OWASP – what it can give you beyond the Top Ten
You've probably heard of the OWASP Top Ten. Let's see what other resources OWASP offers to help you secure your apps!
Most developers and security experts have heard about the OWASP Top Ten. But the organization that puts the list together also offers a lot of other resources for securing your web applications.
The Open Web Application Security Project (OWASP) is a non-profit foundation backed by a community of over 46,000 security experts. Their goal is to improve the state of web application security by producing free and open source (FLOSS) materials, documentation and tools through a wide range of activities. The individuals behind OWASP work at a large variety of software security-related companies. OWASP and its local chapters usually get funding from such companies, too. To maintain fairness and impartiality, it is their policy to not endorse commercial products or services – though they do display corporate advertising for their supporters on each page.
A little something from OWASP for everyone
Most of the knowledge is concentrated in Projects in the form of Tools (standalone software to identify vulnerabilities or assist in testing), Code (libraries to protect against certain vulnerabilities), or Documentation (information about vulnerabilities, security standards, or best practices). They generally target one or more of three main user groups: Builders, Breakers and Defenders. Builders’ interest is in secure coding practices and prevention of issues. Breakers’ interest is in security testing and finding issues. And last but not least, Defenders’ interest is in creating security software to make the job of attackers more difficult.
There are close to a hundred OWASP projects, but only a few of them qualify as top-quality “Flagship” projects. Here are some of the most commonly used resources we’d recommend for secure coding and security testing:
OWASP Tools
- OWASP Amass is a penetration testing tool for mapping the target application’s attack surface.
- The OWASP Zed Attack Proxy (ZAP) is a useful tool for testing web applications, comparable to widely-used penetration testing proxies such as Burp or Fiddler.
- OWASP WebGoat (Java), Security Shepherd (Java/Android) and OWASP Juice Shop (Node.js) are intentionally vulnerable applications to help practice your application security skills.
- Dependency-Check and Dependency-Track allow automated detection of vulnerable project dependencies in a number of programming languages and build systems, with CI/CD integration.
Code
- The OWASP CSRFGuard protects against Cross-Site Request Forgery attacks for Java web apps.
- The OWASP ModSecurity Core Rule Set is a set of generic attack detection rules to be used with web application firewalls to protect against many common attacks.
Documentation
- The Top Ten is a very important document to learn more about the most critical web application security risks. Find the current version at owasp.org.
- The OWASP Cheat Sheet Series condenses the most important things to know about various vulnerabilities – as well as security features – into an easily-digestible format. It is also reasonably up-to-date.
- The OWASP Security Knowledge Framework provides guidance for designing secure web applications.
- For testers, the OWASP Application Security Verification Standard as well as the OWASP Web Security Testing Guide and the Mobile Security Testing Guide give guidance about what to target during a security test, and – more importantly – how to test for certain weaknesses.
- The OWASP Software Assurance Maturity Model (SAMM) is one of the commonly-used methodologies to build security into your software development process (alongside BSIMM and Microsoft SDL).
Needles and haystacks
Before OWASP migrated to GitHub Pages in 2020, its main site was a community-edited wiki. Thousands of security experts – frequently with full-time jobs – made contributions over the years but did not always keep them up to date. Therefore, a significant challenge for OWASP was to maintain a sprawling and aging knowledge base with numerous abandoned projects (e.g. AntiSamy.NET). With the new GitHub page, this is not a problem (yet). However, it may come up if a page from the wiki shows up in a search or an older article references it.
If unsure about the validity of the information on a particular page, look at the History page to see the date of publishing and last update as well as yellow template text indicating deprecation. In general, when looking for security information on owasp.org, it’s a good idea to start from a related flagship project page and progress to pages from the links you can find there, since those projects need to go through a strict review process.
Beyond the OWASP Top Ten
Of course, you will not find all information on the wiki. The organization has local chapters in many parts of the world regularly holding meetups. Visiting these gatherings is a good way to keep up with recent trends in software security, as well as possibly getting involved with OWASP as a volunteer yourself!
We cover OWASP guidance and best practices in our courses that deal with web application security.