Industry:Citations - Revision history

Brennan at 21:18, 15 November 2016

2016-11-15T21:18:27Z

Clerkendweller: Removed banner and social media spam / PCI SSC Information Supplement on Penetration testing added

2015-03-31T16:00:53Z

Removed banner and social media spam / PCI SSC Information Supplement on Penetration testing added

Clerkendweller: PCI DSS v3 added

2014-02-15T18:58:26Z

PCI DSS v3 added

Clerkendweller: Amended SANS survey link

2014-02-15T18:51:10Z

Amended SANS survey link

Clerkendweller: Added SANS Institute appsec program survey

2014-02-15T18:48:46Z

Added SANS Institute appsec program survey

Clerkendweller: Financial Services Information Sharing and Analysis Center paper added

2014-02-15T18:27:58Z

Financial Services Information Sharing and Analysis Center paper added

Clerkendweller: EU regulation added

2013-09-22T18:53:47Z

EU regulation added

Clerkendweller: Added PCIDSS E-Commerce Guidelines

2013-02-02T09:58:59Z

Added PCIDSS E-Commerce Guidelines

Achim: BSI - Sicherheit von Webanwendungen: Maßnahmenkatalog und Best Practices

2012-11-21T19:36:56Z

BSI - Sicherheit von Webanwendungen: Maßnahmenkatalog und Best Practices

Achim: BSI - IT-Grundschutzbaustein Webanwendungen

2012-11-21T19:34:04Z

BSI - IT-Grundschutzbaustein Webanwendungen

← Older revision		Revision as of 21:18, 15 November 2016
Line 4:		Line 4:
	This page captures important references to [http://www.owasp.org/index.php/Main_Page OWASP] in official, or otherwise important, documents. It does not include presentational or educational materials, sales literature, forum messages, blog postings, news stories or press releases.		This page captures important references to [http://www.owasp.org/index.php/Main_Page OWASP] in official, or otherwise important, documents. It does not include presentational or educational materials, sales literature, forum messages, blog postings, news stories or press releases.

−	Hyperlinks have not been added within the text, other than those automatically added by the wiki, to reduce the risk of mis-interpretation. Please read the source documents in full to understand the context. Entries in each each category are ordered by organisation name ascending, then date ascending.	+	Hyperlinks have not been added within the text, other than those automatically added by the wiki, to reduce the risk of mis-interpretation. Please read the source documents in full to understand the context. Entries in each each category are ordered by organisation name ascending, then date ascending. EVERYONE is welcomed to EDIT this page to keep it updated.

@@ Line 1: / Line 1: @@
 __TOC__
@@ Line 25: / Line 22: @@
 === National &amp; International Legislation, Standards, Guidelines, Committees and Industry Codes of Practice  ===
 {| class="prettytable"
@@ Line 455: / Line 450: @@
 | In "Milestone 3: Protect Your Network (Network Architecture) - Consider", "... Do you have custom applications facing the Internet? If so, are they protected and/or are your developers trained in writing secure code? – For guidance on writing secure Web applications, see http://www.owasp.org/index.php/Category:OWASP_Guide_Project – For guidance on testing Web applications, see http://www.owasp.org/index.php/Category:OWASP_Testing_Project ..." and listed again in the "Quick Reference".
 |- valign="top"
-| rowspan="8" | [https://www.pcisecuritystandards.org/ Payment Card Industry Security Standards Council (PCI SSC)]
+| rowspan="9" | [https://www.pcisecuritystandards.org/ Payment Card Industry Security Standards Council (PCI SSC)]
-| rowspan="8" | Worldwide
+| rowspan="9" | Worldwide
 | [https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml Data Security Standard]
 | September 2006
@@ Line 502: / Line 497: @@
 | 3.0
 | In "Requirement 6: Develop and maintain secure systems and applications - 6.5", "6.5 Address common coding vulnerabilities in software-development processes as follows: Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. Develop applications based on secure coding guidelines. Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements. "
 |- valign="top"
 | rowspan="3" | [http://www.safecode.org/ SAFECode]

@@ Line 455: / Line 455: @@
 | In "Milestone 3: Protect Your Network (Network Architecture) - Consider", "... Do you have custom applications facing the Internet? If so, are they protected and/or are your developers trained in writing secure code? – For guidance on writing secure Web applications, see http://www.owasp.org/index.php/Category:OWASP_Guide_Project – For guidance on testing Web applications, see http://www.owasp.org/index.php/Category:OWASP_Testing_Project ..." and listed again in the "Quick Reference".
 |- valign="top"
-| rowspan="7" | [https://www.pcisecuritystandards.org/ Payment Card Industry Security Standards Council (PCI SSC)]
+| rowspan="8" | [https://www.pcisecuritystandards.org/ Payment Card Industry Security Standards Council (PCI SSC)]
-| rowspan="7" | Worldwide
+| rowspan="8" | Worldwide
 | [https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml Data Security Standard]
 | September 2006
@@ Line 497: / Line 497: @@
 | 2.0
 | In "4 Common Vulnerabilities in E-commerce Environments", "According to the Open Web Application Security Project (OWASP)… Insecure software is already undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10.” (Italics added.)" and "Industry best practices for vulnerability management—such as the OWASP Top 10, SANS CWE Top 25, and CERT Secure Coding—should be applied by e-commerce application/web developers.". In "5.10.1 Information Security Resources", "Open Web Application Security Project (OWASP) (www.owasp.org). OWASP is a global not-for profit charitable organization focused on improving the security of web applications. OWASP’s mission is to make application security visible so that individuals and organizations worldwide can make informed decisions about the true risks surrounding application development and security." and "OWASP provides a number of resources for training and application security awareness, including: podcasts, eBooks, online publications, news feeds, blogs, videos, conferences, and in-person classroom training." and "The OWASP Development Guide is a comprehensive reference manual for designing, developing, and deploying secure web services and applications. Individual guides include Handling ECommerce Payments, Security of Payment cards (Credit/Debit) in E-commerce Application, and Cornucopia E-commerce Web Site Edition."
 |- valign="top"
 | rowspan="3" | [http://www.safecode.org/ SAFECode]

@@ Line 537: / Line 537: @@
 |- valign="top"
-| Survey on Application Security Programs and Practices
+| [http://www.sans.org/reading-room/analysts-program/Survey-AppSec-2014 Survey on Application Security Programs and Practices]
-| [http://www.sans.org/reading-room/analysts-program/Survey-AppSec-2014 February 2014]
+| February 2014
 | 2013
 | In "Justification of Appsec Program Support", "Capability Maturity Models (Cigital’s BSIMM or OWASP’s OpenSAMM)". In 'Support of Appsec Programs", ". In 2013, OWASP added the use of insecure third-party software components to the OWASP Top 10 risk list,  a widely used application security risk management tool". In "Future Ideas and Roadmap", "Some are looking at application security practice maturity models like Cigital’s Build Security in Maturity Model (BSIMM), OWASP’s OpenSAMM or Application Security Verification Standard (ASVS) as guidelines".

@@ Line 519: / Line 519: @@
 | In "Overview" and "Section 2a) Security-focused Stories and Associated Security Tasks", "In addition, the CWE/SANS Top 25 Most Dangerous Development Errors list (plus the 16 weaknesses on the cusp list) and the OWASP Top 10 list were consulted for this section to ensure completeness of coverage.", in "Security-focused story 20", "Utilize common frameworks or libraries (such as OWASP ESAPI) that provide a secure database query functionality, as defined below., in "Security-focused story 28", "Follow best practices (e.g., OWASP Session Management Cheat Sheet) to prevent session management attacks." and "or more complete explanation of issues and test cases, please refer, e.g., to OWASP’s Testing Project, Authentication Cheat Sheet and Session Management Cheat Sheet.", in "Glossary", "OWASP: Open Web Application Security Project is a free, open-to-all community with local chapters worldwide aiming to improve the security of web applications." and in "References", "OWASP Top 10".
 |- valign="top"
-| rowspan="3" | [http://www.sans.org SANS Institute]
+| rowspan="4" | [http://www.sans.org SANS Institute]
-| rowspan="3" | USA
+| rowspan="4" | USA
 | rowspan="3" | [http://www.sans.org/top20/ Top 20]
 | November 2005
@@ Line 535: / Line 535: @@
 | 8
 | In "S1 Web Applications - S1.3 How to Protect against Web Application Vulnerabilities", "... From the developer perspective: ... Join secure coding organizations, such as OWASP (see references) to boost skills, and learn about secure coding ... Test your apps using the OWASP Testing Guide with tools like WebScarab, ..." and in "S1 Web Applications - S1.4 References", "OWASP - Open Web Application Security Project http://www.owasp.org ... OWASP Testing Guide http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents ... OWASP Guide - a compendium of secure coding http://www.owasp.org/index.php/Category:OWASP_Guide_Project ... OWASP Top 10 - Top 10 web application security weaknesses http://www.owasp.org/index.php/Top_10_2007".
 |- valign="top"
 | rowspan="2" | [http://www.sharedassessments.org Shared Assessments]

@@ Line 256: / Line 256: @@
 | In "Security Check - I'm not really a “tech” type. Are there steps our computer people can take to protect our system from common hack attacks?", "Yes. There are relatively simple fixes to protect your computers from some of the most common vulnerabilities.... Bookmark the websites of groups like the Open Web Application Security Project, www.owasp.org, or ..." and in "Additional Resources - These websites and publications have more information on securing sensitive data:", "The Open Web Application Security Project www.owasp.org".
 Also available in Spanish [http://business.ftc.gov/documents/sbus69-como-proteger-la-informacion-personal-una-gui-para-negocios En español].
 |- valign="top"

@@ Line 223: / Line 223: @@
 | -
 | In "Consulted experts", "Gunnar Peterson, OWASP".
 |- valign="top"
 | [http://www.cio.gov Federal Chief Information Officers (CIO) Council]

@@ Line 51: / Line 51: @@
 |- valign="top"
-| [https://www.bsi.bund.de/ Bundesamt für Sicherheit in der Informationstechnik (BSI) / Federal Office for Information Security]
+| rowspan="2" | [https://www.bsi.bund.de/ Bundesamt für Sicherheit in der Informationstechnik (BSI) / Federal Office for Information Security]
-| Germany
+| rowspan="2" | Germany
 | [https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Download/Vorabversionen/Baustein_Webanwendungen.pdf IT-Grundschutz Baustein B 5.21 Webanwendungen]
 | 17 December 2012
 | Vorabversion / Preliminary Version
 | Um Webanwendung angemessen abzusichern, wurde ein neuer Baustein für die IT-Grundschutz-Kataloge entwickelt, der vorab vom BSI zur Kommentierung veröffentlicht wurde. Daran teilgenommen hat unter anderem das Open Web Application Security Project (OWASP).
+|- valign="top"
 |- valign="top"

@@ Line 49: / Line 49: @@
 | 1.0
 | In "7.2. Normes et documents techniques", "Guides et documentation de l’Open Web Application Security Project (OWASP)"
 |- valign="top"