The Open Web Application Security Project (OWASP) is an international non-profit organization founded in 2001 with the aim of providing free and open resources that help developers and security experts protect their web applications from cyber-attacks. OWASP performs security analysis and research with thousands of volunteers across the world.
OWASP's resources are free and easily accessible on its website, making it feasible for anyone to build robust and secure web applications. Through community-led open-source software projects, educational and training conferences, thousands of members and numerous local chapters, OWASP lays the foundation of cyber security for developers across the globe.
Mark Curphey started OWASP (the Open Web Application Security Project) on September 9, 2001. Jeff Williams was volunteer Chair of OWASP from late 2003 until September 2011. As of January 2021, Sherif Mansour was voted Chair, Vandana Verma Vice Chair, Grant Ongers Treasurer and Bil Corry Secretary. Since 2011, OWASP has been registered as a non-profit organization in Belgium under the name OWASP Europe VZW.
Publications and resources
The Top Ten project was first published in 2003 with the goal of raising awareness about application security. It addresses the most critical risks organizations face through a regularly updated report on web application security concerns, developed by a group of security experts from all over the world. Various standards, books, tools and organizations, including MITRE, PCI DSS, the Defense Information Systems Agency and the United States Federal Trade Commission, draw on the Top 10 project.
The OWASP Top 10 2021 report includes the following security concerns:
A02:2021-Cryptographic Failures : Previously known as "Sensitive Data Exposure", this type of failure concerns the protection of data in transit and at rest. Such information includes authentication details, personal and financial information, business secrets, etc.
A07:2021-Identification and Authentication Failures : Applications that are not protected against automated attacks such as credential stuffing and brute force, or that permit default, weak or well-known passwords, fall under this category. Common Weakness Enumerations (CWEs) that relate more closely to identification failures are now incorporated within it.
A08:2021-Software and Data Integrity Failures : This new category relates to vulnerabilities in unverified software updates, critical data and CI/CD pipelines. In Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data, one of the highest weighted impacts is mapped to the 10 Common Weakness Enumerations in this category. "Insecure Deserialization" from 2017 now comes under this category.
A09:2021-Security Logging and Monitoring Failures : Previously termed "Insufficient Logging & Monitoring", the category has been expanded to include more types of failures that can impact accountability, visibility, incident alerting and forensics.
A10:2021-Server-Side Request Forgery : SSRF issues arise when a web application fetches a remote resource without validating the user-supplied URL, which lets an attacker make the application send a request to an unexpected destination, even when that destination sits behind a firewall, VPN or other network access control list (ACL) protection.
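The validation that A10 calls for, as an added Python example (not OWASP's code and not part of the original article): the user-supplied URL is accepted only for an allowlisted scheme and host, and the host's resolved addresses are rejected when they fall in loopback, link-local or private ranges. The hostnames and addresses below are constructed for illustration, and the resolver is injectable so the check can be exercised offline.

```python
"""SSRF mitigation (OWASP A10:2021): validate a user-supplied URL before
fetching it. Assumes the application should only ever fetch from a small
set of HTTPS hosts and must never reach internal networks."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https"}
# Constructed allowlist of hostnames the application is meant to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def _is_public_ip(ip: str) -> bool:
    """True only for routable addresses; rejects loopback, private,
    link-local (where cloud metadata services live), reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_fetch_url(url: str, resolver=socket.gethostbyname_ex):
    """Return (ok, reason). `resolver` has the gethostbyname_ex shape:
    (canonical_name, aliases, [ip, ...]).

    The resolved addresses are checked as well as the name, because an
    allowlisted name can still resolve to an internal address (DNS rebinding,
    a compromised zone). The caller should connect to one of the returned
    addresses rather than re-resolving the name at fetch time.
    """
    try:
        parts = urlparse(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"   # userinfo is never legitimate here
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    if port not in (None, 443):
        return False, "port not allowed"
    try:
        _, _, ips = resolver(host)
    except OSError:
        return False, "hostname does not resolve"
    if not ips or not all(_is_public_ip(ip) for ip in ips):
        return False, "host resolves to a non-public address"
    return True, "ok"
```

The check rejects rather than rewrites: a URL that fails any step is never fetched, and the reason string is suitable for a security log entry.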
The OWASP Zed Attack Proxy (ZAP) Project is one of the most active open-source Dynamic Application Security Testing tools today. It is maintained by a team of volunteers from all over the world. ZAP is an integrated penetration testing tool with detailed documentation that can be used by beginners as well as professional pen-testers.