Getting Started - Revision history

Sam.stepanyan: /* How Can I Get Involved At OWASP? */

2016-11-07T16:15:54Z

‎How Can I Get Involved At OWASP?

Sam.stepanyan: /* How Can I Get Involved At OWASP? */ added link

2016-10-28T13:33:47Z

‎How Can I Get Involved At OWASP?: added link

Sam.stepanyan: /* How Can I Get Involved At OWASP? */ hyperlinked the word "Member"

2016-10-28T13:32:28Z

‎How Can I Get Involved At OWASP?: hyperlinked the word "Member"

Sam.stepanyan: /* What are the root causes of application vulnerabilities? */ spacing

2016-10-28T13:30:40Z

‎What are the root causes of application vulnerabilities?: spacing

Sam.stepanyan: /* What are the root causes of application vulnerabilities? */ -replaced reference to obsolete CLASP with SAMM

2016-10-28T13:30:01Z

‎What are the root causes of application vulnerabilities?: -replaced reference to obsolete CLASP with SAMM

Sam.stepanyan: /* About threats, vulnerabilities, and countermeasures */ - replaced reference to obsolete WebScarab with ZAP

2016-10-28T13:26:30Z

‎About threats, vulnerabilities, and countermeasures: - replaced reference to obsolete WebScarab with ZAP

Sam.stepanyan: /* How Can I Get Involved At OWASP? */ added chapter and membership bullet points

2016-10-28T13:22:47Z

‎How Can I Get Involved At OWASP?: added chapter and membership bullet points

Sam.stepanyan: /* Searching for application security information */ - removed Google engine which was a dead link

2016-10-28T13:14:22Z

‎Searching for application security information: - removed Google engine which was a dead link

Abarbanel: /* Getting started in application security */

2015-07-02T17:59:30Z

‎Getting started in application security

MichaelCoates at 23:36, 5 March 2013

2013-03-05T23:36:18Z

@@ Line 12: / Line 12: @@
 * Global Initiatives - The [https://www.owasp.org/index.php/OWASP_Initiatives_Global_Strategic_Focus OWASP Global Initiates] program was established to provide easy access for volunteers interesting in helping advance OWASP. There are a variety of items that need volunteers - some with security focus, others that focus on the OWASP organization or an event.
 * Join a project - Everyone is welcomed to contribute to any of our open projects. Check out the [https://www.owasp.org/index.php/Category:OWASP_Project list of projects] and join the mailing list to find out more.
-* Join your local [[OWASP_Chapter|OWASP Chapter]] - Everyone is welcome to attend any of our local Chapter meetings which are FREE and OPEN to attend to anyone who wished to listen to talks and participate in discussions on the topic of application security. Check out the [https://www.owasp.org/index.php/OWASP_Chapter OWASP Chapters] in your area.
+* Join your local [[OWASP_Chapter|OWASP Chapter]] - Everyone is welcome to attend any of our local Chapter meetings which are FREE and OPEN to attend to anyone who wishes to listen to talks and participate in discussions on the topic of application security. Check out the [https://www.owasp.org/index.php/OWASP_Chapter OWASP Chapters] in your area.
 * Become a [[Membership|Member]] of OWASP -  support the growth of OWASP and the development of new and improved OWASP Materials and projects, get discounts on major cyber security conference registration fees. Individual and Corporate [[Membership]] is available: [https://www.owasp.org/index.php/Membership]
 * Edit a page - This is a wiki, if you see a page that needs some clarification or better information then please edit it. There are a variety of links to page that need some assistance within the [https://www.owasp.org/index.php/Special:SpecialPages Maintenance Report]

@@ Line 12: / Line 12: @@
 * Global Initiatives - The [https://www.owasp.org/index.php/OWASP_Initiatives_Global_Strategic_Focus OWASP Global Initiates] program was established to provide easy access for volunteers interesting in helping advance OWASP. There are a variety of items that need volunteers - some with security focus, others that focus on the OWASP organization or an event.
 * Join a project - Everyone is welcomed to contribute to any of our open projects. Check out the [https://www.owasp.org/index.php/Category:OWASP_Project list of projects] and join the mailing list to find out more.
-* Join your local OWASP chapter - Everyone is welcome to attend any of our local Chapter meetings which are FREE and OPEN to attend to anyone who wished to listen to talks and participate in discussions on the topic of application security. Check out the [https://www.owasp.org/index.php/OWASP_Chapter OWASP Chapters] in your area.
+* Join your local [[OWASP_Chapter|OWASP Chapter]] - Everyone is welcome to attend any of our local Chapter meetings which are FREE and OPEN to attend to anyone who wished to listen to talks and participate in discussions on the topic of application security. Check out the [https://www.owasp.org/index.php/OWASP_Chapter OWASP Chapters] in your area.
 * Become a [[Membership|Member]] of OWASP -  support the growth of OWASP and the development of new and improved OWASP Materials and projects, get discounts on major cyber security conference registration fees. Individual and Corporate [[Membership]] is available: [https://www.owasp.org/index.php/Membership]
 * Edit a page - This is a wiki, if you see a page that needs some clarification or better information then please edit it. There are a variety of links to page that need some assistance within the [https://www.owasp.org/index.php/Special:SpecialPages Maintenance Report]

@@ Line 13: / Line 13: @@
 * Join a project - Everyone is welcomed to contribute to any of our open projects. Check out the [https://www.owasp.org/index.php/Category:OWASP_Project list of projects] and join the mailing list to find out more.
 * Join your local OWASP chapter - Everyone is welcome to attend any of our local Chapter meetings which are FREE and OPEN to attend to anyone who wished to listen to talks and participate in discussions on the topic of application security. Check out the [https://www.owasp.org/index.php/OWASP_Chapter OWASP Chapters] in your area.
-* Become a Member of OWASP -  support the growth of OWASP and the development of new and improved OWASP Materials and projects, get discounts on major cyber security conference registration fees. Individual and Corporate [[Membership]] is available: [https://www.owasp.org/index.php/Membership]
+* Become a [[Membership|Member]] of OWASP -  support the growth of OWASP and the development of new and improved OWASP Materials and projects, get discounts on major cyber security conference registration fees. Individual and Corporate [[Membership]] is available: [https://www.owasp.org/index.php/Membership]
 * Edit a page - This is a wiki, if you see a page that needs some clarification or better information then please edit it. There are a variety of links to page that need some assistance within the [https://www.owasp.org/index.php/Special:SpecialPages Maintenance Report]

← Older revision		Revision as of 13:30, 28 October 2016
Line 36:		Line 36:
	=What are the root causes of application vulnerabilities?=		=What are the root causes of application vulnerabilities?=

−	Once you've learned about risk model, you should think about how those problems come into existence. Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right [[:Category:Activity\|activities]] in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job. But every vulnerability is a reason to investigate, find out why it happened, and make some organizational changes. You can find more information about improving your capability in the [[:Category:Software_Assurance_Maturity_Model\|~~Software_Assurance_Maturity~~ Model(OWASP SAMM) Project]].	+	Once you've learned about risk model, you should think about how those problems come into existence. Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right [[:Category:Activity\|activities]] in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job. But every vulnerability is a reason to investigate, find out why it happened, and make some organizational changes. You can find more information about improving your capability in the [[:Category:Software_Assurance_Maturity_Model\|Software Assurance Maturity Model(OWASP SAMM) Project]].

← Older revision		Revision as of 13:30, 28 October 2016
Line 36:		Line 36:
	=What are the root causes of application vulnerabilities?=		=What are the root causes of application vulnerabilities?=

−	Once you've learned about risk model, you should think about how those problems come into existence. Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right [[:Category:Activity\|activities]] in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job. But every vulnerability is a reason to investigate, find out why it happened, and make some organizational changes. You can find more information about improving your capability in the [[:Category:~~OWASP CLASP Project~~\|OWASP ~~CLASP~~ Project]].	+	Once you've learned about risk model, you should think about how those problems come into existence. Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right [[:Category:Activity\|activities]] in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job. But every vulnerability is a reason to investigate, find out why it happened, and make some organizational changes. You can find more information about improving your capability in the [[:Category:Software_Assurance_Maturity_Model\|Software_Assurance_Maturity Model(OWASP SAMM) Project]].

@@ Line 32: / Line 32: @@
 A good way to start learning about application security is by understanding software [[:Category:Principle|principles]], [[:Category:Threat Agent|threats]], [[:Category:Attack|attack]], [[:Category:Vulnerability|vulnerabilities]], and [[:Category:Countermeasure|countermeasures]]. A good overview of the most critical of these is the [[OWASP_Top_Ten_Project|OWASP Top Ten]] awareness document. This is a short paper that describes the most critical vulnerabilities, how to find them, and what to do to protect against them in your application.
-Another great way to learn about application security is to study some real vulnerabilities and learn how they work. OWASP has developed [[:Category:OWASP_WebGoat_Project|WebGoat]] to provide hands-on examples of application security to learn from. WebGoat is a full J2EE application and training environment that contains real vulnerabilities to experiment with and learn from. [[:Category:OWASP_WebScarab_Project|WebScarab]] is a powerful web application penetration testing tool that you can use to test applications. For further reference, you can read all about each of the [[:Category:Vulnerability|vulnerabilities]] on the OWASP website to learn more.
+Another great way to learn about application security is to study some real vulnerabilities and learn how they work. OWASP has developed [[:Category:OWASP_WebGoat_Project|WebGoat]] to provide hands-on examples of application security to learn from. WebGoat is a full J2EE application and training environment that contains real vulnerabilities to experiment with and learn from. [[OWASP_Zed_Attack_Proxy_Project|OWASP ZAP]] is a powerful web application penetration testing tool that you can use to test applications. For further reference, you can read all about each of the [[:Category:Vulnerability|vulnerabilities]] on the OWASP website to learn more.
 =What are the root causes of application vulnerabilities?=
 Once you've learned about risk model, you should think about how those problems come into existence. Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right [[:Category:Activity|activities]] in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job. But every vulnerability is a reason to investigate, find out why it happened, and make some organizational changes. You can find more information about improving your capability in the [[:Category:OWASP CLASP Project|OWASP CLASP Project]].

@@ Line 11: / Line 11: @@
 =How Can I Get Involved At OWASP?=
 * Global Initiatives - The [https://www.owasp.org/index.php/OWASP_Initiatives_Global_Strategic_Focus OWASP Global Initiates] program was established to provide easy access for volunteers interesting in helping advance OWASP. There are a variety of items that need volunteers - some with security focus, others that focus on the OWASP organization or an event.
 * Edit a page - This is a wiki, if you see a page that needs some clarification or better information then please edit it. There are a variety of links to page that need some assistance within the [https://www.owasp.org/index.php/Special:SpecialPages Maintenance Report]
 =Why is application security so hard?=

@@ Line 5: / Line 5: @@
 =Searching for application security information=
-We are working hard to organize the world's application security information. But it's fair to say we have a very long way to go. There is a [[Special:Search|simple search engine]] built into the OWASP site, but it's not that great.
+We are working hard to organize the world's application security information. But it's fair to say we have a very long way to go. There is a [[Special:Search|simple search engine]] built into the OWASP site.
 As a last resort, you can also just [[Special:Allpages|get a list]] of all the pages if you know a word in the title.

@@ Line 1: / Line 1: @@
 =Getting started in application security=
-Application security is simply everything involved in developing, maintaining, and purchasing applications that your organization can trust. However, application security is inextricably tied into almost every aspect of your organizations' information technology, and can be maddeningly difficult to tackle. This "Getting Started" page is intended to provide a roadmap of the various topics in application security and where OWASP materials can help you and your organization master them. As the saying goes, when it comes to application security, there are really two types of organization - those who don't know their code is insecure, and those that do.
+Application security is simply everything involved in developing, maintaining, and purchasing applications that your organization can trust. However, application security is inextricably tied into almost every aspect of your organizations' information technology, and can be maddeningly difficult to tackle. This "Getting Started" page is intended to provide a roadmap of the various topics in application security and where OWASP materials can help you and your organization master them. As the saying goes, when it comes to application security, there are really two types of organizations - those who don't know their code is insecure, and those that do.
 =Searching for application security information=

@@ Line 1: / Line 1: @@
-==Getting started in application security==
+=Getting started in application security=
 Application security is simply everything involved in developing, maintaining, and purchasing applications that your organization can trust. However, application security is inextricably tied into almost every aspect of your organizations' information technology, and can be maddeningly difficult to tackle. This "Getting Started" page is intended to provide a roadmap of the various topics in application security and where OWASP materials can help you and your organization master them. As the saying goes, when it comes to application security, there are really two types of organization - those who don't know their code is insecure, and those that do.
-==Searching for application security information==
+=Searching for application security information=
 We are working hard to organize the world's application security information. But it's fair to say we have a very long way to go. There is a [[Special:Search|simple search engine]] built into the OWASP site, but it's not that great.
@@ Line 11: / Line 11: @@
 As a last resort, you can also just [[Special:Allpages|get a list]] of all the pages if you know a word in the title.
-==Why is application security so hard?==
+=How Can I Get Involved At OWASP?=
 If you haven't read it lately, check out Fred Brooks' great article, "[http://www.cs.nott.ac.uk/~cah/G51ISS/Documents/NoSilverBullet.html No Silver Bullet]". In it, Brooks discusses both "accidental" and "essential" difficulties of producing software. We created the accidental difficulties ourselves, by making our languages, compilers, and environments more difficult than they need to be. But the essential difficulties are fundamental problems that will always be with us. Brooks considers four inherent properties of software that help explain the difficulty of software security - complexity, conformity, changeability, and invisibility.
-==If you're wondering if your code has vulnerabilities...==
+=If you're wondering if your code has vulnerabilities...=
 If you're wondering whether your software really has application security weaknesses, then the best thing to do is to find out. You can do this in a number of ways, but the simplest is to do an [[CLASP_Best_Practices#Perform_application_assessments|application assessment]] of a few of your applications. The review should analyze all the major security areas by using a combination of [[Vulnerability Scanning|vulnerability scanning]], [[:Category:OWASP Code Review Project|code review]], [[:Category:OWASP Testing Project|penetration testing]], and [[Perform source-level security review|static analysis]]. Then based on some actual results, which should verify areas that are well designed and built as well as identify weaknesses, you can make an informed decision about how to proceed.
-==If you already know your code is vulnerable...==
+=If you already know your code is vulnerable...=
 If you've already come to the conclusion that your project or organization is not producing secure code, then you should consider what [[:Category:Activity|organizational improvements]] are most likely to improve your ability. One popular place to start is [[CLASP_Best_Practices#Institute_awareness_programs|instituting an awareness program]] for developers and managers, as it is relatively inexpensive and has immediate effects. However, you may want to consider doing an [[:Category:OWASP CLASP Project|application security capability appraisal]] of your organization to find out what changes are likely to be the most effective. Also, you might consider defining a risk model, creating organization roles and teams, establishing standards or coding guidelines, or introducing some security activities into your software development lifecycle before doing the training.
-==About threats, vulnerabilities, and countermeasures==
+=About threats, vulnerabilities, and countermeasures=
 A good way to start learning about application security is by understanding software [[:Category:Principle|principles]], [[:Category:Threat Agent|threats]], [[:Category:Attack|attack]], [[:Category:Vulnerability|vulnerabilities]], and [[:Category:Countermeasure|countermeasures]]. A good overview of the most critical of these is the [[OWASP_Top_Ten_Project|OWASP Top Ten]] awareness document. This is a short paper that describes the most critical vulnerabilities, how to find them, and what to do to protect against them in your application.
@@ Line 29: / Line 34: @@
 Another great way to learn about application security is to study some real vulnerabilities and learn how they work. OWASP has developed [[:Category:OWASP_WebGoat_Project|WebGoat]] to provide hands-on examples of application security to learn from. WebGoat is a full J2EE application and training environment that contains real vulnerabilities to experiment with and learn from. [[:Category:OWASP_WebScarab_Project|WebScarab]] is a powerful web application penetration testing tool that you can use to test applications. For further reference, you can read all about each of the [[:Category:Vulnerability|vulnerabilities]] on the OWASP website to learn more.
-==What are the root causes of application vulnerabilities?==
+=What are the root causes of application vulnerabilities?=
 Once you've learned about risk model, you should think about how those problems come into existence. Every application security problem has a root cause somewhere in the organization. It may be that the project didn't have the right [[:Category:Activity|activities]] in their development process, or it may be that the developers didn't have the right training, or it might even be that the team didn't have the right tools for the job. But every vulnerability is a reason to investigate, find out why it happened, and make some organizational changes. You can find more information about improving your capability in the [[:Category:OWASP CLASP Project|OWASP CLASP Project]].