Open Worldwide Application Security Project (OWASP)


The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software applications and services.

  • fka Open Web Application Security Project; renamed Open Worldwide Application Security Project in 2023 to reflect a scope that goes beyond web applications (APIs, mobile, cloud, supply chain)
  • founded 2001
  • mission is to provide free, open-source tools, standards, and educational resources so that developers and organizations can build more secure applications
  • international community of volunteers organized in local chapters, supported by the OWASP Foundation as the nonprofit legal entity
  • promotes awareness of application security issues
  • develops resources to educate developers, testers, and users
  • publishes free security testing tools that help organizations find vulnerabilities; finding is what the tools do, fixing is still the application team's job
  • the best known of these, the OWASP Zed Attack Proxy (ZAP), is an intercepting proxy and dynamic application security testing (DAST) scanner for running web applications; ZAP left OWASP in 2023 to join the Linux Foundation's Software Security Project and remains free and open source

OWASP Projects

OWASP Top 10

The OWASP Top 10 is an awareness document that names and ranks the ten most critical categories of web application security risk.

  • represents a consensus view of the most critical web application security risks, built from contributed application-testing data plus a community survey
  • ranks risk categories (such as Injection), not individual vulnerabilities; each category is identified as A01 through A10 with the edition year, e.g. A01:2021
  • is explicitly not a standard or a complete checklist; use the OWASP Application Security Verification Standard (ASVS) for verifiable requirements and the Cheat Sheet Series for remediation guidance
  • found here: https://owasp.org/Top10/
  • 2021 Top 10:
    1. Broken Access Control
    2. Cryptographic Failures
    3. Injection
    4. Insecure Design
    5. Security Misconfiguration
    6. Vulnerable and Outdated Components
    7. Identification and Authentication Failures
    8. Software and Data Integrity Failures
    9. Security Logging and Monitoring Failures
    10. Server-Side Request Forgery
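
The two categories at the top of the list are the easiest to show in code. The following is an added example written for this page, not code from OWASP or from the Top 10 document: it builds a small in-memory SQLite database from constructed sample users and invoices, then shows A03 Injection and A01 Broken Access Control each as a vulnerable function beside its corrected form. The table names, sample rows and the injection payload are all made up for the illustration.

```python
import sqlite3

# Constructed sample data for this example (not from OWASP): three users,
# one of them an administrator, and the invoices they own.
SAMPLE_USERS = [("alice", 0), ("bob", 0), ("admin", 1)]
SAMPLE_INVOICES = [(1, "alice", 120.0), (2, "bob", 75.5), (3, "alice", 9.99)]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, is_admin INTEGER)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_INVOICES)
    return conn


# A03:2021 Injection ---------------------------------------------------------

def find_user_vulnerable(conn, name: str) -> list:
    # Untrusted input is spliced into the SQL text, so a quote in the input
    # changes the query's structure. This is the bug, kept deliberately.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_fixed(conn, name: str) -> list:
    # Parameterized query: the value is bound by the driver and can never
    # become part of the SQL grammar, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# A01:2021 Broken Access Control ---------------------------------------------

INVOICE_SQL = "SELECT id, owner, amount FROM invoices WHERE id = ?"


def get_invoice_vulnerable(conn, requester: str, invoice_id: int):
    # Insecure direct object reference: the query is parameterized (no
    # injection), yet any caller can read any invoice by guessing its id,
    # because ownership is never checked. Also a deliberate bug.
    return conn.execute(INVOICE_SQL, (invoice_id,)).fetchone()


def get_invoice_fixed(conn, requester: str, invoice_id: int):
    # Authorization enforced server-side on every request: admins may read
    # any invoice, everyone else only their own; anything else is denied
    # (None), including unknown requesters.
    row = conn.execute("SELECT is_admin FROM users WHERE name = ?", (requester,)).fetchone()
    if row is not None and row[0]:
        return conn.execute(INVOICE_SQL, (invoice_id,)).fetchone()
    return conn.execute(INVOICE_SQL + " AND owner = ?", (invoice_id, requester)).fetchone()


def demo() -> dict:
    """Run each vulnerable/fixed pair against the sample database."""
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed injection payload
    return {
        "injection_vulnerable": find_user_vulnerable(conn, payload),
        "injection_fixed": find_user_fixed(conn, payload),
        "idor_vulnerable": get_invoice_vulnerable(conn, "bob", 1),
        "idor_fixed_other_user": get_invoice_fixed(conn, "bob", 1),
        "idor_fixed_owner": get_invoice_fixed(conn, "alice", 1),
        "idor_fixed_admin": get_invoice_fixed(conn, "admin", 2),
        "idor_fixed_unknown": get_invoice_fixed(conn, "mallory", 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run the file directly to see the results side by side. The point worth noticing is that `get_invoice_vulnerable` is fully parameterized and still broken: injection and access control are independent failures, which is why the Top 10 lists them as separate categories and why a clean SAST or WAF result says nothing about the second one.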

OWASP ESAPI (Enterprise Security API)

The OWASP ESAPI (Enterprise Security API) is a free, open-source application security control library that gives developers one consistent API for the security controls most applications need, so that each control is implemented once, correctly, rather than ad hoc in every code path.

  • the actively maintained implementation is ESAPI for Java; the ports to other languages are retired and should not be used for new work
  • its core interfaces include
    • Authenticator and AccessController (authentication and authorization)
    • HTTPUtilities (session and cookie handling, CSRF tokens)
    • Validator and Encoder (input validation and context-aware output encoding)
    • Encryptor and Randomizer (cryptography and secure random values)
    • Logger and IntrusionDetector (security logging and detection of anomalous use)
  • requires an ESAPI.properties configuration file on the classpath; review it rather than shipping the defaults
  • if all you need is output encoding, OWASP recommends the smaller OWASP Java Encoder project instead of pulling in all of ESAPI

OWASP ModSecurity

OWASP ModSecurity is an open-source web application firewall (WAF) engine that inspects HTTP requests and responses and logs or blocks traffic that matches its rules.

  • originally developed at Trustwave; the project was transferred to OWASP in 2024
  • runs as an Apache httpd module, through a connector for nginx, or on IIS
  • is only an engine: it ships with no detection rules of its own, so in practice it is deployed with the OWASP Core Rule Set (CRS), which provides generic detection for injection, cross-site scripting, protocol violations, and similar attack classes
  • provides real-time detection and virtual patching of attacks that the application's own controls miss; it is a compensating control, not a substitute for fixing the underlying vulnerability, and expect to tune the CRS paranoia level and add rule exclusions to keep false positives down

The Open Crypto Audit Project (OCAP)

The Open Crypto Audit Project (OCAP) is an independent nonprofit, not an OWASP project; it organizes and funds public security audits of widely used cryptographic software and publishes the results so that anyone relying on that software can assess the risk.

  • best known for the 2014-2015 public audit of TrueCrypt, run in two phases: a code and build-process review (iSEC Partners) followed by a cryptanalysis of the cipher and key-derivation code (NCC Group), with both reports released in full
  • its published reports are useful as worked examples of what a cryptographic implementation audit actually examines: key derivation, cipher modes, random number generation, and the build environment

OWASP Web Security Testing Guide (WSTG)

The OWASP Web Security Testing Guide (WSTG) is a comprehensive, freely available guide to testing the security of web applications and web services, maintained by the OWASP community.

  • designed to help developers, testers, and security professionals find and fix security vulnerabilities in web applications, and to give assessments a repeatable methodology whose results can be compared across engagements
  • https://owasp.org/www-project-web-security-testing-guide/
  • every test has a stable identifier of the form WSTG-<CATEGORY>-<NN> (for example WSTG-INPV-05 is SQL injection), which is what a pentest report should cite
  • the current release (v4.2) organizes web application testing into these categories:
    1. Information Gathering
    2. Configuration and Deployment Management Testing
    3. Identity Management Testing
    4. Authentication Testing
    5. Authorization Testing
    6. Session Management Testing
    7. Input Validation Testing
    8. Testing for Error Handling
    9. Testing for Weak Cryptography
    10. Business Logic Testing
    11. Client-side Testing
    12. API Testing
  • mobile applications are out of scope; they are covered by the separate OWASP Mobile Application Security Testing Guide (MASTG)

OWASP Cheat Sheet Series

The OWASP Cheat Sheet Series is a collection of concise, high-value guidance pages on specific application security topics (for example authentication, session management, input validation, SQL injection prevention, and logging), each written to be actionable by developers rather than exhaustive.

  • found here: https://cheatsheetseries.owasp.org/
  • the cheat sheets are cross-referenced to the Top 10 and to ASVS, so they are the natural place to look for remediation guidance once a finding has been classified