Category:OWASP Guide Project

Welcome to the OWASP Guide Project

The OWASP Guide to Building Secure Web Applications v2 is now released. Its release was announced at Black Hat in Las Vegas in late July 2005. This new version of the OWASP Guide is a major overhaul of the original document, containing nearly three times as much material. The project is currently steered by Andrew van der Stock.

The original OWASP Guide had become a staple diet for many web security professionals. Since 2002, the initial version was downloaded over 2 million times. Today, the Guide is referenced by many leading government, financial, and corporate standards and is the Gold standard for web application security.

The Guide is aimed at architects, developers, consultants and auditors and is a comprehensive manual for designing, developing and deploying secure web applications. Among the 28 chapters and around 210 pages, some of the highlights include:


 * An Overview – describing what web applications and web services are.
 * How Much Security Do You Really Need ? – explaining how to assess the security need and perform risk assessments.
 * Phishing - Peer reviewed technical and process controls to reduce the risk from this most insidious form of fraud.
 * Architecture – Discussion on how Architecture considerations can ensure security where it's needed.
 * Authentication – Describes the different types of authentication possible and the common problems.
 * Authorization – Describes access control concepts.
 * Session Management – Describes the right way to manage sessions and generate session tokens.
 * Audit, Traceability and Logging – Describes what to log and how to log user and system events.
 * Data Validation – Describes strategies for dealing with unexpected input and what you need to block.
 * Injections - includes all form of injections: SQL, XML, LDAP, ORM, code, user agent (includes XSS) and more.
 * Privacy – Discusses privacy issues that may face your application.
 * Cryptography – How to use cryptography and describes some common mistakes.
 * File system - how to protect your most sensitive of files from being destroyed or made visible.
 * Canonicalization and Unicode issues
 * Deployment, Configuration, and more

In total, the new guide is nearly three times as long, but has nearly 10 times as many controls as the OWASP Guide 1.1.1. This major new release brings OWASP to the forefront of web application security research. The Guide is currently published in Word, HTML and PDF. You can find these files in the download section.

We plan to release a hardcopy version of the Guide (version 2.1) by the end of November when we go to print with the help of No Starch Press.