Tuesday, April 26, 2011

What is OWASP

Four years back, I was looking for help with security testing and found OWASP, with its many presentations, books and testing guides. It helped me a lot with my deliverables. OWASP's Top 10 is a popular one and reflects the current trend.

OWASP by the numbers (last year's report)

  • 420,000 page views per month
  • 6,381 Articles
  • 15,000 downloads per month
  • 21,000 members on mailing lists
  • 2,600 wiki users
  • 1,500 wiki updates per month
  • 160 chapters worldwide
  • 75 individual memberships
  • 118 tool and documentation projects
  • 17 Books
  • 43 corporate/educational memberships
  • 7 Board members (Jeff, Tom, Dave, Seb, Dinis, Matt, Eoin)
  • 39 Committee Volunteers
  • 3 Employees (Paulo, Kate, Alison)
  • 25 projects funded

OWASP - Open Web Application Security Project
OWASP is a community of people passionate about application security. It is a non-profit (501(c)(3) not-for-profit worldwide charitable organization), volunteer-driven organization. All members are volunteers and all work is donated by sponsors. They all share a vision of a world where you can confidently trust the software you use. Unfortunately, the current software market doesn't encourage security; that's something they are trying to change. One of its primary missions is to make application security visible so that people can make informed decisions about risk.

You can find lots of free and open source tools, documents, basic information, guidelines, presentations, video, and blogs at OWASP to help you get started.

  • Worldwide free and open community
  • Focused on improving the security of Web applications
  • Promotes secure software development
  • An open forum for discussion
  • Publications, Articles, Standards
  • Testing and Training Software
  • Local Chapters and Mailing Lists
  • Software libraries and tools

OWASP Software - WebGoat - Training application
WebGoat Project
  • Cross Site Scripting
  • SQL Injection Attacks
  • Thread Safety
  • Field & Parameter Manipulation
  • Session Hijacking and Management
  • Weak Authentication Mechanisms
  • Many more attacks added

OWASP Software - WebScarab - framework for analyzing HTTP/HTTPS traffic
WebScarab Project
  • Fragment Analysis – extract scripts and HTML as presented to the browser, instead of the source code presented by the browser post-render
  • Proxy – observe traffic between the browser and server, includes the ability to modify data in transit, expose hidden fields, and perform bandwidth manipulation
  • BeanShell – the ability to execute Java code on requests and responses before being transmitted between the browser and server; allows runtime extension of WebScarab
  • Spider – identifies new URLs within each page viewed
  • SessionID Analysis – Collection and analysis of cookies to determine predictability of session tokens
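The SessionID Analysis feature above collects cookies and looks at how predictable the session tokens are. The following is an added example (not WebScarab's code) of the kind of checks that analysis performs: per-character entropy, positions that never change, and whether successive token values step like a counter. The two token sets are constructed here; the "weak" one is a hex counter and the "strong" one is 128 random bits per token. Function names are my own.

```python
import math
import secrets
from collections import Counter

# Constructed sample data standing in for cookies a proxy collected over
# twenty logins. Both sets are made up for this example.
WEAK_TOKENS = [f"{0x1000 + i:08x}" for i in range(20)]     # counter: 00001000, 00001001, ...
STRONG_TOKENS = [secrets.token_hex(16) for _ in range(20)]  # 128 random bits each


def entropy_bits_per_char(tokens):
    """Shannon entropy of the character distribution across all samples.

    Hex tokens can reach at most 4 bits per character; a value far below that
    means most of the token is padding or a constant prefix.
    """
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def constant_positions(tokens):
    """Character positions that never change across the sample (fixed prefix/suffix)."""
    width = min(len(t) for t in tokens)
    return [i for i in range(width) if len({t[i] for t in tokens}) == 1]


def successive_deltas(tokens):
    """Differences between consecutive tokens interpreted as hex integers.

    Assumes hex-encoded tokens; other encodings would need their own decoder.
    """
    values = [int(t, 16) for t in tokens]
    return [b - a for a, b in zip(values, values[1:])]


def is_predictable(tokens, max_distinct_deltas=3):
    """A stream whose deltas take only a few distinct values behaves like a counter."""
    return len(set(successive_deltas(tokens))) <= max_distinct_deltas


def analyze(tokens):
    """Summarize the three checks for one set of session IDs."""
    return {
        "samples": len(tokens),
        "entropy_bits_per_char": round(entropy_bits_per_char(tokens), 2),
        "constant_positions": len(constant_positions(tokens)),
        "predictable": is_predictable(tokens),
    }


if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, analyze(toks))
```

For the weak set the analysis reports six of eight positions constant, under 2 bits of entropy per character, and a single repeated delta, which is the signature of a counter-based session ID that a server should never issue; the random set shows no constant positions, close to 4 bits per character, and no repeated deltas.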

My previous posts on security
Security Attacks - OWASP Top 10
Security Testing - WebScarab tool
Security Testing - CSS or XSS
