Industry:Citations

From OWASP
Revision as of 08:03, 8 July 2009 by Clerkendweller (Talk | contribs)


This is a draft page containing work in progress.

OWASP Projects

Several OWASP projects maintain their own lists of citations, references and discussions.


Legislation, Standards, Guidelines and Industry Codes of Practice

Hyperlinks have not been added to citations, to prevent any misinterpretation. Please read the source documents in full to understand the context.

| Organisation | Scope | Document | Date | Version | Comments |
|---|---|---|---|---|---|
| GovCertUK (the UK Government Emergency Response Team, part of CESG) | UK | SQL Injection | 16 January 2009 | 1.0 | In "3.2 SQL Injection": "The OWASP Foundation has produced two tools that can be used to learn about and analyse attacks. The WebGoat application has been developed to demonstrate web application security errors, including SQL injection, and educate developers in how to avoid them. A web proxy, such as OWASP's WebScarab, is needed to complete some of the WebGoat activities. Such a proxy is used to intercept communications between the browser and application, providing a means of changing the data in each message. Where appropriate examples have been taken (with permission) from the WebGoat application and WebScarab proxy output." Extensive use of screen captures from WebGoat and WebScarab. In "6.4 Education": "The key contributors in SQL injection protection are usually the application and web developers and system administrators... There are free resources on the Internet to encourage a better awareness of SQL injection techniques and guides on how to avoid it. Two examples of such free resources are OWASP Foundation's WebGoat and ...". In "7 Acknowledgements": "Thanks to the OWASP Foundation's WebGoat Project and WebScarab Project for their permission to use examples from these tools in this paper. They are published under the Creative Commons Licence". |
| National Infrastructure Security Co-ordination Centre (NISCC) (now part of the UK Centre for the Protection of National Infrastructure) | UK | Commercially Available Penetration Testing - Best Practice Guide | 8 May 2006 | - | In "Methodologies": "There are a number of open source penetration testing methodologies that can be used as a reference when examining provider methodologies. Examples include... OWASP - Open Web Application Security Project (http://www.owasp.org)". |
| National Infrastructure Security Co-ordination Centre (NISCC) (now part of the UK Centre for the Protection of National Infrastructure) | UK | Secure web applications - Development, installation and security testing (NISCC Briefing 10/2006) | 27 April 2006 | - | In References: "OWASP Secure Web Application Guide http://www.owasp.org/documentation/guide/guide_about.html". |
| Payment Card Industry Security Standards Council (PCI SSC) | Worldwide | Data Security Standard | September 2006 | 1.1 | In Requirement 6: Develop and maintain secure systems and applications, "6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines...". Superseded by PCI DSS 1.2 (see below). |
| Payment Card Industry Security Standards Council (PCI SSC) | Worldwide | Data Security Standard | October 2008 | 1.2 | In Requirement 6: Develop and maintain secure systems and applications, "6.3.7 Review of custom code...", mentioned in "6.3.7b ...Code reviews ensure code is developed according to secure coding guidelines such as the Open Web Security Project Guide...". And "6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following: Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when PCI DSS v1.2 was published. However, if and when the OWASP guide is updated, the current version must be used for these requirements." And specifically "6.5.a Obtain and review software development processes for any web-based applications. Verify that processes require training in secure coding techniques for developers, and are based on guidance such as the OWASP guide (http://www.owasp.org)." |

Important Reports and Other Resources

| Organisation | Scope | Document | Date | Version | Comments |
|---|---|---|---|---|---|
| Combined Security Incident Response Team (CSIRTUK) (part of the UK Centre for the Protection of National Infrastructure) | UK | CSIRTUK advisories | Ongoing | - | OWASP designation used in advisory categorisation. |
| Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS) | USA | Software Security Assurance State-of-the-Art Report (SOAR) | 31 July 2007 | - | In Section 6: Software Assurance Initiatives, Activities, and Organizations, "6.2 Private Sector Initiatives... 6.2.1 OWASP... 6.2.1.1 Tools... WebGoat... WebScarab... 6.2.1.2 Documents and Knowledge Bases... AppSec FAQ... Guide to Building Secure Web Applications... Legal knowledge base... Top Ten Web Application Security Vulnerabilities...". |
| National Cyber Security Division (part of the U.S. Department of Homeland Security) | Worldwide | Common Weakness Enumeration | Ongoing | - | OWASP Top Ten (2007) view, OWASP Top Ten (2004) view and OWASP in Taxonomies. |