This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Industry:Citations
From OWASP
Revision as of 14:10, 8 July 2009 by Clerkendweller (talk | contribs) (→Legislation, Standards, Guidelines and Industry Codes of Practice)
This is a draft page containing work in progress.
OWASP Projects
Several OWASP projects maintain their own lists of citations, references and discussions.
Legislation, Standards, Guidelines and Industry Codes of Practice
Hyperlinks have not been added to citations to prevent any mis-interpretation. Please read the source documents in full to understand the context.
| Organisation | Scope | Document | Date | Version | Comments |
|---|---|---|---|---|---|
| GovCertUK | UK | SQL Injection | 16 January 2009 | 1.0 | In "3.2 SQL Injection", "The OWASP Foundation has produced two tools that can be used to learn about and analyse attacks. The WebGoat application has been developed to demonstrate web application security errors, including SQL injection, and educate developers in how to avoid them. A web proxy, such as OWASP’s WebScarab, is needed to complete some of the WebGoat activities. Such a proxy is used to intercept communications between the browser and application, providing a means of changing the data in each message. Where appropriate examples have been taken (with permission) from the WebGoat application and WebScarab proxy output.", extensive use of screen captures from WebGoat and WebScarab, in "6.4 Education", "The key contributors in SQL injection protection are usually the application and web developers and system administrators... There are free resources on the Internet to encourage a better awareness of SQL injection techniques and guides on how to avoid it. Two examples of such free resources are OWASP Foundation’s WebGoat and ...", in "7 Acknowledgements", "Thanks to the OWASP Foundation’s WebGoat Project and WebScarab Project for their permission to use examples from these tools in this paper. They are published under the Creative Commons Licence" and in "8 References", "[i] OWASP WebGoat Project, OWASP Foundation, 15 January 2009, http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project [j] OWASP WebScarab Project, OWASP Foundation, 17 November 2008, [ttp://www.owasp.org/index.php/Category:OWASP_WebScarab_Project http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project]".
GovCertUK is the UK Government Emergency Response Team and is part of CESG. |
| National Infrastructure Security Co-ordination Centre (NISCC) | UK | Commercially Available Penetration Testing - Best Practice Guide | 8 May 2006 | - | In "Methodologies", "There are a number of open source penetration testing methodologies that can be used as a reference when examining provider methodologies. Examples include... OWASP - Open Web Application Security Project (http://www.owasp.org)".
NISCC is now part of the UK Centre for the Protection of National Infrastructure. |
| National Infrastructure Security Co-ordination Centre (NISCC) | UK | Secure web applications - Development, installation and security testing (NISCC Briefing 10/2006) | 27 April 2006 | - | In References "OWASP Secure Web Application Guide http://www.owasp.org/documentation/guide/guide_about.html".
NISCC is now part of the UK Centre for the Protection of National Infrastructure. |
| Payment Card Industry Security Standards Council (PCI SSC) | Worldwide | Data Security Standard | September 2006 | 1.1 | In Requirement 6: Develop and maintain secure systems and applications, "6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines...".
Superseded by PCI DSS 1.2 (see below). |
| Payment Card Industry Security Standards Council (PCI SSC) | Worldwide | Data Security Standard | October 2008 | 1.2 | In Requirement 6: Develop and maintain secure systems and applications, "6.3.7 Review of custom code..." mention in "6.3.7b ...Code reviews ensure code is developed according to secure coding guidelines such as the Open Web Security Project Guide...". And "6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following: Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when PCI DSS v1.2 was published. However, if and when the OWASP guide is updated, the current version must be used for these requirements." and specifically "6.5.a Obtain and review software development processes for any web-based applications. Verify that processes require training in secure coding techniques for developers, and are based on guidance such as the OWASP guide (http://www.owasp.org)." |
Important Reports and Other Resources
| Organisation | Scope | Document | Date | Version | Comments |
|---|---|---|---|---|---|
| Combined Security Incident Response Team (CSIRTUK) | UK | CSIRTUK advisories | Ongoing | - | OWASP Designation used in advisory categorisation.
CSIRTUK is part of the UK Centre for the Protection of National Infrastructure |
| Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS) | USA | Software Security Assurance State-of-the-Art Report (SOAR) | 31 July 2007 | - | In Section 6: Software Assurance Initiatives, Activities, and Organizations, "6.2 Private Sector Initiatives", 6.2.1 OWASP... 6.2.1.1 Tools... WebGoat... WebScarab... 6.2.1.2 Documents and Knowledge Bases... AppSec FAQ... Guide to Building Secure Web Applications... Legal knowledge base... Top Ten Web Application Security Vulnerabilities..." |
| National Cyber Security Division | Worldwide | Common Weakness Enumeration | Ongoing | - | OWASP Top Ten (2007) view, OWASP Top Ten (2004) view and OWASP in Taxonomies.
The National Cyber Security Division is part of the U.S. Department of Homeland Security |
