
20071112

Other Resources You Should Use: WASC


The Web Application Security Consortium (WASC) is a professional organization dedicated to measuring risk in web applications, and educating people in all levels of web application involvement on those risks. If you just take a look at the Officers listing, you can tell it's a very all-star cast.

Here are a few of the resources on WASC I frequent:

  • The WASC Threat Classification lists the common threats against web applications, although it takes a purely black-box approach, so no generic fixes are documented.
  • Thanks to several of the vendors backing WASC, the Security Statistics section is very valuable when trying to put together high-level justification for a security program, or to measure improvement versus the "internet norm".
  • The WASC Mailing List is quite active with Q and A, posts about security products, full disclosure, and discussion of specific attack vectors. If you prefer to just lurk, an RSS feed is available.
  • If you're in the Bay area, WASC has frequent meetups, which you can't miss if you're watching the mailing list or the news links on the WASC site.
For the statistics alone, WASC is worth a pretty frequent visit. Because of vendor participation (most notably WhiteHat Security), there are really good metrics that you can refer to for comparing measurements.

20071012

Other Resources You Should Use: OWASP


There are certainly a ton of security resources out there, and I don't do a sufficient job of sharing the excellence of these with you. I suppose a large number of my readers (er - subscribers) are actively involved with the groups I might mention, but for those who aren't familiar with them (and I'm certainly not as familiar with them all as I ought to be), I'll start giving a list of resources that you, as a security professional or security-conscious application professional, should be aware of.

The first is probably the most obvious. The Open Web Application Security Project (OWASP) is best known for its Top Ten (the 2004 edition of which is section 6.5 of PCI). But OWASP has many more resources available to you. A lot of good code comes from OWASP, and a lot of good documentation.

Some of the highlights:

  • OWASP Top Ten. Everybody knows the 2004 edition. Learn the 2007 edition.
  • Reform, an excellent encoding library for Perl, Java, Python, PHP, .NET, and on and on - not just your mama's HTMLEncode() or <c:out />.
  • Sprajax, which is certainly in its infancy, and will hopefully fill out some as a good Ajax fuzzer.
  • OWASP Testing Guide: if you want a standard testing methodology but don't know where to start, this is a good place to start.
  • CLASP is gaining a lot of traction in the industry. Again, if you want to use the work of others in figuring out how to implement security earlier in your lifecycle, a group of others like you have been documenting a way (certainly not the only way) to get things adopted.
  • Local Chapters: if there's a local OWASP chapter, get involved. Join the mailing list. Go to the meetups. Meet other security professionals in the area who speak your language and are facing the same challenges you are. Don't do your work in a vacuum.
  • Blogs (particularly Dinis Cruz).

OWASP is made up of volunteers much like you who want to see applications get more secure. They've been around for quite a while, have a season of code from time to time, from which good libraries and tools come, and are an excellent resource for folks new to application security, developers trying to make things more secure, and professionals trying to standardize on processes.