<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Varunvnair</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Varunvnair"/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Varunvnair"/>
		<updated>2026-05-28T08:52:36Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_Project_Mailing_Lists&amp;diff=9454</id>
		<title>OWASP Project Mailing Lists</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_Project_Mailing_Lists&amp;diff=9454"/>
				<updated>2006-09-01T21:02:32Z</updated>
		
		<summary type="html">&lt;p&gt;Varunvnair: Linked to the mailing list subscription page.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The OWASP mailing lists can be found at http://sourceforge.net/mail/?group_id=64424&lt;/div&gt;</summary>
		<author><name>Varunvnair</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:OWASP_Guide_Project&amp;diff=9448</id>
		<title>Category:OWASP Guide Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:OWASP_Guide_Project&amp;diff=9448"/>
				<updated>2006-09-01T20:17:46Z</updated>
		
		<summary type="html">&lt;p&gt;Varunvnair: Linked to the mailing list subscription page.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Guide Table of Contents]]__TOC__&lt;br /&gt;
==Overview==&lt;br /&gt;
&lt;br /&gt;
The OWASP Guide to Building Secure Web Applications v2 is now released. Its release was announced at Black Hat in Las Vegas in late July 2005. This new version of the OWASP Guide is a major overhaul of the original document, containing nearly three times as much material. The project is currently steered by Andrew van der Stock.&lt;br /&gt;
&lt;br /&gt;
The original OWASP Guide had become a staple diet for many web security professionals. Since 2002, the initial version was downloaded over 2 million times. Today, the Guide is referenced by many leading government, financial, and corporate standards and is the Gold standard for web application security.&lt;br /&gt;
&lt;br /&gt;
The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications. &lt;br /&gt;
&lt;br /&gt;
==Announcements==&lt;br /&gt;
&lt;br /&gt;
==Volunteers Needed==&lt;br /&gt;
Much work remains to be done in these sections:&lt;br /&gt;
*[[Distributed Computing]]&lt;br /&gt;
*[[Deployment]]&lt;br /&gt;
&lt;br /&gt;
==OWASP Guide 2.0 Downloads==&lt;br /&gt;
&lt;br /&gt;
If you need a stable edition of the Guide, you should use one of these editions:&lt;br /&gt;
&lt;br /&gt;
OWASP Guide 2.0.1 (English)&lt;br /&gt;
* [http://prdownloads.sourceforge.net/owasp/OWASPGuide2.0.1.pdf?download PDF (3 MB)]&lt;br /&gt;
* [http://prdownloads.sourceforge.net/owasp/OWASPGuide2.0.1.zip?download Word (zip file, 1.4 MB)]&lt;br /&gt;
&lt;br /&gt;
OWASP Guide 1.1.1 (Japanese, にほんご)&lt;br /&gt;
* [http://prdownloads.sourceforge.net/owasp/OWASPGuideV1.1.1-jp.pdf?download PDF (1.4 MB)]&lt;br /&gt;
&lt;br /&gt;
Earlier versions of the Guide (1.0 and 1.1.1) can be found at our [http://sourceforge.net/project/showfiles.php?group_id=64424&amp;amp;package_id=62287 file download center], and in [http://sourceforge.net/cvs/?group_id=64424 CVS]. &lt;br /&gt;
&lt;br /&gt;
==OWASP Guide 3.0 (Current)==&lt;br /&gt;
&lt;br /&gt;
If you'd like a point in time version of the Guide 3.0 in PDF format:&lt;br /&gt;
* [http://owasp.cvs.sourceforge.net/*checkout*/owasp/guide/current%20draft.pdf Guide 3.0 draft as of March 2006] &lt;br /&gt;
&lt;br /&gt;
This file is regenerated from time to time.&lt;br /&gt;
&lt;br /&gt;
===OWASP Guide 3.0===&lt;br /&gt;
&lt;br /&gt;
This is the working (current) draft of the OWASP Guide 3.0. Please login to make changes as you see fit. Changes will be vetted by the OWASP Guide Project team.&lt;br /&gt;
&lt;br /&gt;
[http://www.owasp.org/index.php/Guide_Table_of_Contents OWASP Guide 3.0 Table of Contents]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
===OWASP Guide 3.0 (Spanish)===&lt;br /&gt;
&lt;br /&gt;
This will hold the working (current) draft of the translation of the OWASP Guide 3.0 to Spanish. Please help us in this translation effort!!! Login and make changes as you see fit. Changes will be vetted by the OWASP Guide Project team.&lt;br /&gt;
''NEED LINKS''&lt;br /&gt;
&lt;br /&gt;
==Roadmap==&lt;br /&gt;
[[OWASP Guide Project Roadmap]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]&lt;br /&gt;
[[Category:OWASP Download]]&lt;br /&gt;
[[Category:OWASP Document]]&lt;br /&gt;
&lt;br /&gt;
==Mailing List==&lt;br /&gt;
To subscribe to the mailing list, go to https://lists.sourceforge.net/lists/listinfo/owasp-guide&lt;/div&gt;</summary>
		<author><name>Varunvnair</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category_talk:Vulnerability_Scanning&amp;diff=7060</id>
		<title>Category talk:Vulnerability Scanning</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category_talk:Vulnerability_Scanning&amp;diff=7060"/>
				<updated>2006-07-03T03:57:25Z</updated>
		
		<summary type="html">&lt;p&gt;Varunvnair: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I feel that this article should have&lt;br /&gt;
# Basic definition&lt;br /&gt;
# Strengths and limitations of vulnerability scanning.&lt;br /&gt;
# Difference between vulnerability scanning and vulnerability assessment.&lt;br /&gt;
# Some FLOSS and commercial vulnerability scanners.&lt;br /&gt;
&lt;br /&gt;
--[[User:Varunvnair|Varunvnair]] 23:57, 2 July 2006 (EDT)&lt;/div&gt;</summary>
		<author><name>Varunvnair</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Category:Vulnerability_Scanning&amp;diff=7059</id>
		<title>Category:Vulnerability Scanning</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Category:Vulnerability_Scanning&amp;diff=7059"/>
				<updated>2006-07-03T03:51:55Z</updated>
		
		<summary type="html">&lt;p&gt;Varunvnair: Basic defn from http://www.webappsec.org/projects/glossary/#WebApplicationVulnerabilityScanner and http://en.wikipedia.org/wiki/Vulnerability_scanner&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;The process of searching for software vulnerabilities in applications using an automated security program is called vulnerability scanning. Vulnerability scanning can be used either to find holes and plug them before they are exploited or to find holes and exploit them.&lt;br /&gt;
&lt;br /&gt;
{{Template:Stub}}&lt;/div&gt;</summary>
		<author><name>Varunvnair</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Getting_Started&amp;diff=7058</id>
		<title>Getting Started</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Getting_Started&amp;diff=7058"/>
				<updated>2006-07-03T03:46:19Z</updated>
		
		<summary type="html">&lt;p&gt;Varunvnair: /* About threats, vulnerabilities, and countermeasures */ Removed an extraneous 's'.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;==Getting started in application security==&lt;br /&gt;
&lt;br /&gt;
Application security is simply the process of developing, maintaining, and purchasing applications that your organization can trust. However, application security is inextricably tied into almost every aspect of your organization's information technology, and can be maddeningly difficult to tackle. This &amp;quot;Getting Started&amp;quot; page is intended to provide a roadmap of the various topics in application security and where OWASP materials can help you and your organization master them.&lt;br /&gt;
&lt;br /&gt;
As the saying goes, when it comes to application security, there are really two types of organization - those who don't know their code is insecure, and those that do.&lt;br /&gt;
&lt;br /&gt;
==If you're wondering if your code has vulnerabilities...==&lt;br /&gt;
&lt;br /&gt;
If you're wondering whether your software really has application security weaknesses, then the best thing to do is to find out. You can do this in a number of ways, but the simplest is to do an [[CLASP_Best_Practices#Perform_application_assessments|application assessment]] of a few of your applications. The review should analyze all the major security areas by using a combination of [[Vulnerability Scanning|vulnerability scanning]], [[:Category:OWASP Code Review Project|code review]], [[:Category:OWASP Testing Project|penetration testing]], and [[Perform source-level security review|static analysis]]. Then based on some actual results, which should verify areas that are well designed and built as well as identify weaknesses, you can make an informed decision about how to proceed.&lt;br /&gt;
&lt;br /&gt;
==If you already know your code is vulnerable...==&lt;br /&gt;
&lt;br /&gt;
If you've already come to the conclusion that your project or organization is not producing secure code, then you should consider what [[:Category:Activity|organizational improvements]] are most likely to improve your ability. One popular place to start is [[CLASP_Best_Practices#Institute_awareness_programs|instituting an awareness program]] for developers and managers, as it is relatively inexpensive and has immediate effects. However, you may want to consider doing an [[:Category:OWASP CLASP Project|application security capability appraisal]] of your organization to find out what changes are likely to be the most effective. Also, you might consider defining a risk model, creating organization roles and teams, establishing standards or coding guidelines, or introducing some security activities into your software development lifecycle before doing the training.&lt;br /&gt;
&lt;br /&gt;
==About threats, vulnerabilities, and countermeasures==&lt;br /&gt;
&lt;br /&gt;
A good way to start learning about application security is by understanding software [[:Category:Threat|threats]], [[:Category:Attack|attack]], [[:Category:Vulnerability|vulnerabilities]], and [[:Category:Countermeasure|countermeasures]]. A good overview of the most critical of these is the [[OWASP_Top_Ten_Project|OWASP Top Ten]] awareness document. This is a short paper that describes the most critical vulnerabilities, how to find them, and what to do to protect against them in your application.&lt;br /&gt;
&lt;br /&gt;
Another great way to learn about application security is to study some real vulnerabilities and learn how they work. OWASP has developed [[:Category:OWASP_WebGoat_Project|WebGoat]] to provide hands-on examples of application security to learn from. WebGoat is a full J2EE application and training environment that contains real vulnerabilities to experiment with and learn from. [[:Category:OWASP_WebScarab_Project|WebScarab]] is a powerful web application penetration testing tool that you can use to test applications. For further reference, you can read all about each of the [[:Category:Vulnerability|vulnerabilities]] on the OWASP website to learn more.&lt;br /&gt;
&lt;br /&gt;
==What are the root causes of application vulnerabilities?==&lt;br /&gt;
&lt;br /&gt;
Once you've learned about risk models, you should think about how those problems come into existence. Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right [[:Category:Activity|activities]] in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job. But every vulnerability is a reason to investigate, find out why it happened, and make some organizational changes. You can find more information about improving your capability in the [[:Category:OWASP CLASP Project|OWASP CLASP Project]].&lt;br /&gt;
&lt;br /&gt;
__NOTOC__&lt;/div&gt;</summary>
		<author><name>Varunvnair</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Talk:OWASP_Application_Security_FAQ&amp;diff=7057</id>
		<title>Talk:OWASP Application Security FAQ</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Talk:OWASP_Application_Security_FAQ&amp;diff=7057"/>
				<updated>2006-07-03T03:19:36Z</updated>
		
		<summary type="html">&lt;p&gt;Varunvnair: should we rename the OWASP AppSec FAQ article?&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I feel that this page/article should be renamed to &amp;quot;OWASP Application Security FAQ&amp;quot;. The complete form is usually preferred in Wikipedia articles and it does make the page title more readable and probably more search engine friendly. --[[User:Varunvnair|Varunvnair]] 23:19, 2 July 2006 (EDT)&lt;/div&gt;</summary>
		<author><name>Varunvnair</name></author>	</entry>

	</feed>