Testing Guide Foreword

Forward by Jeff Williams, OWASP Chair
DRAFT - in progress

The problem of insecure software is perhaps the most important technical challenge of our time. Security is now the key limiting factor on what we are able to create with information technology.

At OWASP, we're trying to make the world a place where insecure software is the anomoly, not the norm, and the OWASP Testing Guide is an important piece of the puzzle. It goes without saying that you can't build a secure application without performing security testing on it. Yet many software development organizations do not include security testing as part of their standard software testing process.

Security testing is one piece of a complex set of teams, roles, activities, policies, standards, tools, and technologies that make building a secure application possible. Testing, by itself, isn't a particularly good measure of how secure an application is. The reason is that there are an infinite number of ways that an attacker might be able to make an application break, and it simply isn't possible to test them all.

However, security testing has the unique power to absolutely convince naysayers that there is a problem. Security testing has proven itself as a key ingredient in any organization attempting to produce secure software.

Why OWASP?
Creating a guide like this is a massive undertaking, representating decades of work.

It's impossible to underestimate the importance of having this guide available in a completely free and open way. There are simply too many applications and too many lines of code for individual

Security guidance is very susceptible to commercial pressures.

How the problem keeps evolving. Goal is to reduce the time lag

We've set up the best system for keeping this up to date. Books, etc... are all ephemeral.

Tailoring and Prioritizing
Need to tailor to YOUR organization's technologies, processes, and organizational structure.

The key is prioritizing. You have limited testing time and resources. Be sure you spend it wisely.

Use Automated Tools with Caution
they're generic they're seductive they can be a huge distraction

Call to Action
If you're building software, I strongly encourage you to get familiar with the security testing guidance in this document.

Join us.