OWASP Corporate Application Security Pledge
NB: This page is a rough draft of an idea we are working on and should not be used yet
Background
OWASP recognizes that many organizations are doing the hard work to become capable of repeatably producing secure applications. These organizations deserve a way to promote the fact that they are doing the right things.
We have created the "OWASP Corporate Application Security Pledge" to recognize these organizations and set a goal for other organizations to
There is much more that organizations can do, but we believe that these are the most critical steps that all organizations should have in place.
Participation
Use the LOGO - IF you register with us and confirm
The OWASP Corporate Application Security Pledge
To demonstrate our commitment to building applications that are trustworthy enough for our business and our customers, we hereby confirm that:
1. We have established an ongoing application security awareness and training program.
- Our training program ensures that software developers, architects, and testers have been exposed to application security and understand how to find and prevent the common vulnerabilities. Leaders and managers are trained in how to lead projects and teams to produce secure applications.
2. We review all applications for common vulnerabilities.
- All of our applications (including internal applications) receive some level of scrutiny for common vulnerabilities before they are deployed. Our most critical applications receive a detailed code review and penetration test, while less critical applications receive at least an automated security scan.
3. We have established a dedicated application security team.
- Our application security team supports ...
4. We perform security activities as a part of our software development lifecycle.
- (At a minimum, security requirements and security testing.) We understand the threat and make informed decisions about risks.
5. We have assigned responsibility for application security on each project and up to executive management.