20071012

Other Resources You Should Use: OWASP


There are certainly a ton of security resources out there, and I don't do a sufficient job of sharing the excellence of these with you. I suppose a large number of my readers (er, subscribers) are already actively involved with the groups I might mention here, but for those who aren't familiar with them (and I'm certainly not as familiar with them all as I ought to be), I'll start giving a list of resources that you, as a security professional or security-conscious application professional, should be aware of.

The first is probably the most obvious. The Open Web Application Security Project (OWASP) is best known for its Top Ten (the 2004 edition of which is section 6.5 of PCI). But OWASP has many more resources available to you: a lot of good code comes from OWASP, and a lot of good documentation.

Some of the highlights:

  • OWASP Top Ten. Everybody knows the 2004 edition. Learn the 2007 edition.

  • Reform, an excellent encoding library for Perl, Java, Python, PHP, .NET, and on and on; not just your mama's HTMLEncode() or <c:out />.

  • Sprajax, which is certainly in its infancy, but will hopefully fill out into a good Ajax fuzzer.

  • OWASP Testing Guide: if you want a standard testing methodology but don't know where to start, this is a good place to start.

  • CLASP, which is gaining a lot of traction in the industry. Again, if you want to use the work of others in figuring out how to implement security earlier in your lifecycle, a group of people like you have documented a way (certainly not the only way) to get it adopted.

  • Local Chapters: if there's a local OWASP chapter, get involved. Join the mailing list. Go to the meetups. Meet other security professionals in the area who speak your language and are facing the same challenges you are. Don't do your work in a vacuum.

  • Blogs (particularly Dinis Cruz)
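
The point behind the Reform entry above (one HTMLEncode() is not enough, because each output context has its own syntax) is easier to see in code. The following is an added example written for this post; it is not code from the OWASP Reform library or from the post's author. It follows Reform's rule of thumb (leave only ASCII letters and digits as-is, escape everything else in the syntax of the target context) for four contexts, and includes a constructed stand-in for a minimal HTMLEncode() that escapes only the four characters & < > " (an assumption made for illustration). The single-quote check at the end shows why the minimal encoder, applied to a value dropped into a JavaScript string, lets the value end the string literal.

```python
"""Context-aware output encoding, in the spirit of OWASP Reform.

Added example, not OWASP Reform's or the post author's code. Each
encoder keeps ASCII letters and digits and escapes everything else
using the escape syntax that the target context actually understands.
"""
import urllib.parse


def legacy_html_encode(s: str) -> str:
    """Constructed stand-in for a minimal HTMLEncode(): only & < > " are escaped.
    Note that the single quote is left alone."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def encode_for_html(s: str) -> str:
    """HTML body context: entity-encode the five characters that can start
    markup or end an attribute value (& < > " ')."""
    return (legacy_html_encode(s).replace("'", "&#x27;"))


def encode_for_html_attribute(s: str) -> str:
    """Quoted HTML attribute context: numeric entity for every non-alphanumeric,
    so the value can never close the quote regardless of quote style."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):x};"
                   for c in s)


def encode_for_javascript(s: str) -> str:
    """JavaScript string-literal context: \\xHH (or \\uHHHH) for every
    non-alphanumeric. HTML entities are NOT decoded inside <script>, which is
    why entity encoding is the wrong tool for this context."""
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02x}")
        else:
            out.append(f"\\u{ord(c):04x}")
    return "".join(out)


def encode_for_url(s: str) -> str:
    """URL query-parameter context: percent-encode everything except the
    unreserved characters, so the value cannot add or split parameters."""
    return urllib.parse.quote(s, safe="")


ENCODERS = {
    "html": encode_for_html,
    "html_attribute": encode_for_html_attribute,
    "js_string": encode_for_javascript,
    "url_param": encode_for_url,
}


def render(context: str, untrusted: str) -> str:
    """Encode an untrusted value for exactly one named output context."""
    return ENCODERS[context](untrusted)


def js_single_quoted_literal_end(body: str) -> int:
    """Simulate how a JS parser reads text placed inside a single-quoted string
    literal: return the index of the first unescaped ' (where the literal would
    end early), or -1 if the value stays inside the literal."""
    i = 0
    while i < len(body):
        if body[i] == "\\":      # backslash escapes the next character
            i += 2
            continue
        if body[i] == "'":
            return i
        i += 1
    return -1


if __name__ == "__main__":
    # Constructed sample input: a value containing a quote and markup.
    value = "O'Brien <b>"
    for ctx in ENCODERS:
        print(f"{ctx:15} {render(ctx, value)}")
    # The minimal encoder leaves the apostrophe, so inside var s = '...';
    # the literal ends at index 1; the JS encoder keeps it inside the literal.
    print("minimal encoder, literal ends at:",
          js_single_quoted_literal_end(legacy_html_encode(value)))
    print("js encoder, literal ends at:",
          js_single_quoted_literal_end(encode_for_javascript(value)))
```

The design point is that the encoder is chosen by where the value lands in the response, not by where it came from; a template that puts the same value into an attribute, a script block and a link needs three different calls.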


OWASP is made up of volunteers, much like you, who want to see applications become more secure. They've been around for quite a while, run a Season of Code from time to time (from which good libraries and tools come), and are an excellent resource for folks new to application security, developers trying to make things more secure, and professionals trying to standardize on processes.
