latest */

Welcome to the Owasp .Net Project. These pages are still in 'very alpha' format since we are still importing content (check out '''[[To Do on Owasp .Net Project Pages]]''' if you want to help out)

{|
| valign="top" |

== Latest ==
* Nov 2007: Uploaded test scripts from OWASP training in San Jose [https://www.owasp.org/images/7/7d/Fetch_Web_Page_%28from_OWASP_training_in_San_Jose%29.zip| download here]
* Jun 2007: Created stub pages for Microsoft's [[SliverLight]], Abobe's [[AIR]], Microsoft's [[WSS]] and Apple's [[iPhone]]
* Jun 2007: [[DN_BOFinder]] Uploaded latest version to Sourceforge and updated WIKI page
* Feb 2007: Added info about the new tool: DotNet Buffer Overflow Finder [[DN_BOFinder]]
* 14th September: Added stub page [[Source Code Audit Tools]]
* 31st August: [[OWASP Autumn Of Code 2006 : Press Release | OWASP Autumn Of Code 2006]], Today we are lauching a new project called "OWASP Autumn of Code 2006" which will sponsor individuals to work on existing OWASP Projects.
* 31st August: [http://video.google.com/videoplay?docid=941077664562737284 Dinis Cruz video interview], Dinis talks about .NET security, the future of OWASP, and the brand new [[Autumn of Code]] project.
* 14 August: Finished adding in the <nowiki> {{Template:Stub}} </nowiki> to the pages - Mike de Libero
* 29 July: New finding [[Full Trust CLR Verification issue: changing the return address order]]
* 28 July: Added new tool [[.Net Assembly Analyzer]]
* 27 July: New Layout for home page
* 25 July: Made tons of changes to lots of pages (from new content, to images, etc...)
* 20 July: [[Owasp Report Generator]] page with links for download
* Uploaded latest version of [[Owasp SiteGenerator]](including the source code) to SourceForge and updated the links in [[Owasp SiteGenerator]]
* 11 July: [[Microsoft Security Bulletin July 2006-Vulnerabilities in IIS and ASP.Net]]
* 11 July: We have started to upload the Owasp .Net Projects to [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 SourceForge dotNET section]. SiteGenerator is up there and more will follow.

Unless marked, the above entries were posted by [[User:Dinis.cruz|Dinis.cruz]]

| valign="top" |

[[Category:OWASP Project]]

== Current Projects ==
* [[Owasp SiteGenerator]] (sponsored by Foundstone)
* [[Owasp Report Generator]]
* [[ANBS]] (Asp.Net Baseline Security) - includes the tools [[SAM'SHE]] (Security Analyzer for Microsoft's Shared Hosting Environments) and [[Online IIS Metabase Explorer]]
* [[ASP.NET Reflector]]
* [[ANSA]] (Asp.Net Security Analyzer) - first tool developed by Dinis Cruz that hilights the security problems of Full Trust Asp.Net code (contains Proof of Concept tests (i.e. exploits))
* [[DefApp]] - Partial port of ModSecurity to the .Net Platform
* [[Owasp FOSBBWAS (code name Beretta)]]
* [[.Net Assembly Analyzer]]
* [[OWASP_Tiger|Owasp Tiger]]

'''Related Foundstone Open souce projects'''
* [[Hacme Bank]] (Foundstone tool)
* [[.NetMon]] (Foundstone tool)
* [[Validator.NET]] (Foundstone tool)

'''Note:''' All releases are available on the [https://sourceforge.net/project/showfiles.php?group_id=64424&package_id=105632 dotNET section] of the [https://sourceforge.net/projects/owasp/ SourceForge Owasp Project pages]

|-
| valign="top" |

== .Net Security ==
* [[.Net Full Trust]] (the execution environment that makes an Asp.Net Application Insecure by Default, by Design and in Deployment)
* [[.Net Type Safety]]
* [[.Net Framework Security Issues]]
* [[Rooting The CLR]]

| valign="top" |

== Other misc stuff ==
* [[London Chapter WAF event]]
* [[Security Podcasts]]
* [[CVS details for Editors]]
* [[Wiki Edit Tips]]
* '''Code Samples'''
** [[.Net Code Sample - Reflecting assembly with missing dependency]]
** [[Files_Xml_WindowsMessages]] (with serialization stuff)
* [[.Net Research Links]]
* [[.Net Security Tools]]
* [[Richard Crypto .Net Stuff]]
* [[2006 Autumn Of Code]]
|}

== Mailing List ==
We have a mailing list at Sourceforge which we use to discuss relevant issue to .Net security (see [[How to join Owasp.Net Mailing List]])

[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]

__NOTOC__

File:Fetch Web Page (from OWASP training in San Jose).zip

2007-11-13T19:00:02Z

Notinsanjose:

Category:OWASP Project

2007-11-13T17:48:06Z

Notinsanjose: /* Alpha Status Projects */

An OWASP project is a collection of related tasks that have a defined roadmap and team members. OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team.

To propose a new project, please send an email to [mailto:owasp@owasp.org?subject=New_OWASP_Project_idea owasp@owasp.org]

Every project has an associated mail list. You can view all the lists, examine their archives, and subscribe to any of them on the [http://lists.owasp.org/mailman/listinfo OWASP Project Mailing Lists] page.

==Release Quality Projects==

<table><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP WebGoat Project|OWASP WebGoat Project]]
: an online training environment for hands-on learning about application security

; [[:Category:OWASP WebScarab Project|OWASP WebScarab Project]]
: a tool for performing all types of security testing on web applications and web services

</td><td>

; [[:Category:OWASP AppSec FAQ Project|OWASP AppSec FAQ Project]]
: FAQ covering many application security topics

; [[:Category:OWASP Guide Project|OWASP Guide Project]]
: a massive document covering all aspects of web application and web service security

; [[:Category:OWASP Legal Project|OWASP Legal Project]]
: a project focused on contracting for secure software

; [[:Category:OWASP Testing Project|OWASP Testing Guide]]
: a project focused on application security testing procedures and checklists

; [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]
: an awareness document that describes the top ten web application security vulnerabilities

</td></tr></table>

==Beta Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP CAL9000 Project|OWASP CAL9000 Project]]
: a JavaScript based web application security testing suite

; [[:Category:OWASP DirBuster Project|OWASP DirBuster Project]]
:DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers.

; [[:Category:OWASP Encoding Project|OWASP Encoding Project]]
: a project focused on the development of encoding best practices for web applications.

; [[:Category:OWASP LAPSE Project|OWASP LAPSE Project]]
: an Eclipse-based source-code static analysis tool for Java

; [[:Category:OWASP Live CD Project|OWASP Live CD Project]]
: a CD containing ready to use versions of application security analysis and testing tools

; [[:Category:OWASP LiveCD Education Project|OWASP LiveCD Education Project]]
: an educational supplement project containing tutorials, challenges and videos detailing the use of tools contained within the OWASP LiveCD - LabRat.

; [[:Category:OWASP .NET Project|OWASP .NET Research]]
: a project focused on helping .NET developers build secure applications

; [[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]
: a project focused on combining automated capabilities with complete manual testing to get the best results

; [[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]
: an open source black box security scanner used to assess the security of AJAX-enabled applications

; [[:Category:OWASP SQLiX Project|OWASP SQLiX Project]]
: a project focused on the development of SQLiX, a full perl-based SQL scanner

; [[:Category:OWASP WSFuzzer Project|OWASP WSFuzzer Project]]
: a project focused on the development of WSFuzzer, a full python-based Web Services SOAP fuzzer

; [[ORG_%28Owasp_Report_Generator%29|OWASP Report Generator]]
: a project giving security professionals a way to report and keep track of their projects

; [[Owasp_SiteGenerator|OWASP Site Generator]]
: a project allowing users to create dynamic sites for use in training, web application scanner testing, etc...

; [[OWASP_Tiger|OWASP Tiger]]
: OWASP Tiger is a Windows application originally intended to be used for automating the process of testing various known ASP.NET security issues in hosted environments. However, it is much more versatile than that: it can help you construct and send a HTTP requests, receive and analyze the responses, match them against a set of conditions to produce alerts, notifications that something is wrong with the application(s) or service(s) being tested.

; [[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]
: OWASP WeBekci is a web based ModSecurity 2.x management tool. WeBekci is written in PHP, Its backend is powered by MySQL and the frontend by XAJAX framework.
</td><td>

; [[:Category:OWASP CLASP Project|OWASP CLASP Project]]
: a project focused on defining process elements that reinforce application security

; [[:Category:OWASP Code Review Project|OWASP Code Review Project]]
: a project to capture best practices for reviewing code

; [[:Category:OWASP Tools Project|OWASP Tools Project]]
: The OWASP Tools Project's goal is to provide unbiased, practical information and guidance about application security tools.

</td></tr></table>

==Alpha Status Projects==

<table valign="top"><tr><th width="50%">Tools</th><th>Documentation</th></tr><tr valign="top"><td>

; [[:Category:OWASP PHP AntiXSS Library Project|OWASP PHP AntiXSS Library Project]]
: reduce cross-site scripting vulnerabilities by encoding your output

; [[:Category:OWASP Insecure Web App Project|OWASP Insecure Web App Project]]
: a web application that includes common web application vulnerabilities

; [[:Category:OWASP Interceptor Project|OWASP Interceptor Project]]
: a testing tool for XML web service and Ajax interfaces

; [[:Category:OWASP JBroFuzz|OWASP JBroFuzz Project]]
: a fuzzer application, supporting a number of automated security checks including basic cross site scripting checks (XSS) as well as basic SQL injection testing.

; [[:Category:OWASP Orizon Project|OWASP Orizon Project]]
: a project focused on the development of a flexible code review engine

; [[:Category:OWASP Stinger Project|OWASP Stinger Project]]
: a project focus on the development of a centralized input validation mechanism which can be easily applied to existing or developmental applications

; [[:Category:OWASP_Web_2.0_Project|OWASP Web 2.0 Project]]
: A place for advanced research of security in the Web 2.0 world

; [[SpoC_007_-_SqlMap|SqlMap]]
: Automatic SQL injection tool entirely developed in Python

</td><td>

; [[:Category:OWASP AJAX Security Project|OWASP AJAX Security Guide]]
: investigating the security of AJAX enabled applications

; [[:Category:OWASP Application Security Assessment Standards Project|OWASP Application Security Assessment Standards Project]]
: establish a set of standards defining baseline approaches to conducting differing types/levels of application security assessment

; [[:Category:OWASP Application Security Requirements Project|OWASP Application Security Requirements]]

; [[:Category:OWASP Application Security Metrics Project|OWASP Application Security Metrics Project]]
: identify and provide a set of application security metrics that have been found by contributors to be effective in measuring application security

; [[:Category:OWASP Career Development Project|OWASP Career Development Project]]
: The OWASP Career Development project is focused on helping application security professionals understand the job market, roles, career paths, and skills to work in the field.

; [[:Category:OWASP Certification Criteria Project|OWASP Certification Criteria Project]]

; [[:Category:OWASP Certification Project|OWASP Certification Project]]
: our challenge is to create a plan for certification: a set of OWASP Certification for Developers and Testers.

; [[:Category:OWASP Communications Project|OWASP Communications Project]]

; [[:Category:OWASP Honeycomb Project|OWASP Honeycomb Project]]
: a comprehensive and integrated guide to the fundamental building blocks of application security

; [[:Category:OWASP Java Project|OWASP Java Project]]
: a project focused on helping Java and J2EE developers build secure applications

; [[:Category:OWASP Logging Project|OWASP Logging Guide]]
: a project to define best practices for logging and log management

; [[:Category:OWASP PHP Project|OWASP PHP Project]]
: a project focused on helping PHP developers build secure applications

; [[:Category:OWASP SASAP Project|OWASP Scholastic Application Security Assessment Project]]
: a project that is intended to be the first step towards integrating security requirements in academic course curriculum

; [[:Category:OWASP Validation Project|OWASP Validation Project]]
: a project that provides guidance and tools related to validation

; [[:Category:OWASP WASS Project|OWASP WASS Guide]]
: a standards project to develop more concrete criteria for secure applications

; [[:Category:OWASP Web Application Security Put Into Practice|OWASP Web Application Security Put Into Practice]]
: real-world web application security for Ruby on Rails, Apache and MySQL

; [[:Category:OWASP XML Security Gateway Evaluation Criteria Project|OWASP XML Security Gateway Evaluation Criteria]]
: a project to define evaluation criteria for XML Security Gateways

; [[:Category:OWASP Education Project|OWASP Education Project]]
: a project to build educational tracks and modules for different audiences

; [[:Category:OWASP on the Move Project|OWASP on The Move Project]]
: a project to match offer and demand regarding OWASP (related) presentations by speakers on web application security events or chapter meetings.

; [[:Category:OWASP Fuzzing Code Database|OWASP Fuzzing Code Database]]
: a project to collect, share and compose statements used as code injections like SQL, SSI, XSS, Formatstring and as well directory traversal statements.

</td></tr></table>

__NOTOC__

Education Module Why WebAppSec Matters

2007-11-12T17:54:51Z

Notinsanjose:

= Module Description =
This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]].
It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.
* What goes wrong
* WebAppSec Defined
* Current trends

= Target audience =
Novice.

= Presentation =
The presentation can be found in [[:Image:Education_Module_Why_WebAppSec_Matters.ppt|Why WebAppSec Matters]].

= Resources =

= Presentation Notes =
Comment: It would be good to have speaker notes so that the presenter knows the objective of each slide

== OWASP pointers ==

== External pointers ==
* [http://cve.mitre.org cve.mitre.org]

[[Category:OWASP Education Modules]]

Education Module Why WebAppSec Matters

2007-11-12T17:38:39Z

Notinsanjose: Undo revision 23351 by Notinsanjose (Talk)

= Module Description =
This module explains why security should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]].
It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.
* What goes wrong
* WebAppSec Defined
* Current trends

= Target audience =
Novice.

= Presentation =
The presentation can be found in [[:Image:Education_Module_Why_WebAppSec_Matters.ppt|Why WebAppSec Matters]].

= Resources =
== OWASP pointers ==

== External pointers ==
* [http://cve.mitre.org cve.mitre.org]

[[Category:OWASP Education Modules]]

Education Module Why WebAppSec Matters

2007-11-12T17:36:46Z

Notinsanjose:

= Module Description =
This module explains why security Doesn't matter and we should all go home!!!!!

Hi Sebastien :)

should be considered when developping or deploying web applications as part of the [[:Category:OWASP Education Project|Education Project]].
It identifies the current security problems with web applications. During the introduction a definition of web application security is given. Trends that are influencing the current state of web application insecurity are also explained.
* What goes wrong
* WebAppSec Defined
* Current trends

= Target audience =
Novice.

= Presentation =
The presentation can be found in [[:Image:Education_Module_Why_WebAppSec_Matters.ppt|Why WebAppSec Matters]].

= Resources =
== OWASP pointers ==

== External pointers ==
* [http://cve.mitre.org cve.mitre.org]

[[Category:OWASP Education Modules]]