OWASP

OWASP, the Open Worldwide Application Security Project (formerly Open Web Application Security Project), is an online community that publishes open-source information and resources on IoT, system software and web application security.^[5] It is led by a non-profit called The OWASP Foundation.

OWASP

Founded	2001[1]
Founders	Mark Curphey[1]
Type	501(c)(3) nonprofit organization
Purpose	Web security, application security, vulnerability assessment
Method	Industry standards, conferences, workshops
Membership	approx. 13,000 volunteers (2017)[2]
Key people	Andrew van der Stock, Executive Director; Kelly Santalucia, Director of Events and Corporate Support; Harold Blankenship, Director of Technology and Projects; Jason C. McDonald, Director of Community Development; Dawn Aitken, Operations Manager; Lauren Thomas, Event Coordinator[3]
Revenue	$2.3 million (2017)[4]
Website	owasp.org

History

Mark Curphey started OWASP on September 9, 2001.^[1] Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. As of 2015^[update], Matt Konda chaired the Board.^[6] The OWASP Foundation, a 501(c)(3) non-profit organization in the US established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP is also registered as a non-profit organization in Belgium under the name of OWASP Europe VZW.^[7] In February 2023, it was reported by Bil Corry, a OWASP Foundation Global Board of Directors officer,^[8] on Twitter that the board had voted for renaming from the Open Web Application Security Project to its current name, replacing Web with Worldwide.^[9]

Resources

Tools

• OWASP ZAP: a penetration testing tool.
• Webgoat: a deliberately insecure web application created by OWASP as a guide for secure programming practices.^[1]

Publications

• OWASP Top Ten
  • The "Top Ten", first published in 2003, is an annual listing of critical application security risks.^{[10][11][12][13][14]} Many standards, books, tools, and many organizations reference the Top 10 project, including MITRE, PCI DSS,^[15] the Defense Information Systems Agency (DISA-STIG), and the United States Federal Trade Commission.^[16][17]
• OWASP Development Guide
• OWASP Testing Guide
• OWASP Code Review Guide
• OWASP Top 10 Incident Response Guidance.^[18]

Models and standards

• OWASP Software Assurance Maturity Model^[19]
• OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.^[20]

Other projects

• OWASP XML Security Gateway (XSG) Evaluation Criteria Project.^[21]
• OWASP AppSec Pipeline^[22]
• OWASP Automated Threats to Web Applications^[23][24]
• OWASP API Security Project^[25]
• OWASP AI Maturity Assessment Project (AIMA)^[26]

Certifications

They also several certification schemes.^[27][28][29]

Awards

The OWASP organization received the 2014 Haymarket Media Group SC Magazine Editor's Choice award.^[30][31]

See also

• Open Source Security Foundation