Despite my rather arty farty post image, the authentic OWASP logo is this:
What is OWASP?
The Open Web Application Security Project, or OWASP to keep it catchy, is a global community of like-minded information security people, who make efforts to help ensure that web applications are secure and safe places for people to go about doing their stuff.
Be it through sharing knowledge, skills, tools, technical documentation and the like, OWASP is generally respected as the foremost place to go to not only gain a better understanding of web application security, but to also properly implement it.
How did I find out about it?
In previous posts, I mentioned that my mate Carl put on some developer training around security, crafted and delivered by Troy Hunt. These courses were specifically around the 'OWASP Top 10 2013', this being the top 10 web application vulnerabilities of the time. OWASP itself doesn't prescribe what makes it into this particularly dodgy hit parade. No, it calls out to industry and asks for feedback on the most typical or common types of attack experienced by web application operators and essentially makes a list based on numbers.
So, each course covered one through 10. What each vulnerability is, how it manifests and is exploited, the damage it can cause and of course how to successfully mitigate against it.
That's how I found out about OWASP.
When we bought our first license of Netsparker, one of the first things I noticed was that certain vulnerability reports it provided were specifically tailored around the 'OWASP Top 10'. It began to feel important. Like some sort of manuscript by which people could follow good, no great software security principles.
Because the 'Top 10' has remained largely static in recent years, it's made it far easier for me to kick off dialogues with developers and architects and managers alike. So, for example, injection has been at number one for ages and rightly so, with XSS and poorly implemented auth and / or session management wrestling for second and third spots over that time.
It's helped me to keep things simple, if stark; if we don't prevent this stuff, we potentially lose data, customers are compromised, we lose reputation, we lose money, we lose our company. People lose jobs. Those concepts help galvanise attention and OWASP doesn't sugar coat any of that.
To bring a more positive vibe, OWASP not only gives you the warnings, risks and so on, it gives you plenty to help you work up the solutions, especially when you combine its wisdom and seemingly endless material with the courses available, such as those mentioned earlier.
Has it helped?
Where I work, OWASP has now become a 'thing' that I can use to discuss security with developers, architects and some managers. It's like an access all areas pass in some ways - "Guys, DOM based XSS vulnerabilities are present in our CMS, and it's in the OWASP TOP THREE!!!". That usually gets enough attention to see a fix in place inside a day. Or this - "We've got a badly baked session cookie in our Portal and if it gets intercepted, then Alice is gonna be Bob and we won't even know!"...
And as a result, I'm seeing developers do things like this:
Set-Cookie:ASP.NET_SessionId=; path=/; Secure; HttpOnly; SameSite=Strict
And I'm like "Wow!". The guys are getting it.
OWASP contains a lot of deep theory, tonnes of examples, megatons of guidance and tooling, but for me, the 'Top 10' itself is powerful enough a tool to get good practice onto the agenda and give software people and their leaders a place to head towards.
So, I'm now an OWASP member
A month or so back, I decided to apply to become a member. By doing so, I gained access to people, as in fellow members of the project. This is important, because I believe most of my fellow members are there for similar reasons as I am; making the web a safer place to be. There's an OWASP chapter local to me that I'm now a part of, where I can rock up at meetings to share my experiences and valuably learn new things. This is important to me, because I give a shit about striving towards a safer web and working with like-minded people in doing so.
OWASP provides members with a .owasp.org email account and this provides a level of authenticity, so I can use this to open dialogue with people, in the knowledge that they see me as part of this positive force. It's all good, as far as I'm concerned.
OK, summing up
OWASP is a community based and led authority on web application security that everyone in the business of making software should really have membership of, or at least have its many Wiki articles bookmarked in their secure coding documentation.
Being a member doesn't make me something special, but it's important to me, as it provides me with a vast array of new things to consider and also the opportunity to contribute and do my bit.
The 'Top 10' is due to be refreshed this year, but is snagged on conjecture over a couple of changes, but you can bet your arse that injection, XSS and shit auth / session management will still hold the top three positions and rightly so.
Thanks for reading.