This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Industry:Citations
This draft page tries to capture important references to OWASP in official, or otherwise important, documents. It does not include presentational or educational materials, sales literature, forum messages, blog postings, news stories or press releases.
Hyperlinks have not been added within the text, other than those automatically added by the wiki, to reduce the risk of mis-interpretation. Please read the source documents in full to understand the context. Entries are ordered by organisation name ascending, then date ascending within each category.
OWASP Projects
Some OWASP projects maintain their own lists of citations, users and references:
- OWASP Application Security Verification Standard (ASVS) Project - Users
- OWASP Enterprise Security API (ESAPI) Project - Users and Adopters
- OWASP Security Spending Benchmarks (SSB) Project - News Coverage
- OWASP Top Ten Project - Users and Adopters
National & International Legislation, Standards, Guidelines, Committees and Industry Codes of Practice
| Organisation | Scope | Document | Date | Version | Comments |
|---|---|---|---|---|---|
| Defense Information Systems Agency (DISA) | USA | Recommended Standard Application Security Requirements (Draft) | 11 March 2003 | 2.0 (draft) | In "Appendix B References", "B.5 Best Practices... 32. Open Web Application Security Project (OWASP): “The Ten Most Critical Web Application Security Vulnerabilities” (13 January 2003)". |
| Web Server Technical Implementation Guide | 11 December 2006 | 6 Rel 1 | In "1.1 Background", "Major security forums (e.g., SysAdmin, Audit, Network, Security (SANS) Institute and the Open Web Application Security Project (OWASP)) publish reports describing the most critical Internet security threats. From these reports, some threats unique to web server technology are as follows...". | ||
| Application Security and Development - Security Technical Implementation Guide | 24 July 2008 | 2 Rel 1 | In "Appendix A References", "Open Web Application Security Project http://www.owasp.org/" and "Open Web Application Security Project Threat Risk Modeling http://www.owasp.org/index.php/Threat_Risk_Modeling". | ||
| Application Security and Development Checklist | 24 July 2008 | 2 Rel 1.1 | Multiple OWASP website references providing vulnerability examples.
Superseded (see below) | ||
| Application Security and Development Checklist | 26 June 2009 | 2 Rel 1.5 | OWASP referenced in "APP3020 Threat model not established or updated... Detailed information on threat modeling can be found at the OWASP website. http://www.owasp.org/index.php/Threat_Risk_Modeling", "APP3550 Application is vulnerable to integer overflows... Examples of Integer Overflow vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Integer_overflow", "APP3560 Application contains format string vulnerabilities... Examples of Format String vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Format_string_problem", "APP3570 Application vulnerable to Command Injection... Examples of Command Injection vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Command_Injection", "APP3580 Application vulnerable to Cross Site Scripting... Examples of Cross Site Scripting vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Cross_Site_Scripting", "APP3600 Vulnerable to canonical representation attacks... Examples of Canonical Representation vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode", "APP3630 Application vulnerable to race conditions... Examples of Race Conditions vulnerabilities can be obtained from the OWASP website. https://www.owasp.org/index.php/Reviewing_Code_for_Race_Conditions", and "APP5100 Fuzz testing is not performed... The following website provides an overview of fuzz testing and examples: http://www.owasp.org/index.php/Fuzzing" | ||
| GovCertUK | UK | SQL Injection | 16 January 2009 | 1.0 | In "3.2 SQL Injection", "The OWASP Foundation has produced two tools that can be used to learn about and analyse attacks. The WebGoat application has been developed to demonstrate web application security errors, including SQL injection, and educate developers in how to avoid them. A web proxy, such as OWASP’s WebScarab, is needed to complete some of the WebGoat activities. Such a proxy is used to intercept communications between the browser and application, providing a means of changing the data in each message. Where appropriate examples have been taken (with permission) from the WebGoat application and WebScarab proxy output.", extensive use of screen captures from WebGoat and WebScarab, in "6.4 Education", "The key contributors in SQL injection protection are usually the application and web developers and system administrators... There are free resources on the Internet to encourage a better awareness of SQL injection techniques and guides on how to avoid it. Two examples of such free resources are OWASP Foundation’s WebGoat and ...", in "7 Acknowledgements", "Thanks to the OWASP Foundation’s WebGoat Project and WebScarab Project for their permission to use examples from these tools in this paper. They are published under the Creative Commons Licence" and in "8 References", "[i] OWASP WebGoat Project, OWASP Foundation, 15 January 2009, http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project [j] OWASP WebScarab Project, OWASP Foundation, 17 November 2008, http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project".
GovCertUK is the UK Government Emergency Response Team and is part of CESG. |
| Information-Technology Promotion Agency (IPA) | Japan | Secure Programming Course from the IPA Information-technology SEcurity Center (ISEC) | 2002 | - | In SQL Argument Validation, "...Direct SQL Command Injection (English), Open Web Application Security Project
http://www.owasp.org/projects/asac/iv-sqlinjection.shtml http://www.owasp.org/projects/asac/iv-sqlinjection.shtml", in Dangerous Perl Functions, "...Direct OS Command Injection (English), Open Web Application Security Project http://www.owasp.org/projects/asac/iv-dosinjection.shtml", and in Unix Path Security, "...Directory Traversal (English),Open Web Application Security Project http://www.owasp.org/projects/asac/iv-directorytraversal.shtml" |
| Study of Web Server Mandatory Access Control | March 2005 | - | In section 3.3, "...様 々 な 方 針 が 考 え ら れ る が、 こ こ で は、 The Open Web Application Security Project の 示 す Web ア プ リ ケーシ ョ ンに お ける セ キ ュ リ テ ィの 指 針 を 元 に 脆 弱 性 対 策 の 方 向 性 を 示 す http://www.owasp.org/documentation/guide/guide_about.html" | ||
| Symfoware ST (Symfo-06-DS3001) in the JISEC Certified/Validated Products List | 9 May 2007 | 2.3 | In Table 6.2 on vulnerability assessment information assurance measures "AVA_VLA.2 ... OWASP (Open Web Application Security Project) が 発 表 し て い る、 Web サ イ ト の セ キ ュ リ テ ィ 脆 弱 性 の 情 報 " | ||
| Open Source Software Evaluation Lab Environment | November 2007 | - | In "Intercepting proxies" of the "Security evaluation" category, "...WebScarab ... http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project" | ||
| International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) | Worldwide | ISO/IEC TR24729-4, Information technology — Radio frequency identification for item management — Implementation guidelines — Part 4: Tag data security | March 2009 | - | In "Normative references", "Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Main_Page". See http://www.grifs-project.eu/db/?q=node/129 |
| National Infrastructure Security Co-ordination Centre (NISCC) | UK | Secure web applications - Development, installation and security testing (NISCC Briefing 10/2006) | 27 April 2006 | - | In References "OWASP Secure Web Application Guide http://www.owasp.org/documentation/guide/guide_about.html".
NISCC is now part of the UK Centre for the Protection of National Infrastructure. |
| Commercially Available Penetration Testing - Best Practice Guide | 8 May 2006 | - | In "Methodologies", "There are a number of open source penetration testing methodologies that can be used as a reference when examining provider methodologies. Examples include... OWASP - Open Web Application Security Project (http://www.owasp.org)".
NISCC is now part of the UK Centre for the Protection of National Infrastructure. | ||
| Payment Card Industry Security Standards Council (PCI SSC) | Worldwide | Data Security Standard | September 2006 | 1.1 | In Requirement 6: Develop and maintain secure systems and applications, "6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines...".
Superseded by PCI DSS 1.2 (see below). |
| Data Security Standard | October 2008 | 1.2 | In Requirement 6: Develop and maintain secure systems and applications, "6.3.7 Review of custom code..." mention in "6.3.7b ...Code reviews ensure code is developed according to secure coding guidelines such as the Open Web Security Project Guide...". And "6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following: Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when PCI DSS v1.2 was published. However, if and when the OWASP guide is updated, the current version must be used for these requirements." and specifically "6.5.a Obtain and review software development processes for any web-based applications. Verify that processes require training in secure coding techniques for developers, and are based on guidance such as the OWASP guide (http://www.owasp.org)." | ||
| SAFECode | Worldwide | Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today | 8 October 2008 | - | Links to "OWASP Top Ten", "OWASP PHP AntiXSS Library", "OWASP Canonicalization, Locale and Unicode", "OWASP Reviewing Code for Logging Issues", and "OWASP Error Handling, Auditing and Logging". |
| Trusted Information Sharing Network for Critical Infrastructure Protection (TISN) | Australia | Information Security Principles for Enterprise Architecture | June 2007 | - | In "Recommendation 2.6: Implement security based on transparent, trusted and proven solutions", "...Best practice information system development and management processes such as: ... Open Web Application Security Project (OWASP)—an open-source project dedicated to finding and fighting the causes of insecure software. The OWASP Guide provides
methodology and processes for..." and in the checklist "Trusted and proven information system development processes such as ITIL, OWASP and CIS (see page 44 for a definition)—are used or considered when developing information systems" |
| Defence in Depth | June 2008 | - | In "Risk Analysis methodology - Identify risk", "...After threat classification, threat rating is performed using the DREAD model ... Open Web Application Security Forum (OWASP), Threat Risk Modelling, March 2008,
www.owasp.org/index.php/Threat_Risk_Modeling#DREAD", in "Assessing technology risks - Approaches", "Application review—analyse critical applications for compliance with secure application development standards (e.g. OWASP) ... Open Web Application Security Project (OWASP), OWASP Guide 2.1, accessed 2008: www.owasp.org", in "Implementing technology controls - Application (client and server)", "...As the application security space (in particular the web application security) has matured over the past decade, many resources have become available for detailing the breadth of controls available ... Open Web Application Security Project (OWASP), OWASP Guide 2.1, accessed 2008: http://www.owasp.org/" and in "Implementing technology controls - Control analysis - Focus area guideline: Application security - implementation", "Adopt secure application development and review processes ... Best-practice processes/tools (OWASP, OASIS) ...". | ||
| User-access management | June 2008 | - | In "Trends & Emerging Threats - Migration to browser-based web applications", "...Web application vulnerabilities may
leave data and applications at risk of unauthorised access or tampering, and allow circumvention of access controls ... Open Web Application Security Project (OWASP), Top 10 2007, 2007, http://www.owasp.org/index.php/Top_10_2007" |
Important Reports and Other Resources
| Organisation | Scope | Document | Date | Version | Comments |
|---|---|---|---|---|---|
| Australian Computer Emergency Response Team (AusCERT) | Australia | Submission to House of Representatives Standing Committee on Communications – Inquiry into Cyber Crime | 2009 | - | In "Goal to prevent cyber attacks from occurring", "At the national level, implement regulations which require 1. any organisation hosting a commercial web site (as opposed to a web page) to adhere to web application security standards, such as those by OWASP..." |
| Combined Security Incident Response Team (CSIRTUK) | UK | CSIRTUK advisories | Ongoing | - | OWASP designation used in advisory categorisation.
CSIRTUK is part of the UK Centre for the Protection of National Infrastructure. |
| Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS) | USA | Software Security Assurance State-of-the-Art Report (SOAR) | 31 July 2007 | - | In Section 6: Software Assurance Initiatives, Activities, and Organizations, "6.2 Private Sector Initiatives", 6.2.1 OWASP... 6.2.1.1 Tools... WebGoat... WebScarab... 6.2.1.2 Documents and Knowledge Bases... AppSec FAQ... Guide to Building Secure Web Applications... Legal knowledge base... Top Ten Web Application Security Vulnerabilities...". |
| National Cyber Security Division | USA | Common Weakness Enumeration | Ongoing | - | OWASP Top Ten (2007) view, OWASP Top Ten (2004) view and OWASP in Taxonomies.
The National Cyber Security Division is part of the U.S. Department of Homeland Security. |
| Office of the Privacy Commissioner of Canada | Canada | Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. | 16 July 2009 | - | In the section "Industry Review" of "Summary of Investigation", OWASP mentioned in paragraph 344 "we learned that an organization known as the Open Web Application Security Project (OWASP) promotes the development of secure applications and has created several guidelines addressing issues of session management... OWASP recommends to website creators that sessions should timeout after 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. Although OWASP has not provided actual definitions for high-, medium-, or low-value data, it does cite ... as examples of high-value data and ... as examples of low-value data." and in paragraph 345 "...our Office's review of how various websites manage sessions indicates that the OWASP guidelines are not widely used in the industry..." |
Project Requirements
International, national governmental and other significant specification, invitation to tender (ITT) and request for proposal (RFP) documents.
| Organisation | Scope | Document | Date | Version | Comments |
|---|---|---|---|---|---|
| Banco Central Do Brasil | Brasil | Processo no: 0701385050 (penetration testing for web applications) | 19 February 2008 | - | In paragraph 5.3 "... testar a presença das vulnerabilidades descritas pelo OWASP (http://www.owasp.org/index.php/Category:Vulnerability) que possam ser detectadas através de testes caixa-preta remotos.", in paragraph 5.4.2 "a classificação OWASP da vulnerabilidade, conforma a página http://www.owasp.org/index.php/Category:Vulnerability;" and in paragraph 5.6 "... recomendações do OWASP Testing Guide (http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents)." |
