This page captures important references to OWASP in official, or otherwise important, documents. It does not include presentational or educational materials, sales literature, forum messages, blog postings, news stories or press releases.
Hyperlinks have not been added within the text, other than those automatically added by the wiki, to reduce the risk of misinterpretation. Please read the source documents in full to understand the context. Entries in each category are ordered by organisation name ascending, then date ascending.
Some OWASP projects maintain their own lists of citations, quotations, recommendations, testimonials and users:
- OWASP Application Security Verification Standard (ASVS) Project - Users
- OWASP Enterprise Security API (ESAPI) Project - Users and Adopters
- OWASP ModSecurity Core Rule Set Project - Contributors, Users and Adopters
- OWASP Security Spending Benchmarks (SSB) Project - News Coverage
- OWASP Testing Guide Quotes
- OWASP Top Ten Project - Users and Adopters and How Are Companies/Projects/Vendors Using the OWASP Top_10
National & International Legislation, Standards, Guidelines, Committees and Industry Codes of Practice
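|L'Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI)||France||Sécurité et langage Java - Guide de Règles et de Recommandations Relatives au Développement d’Applications de Sécurité en Java Translation: Security and the Java Language - Guide to Rules and Recommendations for the Development of Security Applications in Java||6 November 2009||1.3|| In "3 Définitions et Présentation de la Démarche", "l’OWASP fournit également des informations de sensibilisation des développeurs d’applications Java EE aux problématiques de sécurité. Bien que la plupart de ces informations sortent du périmètre de l’étude JAVASEC qui se concentre sur Java SE, ce document constitue un complément intéressant. Il est accessible à l’adresse http://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#J2EE_Security_for_Developers." and in "4.8 Gestion des entrées/sorties - Identifiant : 16 Nom : Vérification des données en entrée", "Références :  http://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#
Translation: In "3 Definitions and Presentation of the Approach", "OWASP also provides information to raise the awareness of Java EE application developers about security issues. Although most of this information falls outside the scope of the JAVASEC study, which focuses on Java SE, this document is a useful complement. It is available at http://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#J2EE_Security_for_Developers." and in "4.8 Input/output management - Identifier: 16 Name: Input data validation", "References:  http://www.owasp.org/index.php/OWASP_Java_Table_of_Contents#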
|Canadian Cyber Incident Response Centre||Canada||TR08-001 Alleviating the Threat of Mass SQL Injection Attacks (also in French)||18 June 2008||1.0.0|| In "3.2 Application security best practices", "... The following elements should be considered as part of the SDLC for application security: ... Adopt and apply secure design and coding practices for web application software development. Guidance is available from numerous sources including ... and the Open Web Application Security Project (OWASP) http://www.owasp.org." and in "5 Resources", "Open Web Application Security Project (OWASP): http://www.owasp.org ... OWASP Testing Guide v2: http://www.owasp.org/images/e/e0/OWASP_Testing_Guide_v2_pdf.zip".
The Canadian Cyber Incident Response Centre is part of Public Safety Canada.
|Center for Internet Security (CIS)||USA||Apache Benchmark for Unix||October 2006||1.4 & 1.5||"... added reference to Web Application Security Consortium along with OWASP ..." - see revision history in version 1.6 below|
|Apache Benchmark for Unix||November 2006||1.6||In "Introduction", "... For Web Application security issues, visit the Open Web Application Security Project (OWASP) website - http://www.owasp.org and ...", in "L1 20 Implementing Secure Socket Layer (SSL) with Mod_SSL", "The openssl command can be very useful in debugging and testing the SSL configurations. See http://www.openssl.org/docs/apps/ciphers.html as well as OWASP testing tips http://www.owasp.org/index.php/SSL/TLS_Testing:_support_of_weak_ciphers" and in "Appendix C - References", "The Open Web Application Security Project. 'A Guide To Building Secure Web Applications', September 22, 2002. http://www.cgisecurity.com/owasp/html/index.html".|
|Apache Benchmark for Unix||July 2007||1.7||(As above in version 1.6)|
|Benchmark for Apache Web Server||December 2007||2.0||In "Pre-configuration Checklist", "Educated developers about writing secure code ... OWASP Top Ten - http://www.owasp.org/index.php/OWASP_Top_Ten_Project", and in "1.3 ModSecurity Core Rules Overview", "... Description ... You can learn more about the pros and cons of a negative security model in the presentation 'The Core Rule Set: Generic detection of application layer', presented at OWASP Europe 2007 ... Attack Detection ... Generic Attack Detection - Detect application level attacks such as described in the OWASP top 10. These rules employ context based patterns match over normalized fields. Detected attacks include:...", and in "1.15 Implementing Mod_SSL", "... Action ... The openssl command can be very useful in debugging and testing the SSL configurations. See http://www.openssl.org/docs/apps/ciphers.html as well as OWASP testing tips http://www.owasp.org/index.php/SSL/TLS_Testing:_support_of_weak_ciphers ...".|
|Benchmark for Apache Web Server||January 2008||2.1||(As above in version 2.0)|
|Benchmark for Apache Web Server||November 2008||2.2||(As above in version 2.0)|
|The CIS Security Metrics - Consensus Metric Definitions||11 May 2009||1.0||In "Defined Metrics - Information Security Budget as % of IT Budget - References", "... Open Web Application Security Project, Security Spending Benchmark Project https://www.owasp.org/index.php/Category:OWASP_Security_Spending_Benchmarks ..." and in "Defined Metrics - Information Security Budget Allocation - References", "Open Web Application Security Project, Security Spending Benchmark Project https://www.owasp.org/index.php/Category:OWASP_Security_Spending_Benchmarks".|
|Cloud Security Alliance (CSA)||Worldwide||Security Guidance for Critical Areas of Focus in Cloud Computing||April 2009||1.0||In "Section III. Operating in the Cloud - Domain 10: Incident Response, Notification, and Remediation", "There are other types of incidents that can affect an application in the cloud, which relate to data access, but stand alone as potentially serious for a user, and they are the OWASP Top 10 security vulnerabilities." and "The application framework can also provide components that provide protection against OWASP vulnerabilities.", and in "Domain 11: Application Security", "References... OWASP Top Ten Project, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".|
|Security Guidance for Critical Areas of Focus in Cloud Computing||December 2009||2.1||In "References", "OWASP Top Ten Project, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".|
|Cloud Controls Matrix||27 April 2010||1.0||In "Security Architecture - Application Security (SA-04)", "Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and complies with applicable regulatory and business requirements.".|
|Domain 10 Guidance for Application Security||July 2010||2.1||In "PaaS - Tools and Services", "Web-based, n-Tier applications have a rich body of knowledge about common types of vulnerabilities and their mitigation through groups such as the Open Web Application Security Project (OWASP), but similar knowledge bases for PaaS environments are scarce and will need time to mature." and in "References" "OWASP Top Ten Project, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".|
|Club de la Sécurité de l'Information Français (CLUSIF)||France||Sécurité des applications Web - Comment maîtriser les risques liés à la sécurité des applications Web? (also in English) Translation: How to control the risks related to Web Application Security?||September 2009||-|| In "II - Les technologies Web, incontournables, mais porteuses de nouveaux risques - II.3 - Des réglementations et des responsabilités", "Par voie de conséquence, la mise à disposition d’un service applicatif par une société peut engager la responsabilité  ...  https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex OWASP Secure Software Contract Annex : Cette annexe de contrat est destinée à aider les développeurs de logiciels et leurs clients à négocier d’importantes conditions contractuelles relatives à la sécurité du logiciel à développer ou à livrer. La raison en est que rien n’est prévu dans la plupart des contrats, les parties ayant souvent des points de vue radicalement différents sur ce qui a été initialement effectivement convenu. De fait, la définition claire des responsabilités et limites de chacun est la meilleure façon de s'assurer que les parties puissent prendre des décisions éclairées sur la façon de procéder.", in "IV - Les principales failles de sécurité des applications Web - IV.3 - Les fuites d’information", "Pour plus de précision sur les failles de sécurité des applications Web, le lecteur pourra se référer au Top Ten de l’OWASP  ...  http://www.owasp.org/index.php/OWASP_Top_Ten_Project", in "V - Quelles bonnes pratiques pour mettre en oeuvre une application Web sécurisée ? - V.2 - Identification des besoins et appréciation des risques", "Une première évaluation du coût peut être réalisée à ce stade afin de rester cohérent avec les objectifs de la maîtrise d’ouvrage, en utilisant une méthodologie comme OpenSAMM, qui permet d’estimer des coûts pour les différentes étapes du cycle de développement  ...  
http://www.opensamm.org/" and "Des méthodes et des outils de modélisation de menaces accessibles existent afin de faciliter cette démarche.  ...  http://www.owasp.org/index.php/Threat_Risk_Modeling", in "V.3 - Conception et implémentation", "Les équipes peuvent également se référer au Guide de conception et d’implémentation d’applications Web sécurisées de l’OWASP  ...  http://www.owasp.org/index.php/Category:OWASP_Guide_Project", in "VI - Vérification de la sécurité des applications Web - VI.2.2 - Audit de code", "L’OWASP a publié un manuel de revue de code des applications Web  ...  http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project", in "VI.2.3 - Test d’intrusion", "Pour plus d’information, on pourra consulter le manuel de test de la sécurité des applications Web publié par l’OWASP  ...  http://www.owasp.org/index.php/Category:OWASP_Testing_Project".
Translation: In "II - Web technologies, essential, but carrying new risks - II.3 - Regulations and responsibilities", "Consequently, the provision of an application service by a company may engage the liability  ...  https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex OWASP Secure Software Contract Annex: This contract annex is intended to help software developers and their customers negotiate important contractual conditions relating to the security of the software to be developed or delivered. The reason is that most contracts make no provision for this, and the parties often have radically different views on what was actually agreed at the outset. Clearly defining the responsibilities and limits of each party is therefore the best way to ensure that the parties can make informed decisions on how to proceed.", in "IV - The main security flaws of Web applications - IV.3 - Information leakage", "For more detail on the security flaws of Web applications, the reader may refer to the OWASP Top Ten  ...  http://www.owasp.org/index.php/OWASP_Top_Ten_Project", in "V - Which good practices for implementing a secure Web application? - V.2 - Identification of needs and risk assessment", "An initial cost estimate can be made at this stage, in order to remain consistent with the objectives of the project owner, using a methodology such as OpenSAMM, which makes it possible to estimate costs for the various stages of the development cycle  ...  http://www.opensamm.org/" and "Accessible threat modelling methods and tools exist to facilitate this approach.  ...  http://www.owasp.org/index.php/Threat_Risk_Modeling", in "V.3 - Design and implementation", "Teams can also refer to the OWASP guide to designing and implementing secure Web applications  ...  http://www.owasp.org/index.php/Category:OWASP_Guide_Project", in "VI - Verifying the security of Web applications - VI.2.2 - Code audit", "OWASP has published a code review manual for Web applications  ...  http://www.owasp.org/index.php/Category:OWASP_Code_Review_Project", in "VI.2.3 - Penetration test", "For more information, one can consult the Web application security testing manual published by OWASP  ...  http://www.owasp.org/index.php/Category:OWASP_Testing_Project".
|Defense Information Systems Agency (DISA)||USA||Recommended Standard Application Security Requirements (Draft)||11 March 2003||2.0 (draft)||In "Appendix B References", "B.5 Best Practices... 32. Open Web Application Security Project (OWASP): “The Ten Most Critical Web Application Security Vulnerabilities” (13 January 2003)".|
|Web Server Technical Implementation Guide||11 December 2006||6 Rel 1||In "1.1 Background", "Major security forums (e.g., SysAdmin, Audit, Network, Security (SANS) Institute and the Open Web Application Security Project (OWASP)) publish reports describing the most critical Internet security threats. From these reports, some threats unique to web server technology are as follows...".|
|Application Security and Development - Security Technical Implementation Guide||24 July 2008||2 Rel 1||In "Appendix A References", "Open Web Application Security Project http://www.owasp.org/" and "Open Web Application Security Project Threat Risk Modeling http://www.owasp.org/index.php/Threat_Risk_Modeling".|
|Application Security and Development Checklist||24 July 2008||2 Rel 1.1|| Multiple OWASP website references providing vulnerability examples.
Superseded (see below).
|Application Security and Development Checklist||26 June 2009||2 Rel 1.5||OWASP referenced in "APP3020 Threat model not established or updated... Detailed information on threat modeling can be found at the OWASP website. http://www.owasp.org/index.php/Threat_Risk_Modeling", "APP3550 Application is vulnerable to integer overflows... Examples of Integer Overflow vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Integer_overflow", "APP3560 Application contains format string vulnerabilities... Examples of Format String vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Format_string_problem", "APP3570 Application vulnerable to Command Injection... Examples of Command Injection vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Command_Injection", "APP3580 Application vulnerable to Cross Site Scripting... Examples of Cross Site Scripting vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Cross_Site_Scripting", "APP3600 Vulnerable to canonical representation attacks... Examples of Canonical Representation vulnerabilities can be obtained from the OWASP website. http://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode", "APP3630 Application vulnerable to race conditions... Examples of Race Conditions vulnerabilities can be obtained from the OWASP website. https://www.owasp.org/index.php/Reviewing_Code_for_Race_Conditions", and "APP5100 Fuzz testing is not performed... The following website provides an overview of fuzz testing and examples: http://www.owasp.org/index.php/Fuzzing".|
|Defence Signals Directorate||Australia||Australian Government Information and Communications Technology Security Manual (ACSI 33)||September 2008||-||In "Web applications - Guidance", "G#101 22.214.171.124. Agencies are recommended to follow the documentation provided in the Open Web Application Security Project (OWASP) guide to building secure Web applications and Web services.", in "Web applications - Rationale", "Web applications 126.96.36.199. The OWASP guide provides a comprehensive resource to consult when developing Web applications." and in "Web applications - References", "188.8.131.52. Further information on Web application security is available from the OWASP at http://www.owasp.org.".|
|European Network and Information Security Agency (ENISA)||Europe||Web 2.0 Security and Privacy Position Paper||10 December 2008||-||In '6.1.6 Developer Issues/Browser Vendors', 'There already exists quite a large body of development best-practice and descriptions of common pitfalls so, rather than re-inventing the wheel, we would refer the reader to the following as examples: The OWASP Guide to Building Secure Web Applications (84), ...', in '5.5.1 Fraudulent Pedigree/Provenance - 184.108.40.206 Example 2: Control of Botnets via Mashups', 'Mashups are perfectly suited to massively distributed systems with untraceable control structures and are therefore likely to lead to a variety of related attacks (see Use of Web 2.0 technologies to control botnets (38) and ...' and in '8 References and Links', '38. Use of Web 2.0 technologies to control botnets. http://www.owasp.org/images/0/02/OWASP_Day_Belgium_2007-pdp.ppt ' and '84. The OWASP Guide to Building Secure Web Applications v2. http://www.owasp.org/index.php/Category:OWASP_Guide_Project '.|
|Cloud Computing Risk Assessment||20 November 2009||-||In "Application Security in Infrastructure as a Service", "... They must be designed or be embedded with standard security countermeasures to guard against the common web vulnerabilities (see OWASP top ten (40)). ... In summary: enterprise distributed cloud applications must run with many controls in place to secure the host (and network – see previous section), user access, and application level controls (see OWASP (41) guides relating to secure web/online application design). ... ", in "Software Assurance", "Include any standards that are followed, e.g., OWASP (46), SANS Checklist (47), SAFECode (48)." and in References, "40. OWASP [Online] http://www.owasp.org/index.php/OWASP_Top_Ten_Project ... 41. — [Online] http://www.owasp.org/index.php/Category:OWASP_Guide_Project ... 46. OWASP [Online] http://www.owasp.org/index.php/Main_Page".|
|Federal Chief Information Officers (CIO) Council||USA||Guidelines for Secure Use of Social Media by Federal Departments and Agencies||September 2009||1.0|| In "The Threat - Web Application Attacks", "The Open Web Application Security Project (OWASP) has published guidance to improve the level of web application security, but it is not easy to determine if a social media website is following OWASP principles and building more secure web applications ... OWASP Foundation, A Guide to Building Secure Web Applications and Web Services, in What are web applications? 2006, © 2001 – 2006 OWASP Foundation.".
|Federal Financial Institutions Examination Council (FFIEC)||USA||Information Technology Examination Handbook||July 2006||-||In "Information Security - Systems Development, Acquisition, and Maintenance - Security Control Requirements", "Management may also refer to published, widely recognized industry standards as a baseline for establishing their security requirements. For example, for externally facing Web applications the Open Web Application Security Project (www.owasp.org) produces one commonly accepted guideline.".|
|GovCertUK||UK||SQL Injection||16 January 2009||1.0|| In "3.2 SQL Injection", "The OWASP Foundation has produced two tools that can be used to learn about and analyse attacks. The WebGoat application has been developed to demonstrate web application security errors, including SQL injection, and educate developers in how to avoid them. A web proxy, such as OWASP’s WebScarab, is needed to complete some of the WebGoat activities. Such a proxy is used to intercept communications between the browser and application, providing a means of changing the data in each message. Where appropriate examples have been taken (with permission) from the WebGoat application and WebScarab proxy output.", extensive use of screen captures from WebGoat and WebScarab, in "6.4 Education", "The key contributors in SQL injection protection are usually the application and web developers and system administrators... There are free resources on the Internet to encourage a better awareness of SQL injection techniques and guides on how to avoid it. Two examples of such free resources are OWASP Foundation’s WebGoat and ...", in "7 Acknowledgements", "Thanks to the OWASP Foundation’s WebGoat Project and WebScarab Project for their permission to use examples from these tools in this paper. They are published under the Creative Commons Licence" and in "8 References", "[i] OWASP WebGoat Project, OWASP Foundation, 15 January 2009, http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project [j] OWASP WebScarab Project, OWASP Foundation, 17 November 2008, http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project".
GovCertUK is the UK Government Emergency Response Team and is part of CESG.
|Information-Technology Promotion Agency (IPA)||Japan||Secure Programming Course from the IPA Information-technology SEcurity Center (ISEC)||2002||-|| In SQL Argument Validation, "...Direct SQL Command Injection (English), Open Web Application Security Project http://www.owasp.org/projects/asac/iv-sqlinjection.shtml", in Dangerous Perl Functions, "...Direct OS Command Injection (English), Open Web Application Security Project http://www.owasp.org/projects/asac/iv-dosinjection.shtml", and in Unix Path Security, "...Directory Traversal (English), Open Web Application Security Project http://www.owasp.org/projects/asac/iv-directorytraversal.shtml".
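|Study of Web Server Mandatory Access Control||March 2005||-||In section 3.3, "...様々な方針が考えられるが、ここでは、The Open Web Application Security Project の示す Web アプリケーションにおけるセキュリティの指針を元に脆弱性対策の方向性を示す http://www.owasp.org/documentation/guide/guide_about.html" Translation: "... Various approaches are conceivable, but here we set out the direction of vulnerability countermeasures based on the Web application security guidelines presented by The Open Web Application Security Project http://www.owasp.org/documentation/guide/guide_about.html"|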
|Symfoware ST (Symfo-06-DS3001) in the JISEC Certified/Validated Products List.||9 May 2007||2.3||In Table 6.2 on vulnerability assessment information assurance measures "ＡＶＡ＿ＶＬＡ．２ ... ＯＷＡＳＰ（Ｏｐｅｎ Ｗｅｂ Ａｐｐｌｉｃａｔｉｏｎ Ｓｅｃｕｒｉｔｙ Ｐｒｏｊｅｃｔ）が発表している、Ｗｅｂサイトのセキュリティ脆弱性の情報" Translation: "AVA_VLA.2 ... information on Web site security vulnerabilities published by OWASP (Open Web Application Security Project)"|
|Open Source Software Evaluation Lab Environment||November 2007||-||In "Intercepting proxies" of the "Security evaluation" category, "...WebScarab ... http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project".|
|International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)||Worldwide||ISO/IEC TR24729-4, Information technology — Radio frequency identification for item management — Implementation guidelines — Part 4: Tag data security||March 2009||-||In "Normative references", "Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Main_Page". See http://www.grifs-project.eu/db/?q=node/129|
|ISM3 Corporation||Worldwide||Information Security Management Maturity Model||April 2009||2.10|| In "OSP-8 Software Development Lifecycle Control - Related Methodologies", "OWASP" and in "OSP-19 Internet Technical Audit - Related Methodologies", "OWASP".
Superseded (see below).
|Information Security Management Maturity Model||November 2007||2.3||(As above in version 2.10)|
|Ministère de l’Écologie, de l’Énergie, du Développement durable et de l’Aménagement du territoire||France||Guide de réalisation Java Translation: Java Development Guide||July 2009||2.1|| In "Commun-24-01", "... ou de l'OWASP (Open Web Application Security Project) pour la lutte contre les causes d'insécurité(http://www.owasp.org) font référence."
Translation: In "Commun-24-01", "... or of OWASP (Open Web Application Security Project) for the fight against the causes of insecurity (http://www.owasp.org) are a reference."
|Guide de réalisation PHP Translation: PHP Development Guide||July 2009||2.1||(As above)|
|National Infrastructure Security Co-ordination Centre (NISCC)||UK||Secure web applications - Development, installation and security testing (NISCC Briefing 10/2006)||27 April 2006||-|| In References "OWASP Secure Web Application Guide http://www.owasp.org/documentation/guide/guide_about.html".
NISCC is now part of the UK Centre for the Protection of National Infrastructure.
|Commercially Available Penetration Testing - Best Practice Guide||8 May 2006||-|| In "Methodologies", "There are a number of open source penetration testing methodologies that can be used as a reference when examining provider methodologies. Examples include... OWASP - Open Web Application Security Project (http://www.owasp.org)".
NISCC is now part of the UK Centre for the Protection of National Infrastructure.
|National Institute of Standards and Technology (NIST)||USA||Framework and Roadmap for Smart Grid Interoperability Standards||September 2009||1.0 (draft)|| In "6.4 Smart Grid Cyber Security Strategy", "The initial draft list of vulnerability classes was developed using information from several existing documents and websites, e.g., NIST SP 800-82 and the Open Web Application Security Project (OWASP) vulnerabilities list." and in "8 List of Acronyms", "OWASP Open Web Application Security Project".
See also NISTIR 7628 below.
|Interagency Report 7628 (draft) - Smart Grid Cyber Security Strategy and Requirements||September 2009||Draft|| In "1.4.2 Performance of a risk assessment of the Smart Grid, including assessing vulnerabilities, threats and impacts.", "The initial draft list of vulnerability classes was developed using information from several existing documents and websites, e.g., NIST SP 800-82 and the Open Web Application Security Project (OWASP) vulnerabilities list.", in "Appendix C - NIST CSCTG Vulnerability Classes", "As input to the classification process, we used many sources of vulnerability information, including NIST 800-82 and 800-53, OWASP vulnerabilities, CWE vulnerabilities, attack documentation from INL, input provided by the NIST CSCTG Bottoms-Up group, and the NERC CIP standards.", in "C.3.1.1. Code Quality Vulnerability", "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways (OWASP page)", in "C.3.1.2. Arbitrary code execution Authentication Vulnerability", "Examples... Enrollment attacks (OWASP page Comprehensive list of Threats to Authentication Procedures and Data)", in "C.3.1.5. Environmental Vulnerability", "This category includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms. (OWASP page)", in "C.3.1.11. Path Vulnerability", "This category is for tagging path issues that allow attackers to access files that are not intended to be accessed. Generally, this is due to dynamically construction of a file path using unvalidated user input (OWASP page).", in "C.3.1.14. Sensitive Data Protection Vulnerability", "Please note that this category is intended to be different from access control problems, although they both fail to protect data appropriately. Normally, the goal of access control is to grant data access to some users but not others. In this category, we are instead concerned about protection for sensitive data that are not intended to be revealed to or modified by any application users. Examples of this kind of sensitive data can be cryptographic keys, passwords, security tokens or any information that an application relies on for critical decisions (OWASP page).", in "C.4.1.1. API Abuse", "An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract (OWASP page)" and "For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated (OWASP page)." and in "References", "Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Category:Vulnerability".
Issued by the Computer Security Division (CSD).
|Interagency Report 7581 - System and Network Security Acronyms and Abbreviations||September 2009||-|| "OWASP Open Web Application Security Project".
Issued by the Computer Security Division (CSD).
|National Security Agency/Central Security Service||USA||Oracle Application Server on Windows 2003 Security Guide (I733-032R-2006)||December 2006||-||In "References", "Stock, A., July 2005, A Guide to Building Secure Web Applications and Web Services, 2.0, The Open Web Application Security Project (OWASP).".|
|Web Application Security Overview and Web Application Security Vulnerabilities (I733-034R-2007)||2007||-||"... One well-respected industry source is the Open Web Application Security Project (OWASP), an open community dedicated to application security. OWASP's extensive library and collection of tools is freely available at http://www.owasp.org. A great place to start is the OWASP Top Ten Project (http://www.owasp.org/index.php/OWASP_Top_Ten_Project). The OWASP document provides a list of critical web application security flaws and detailed suggestions for remediation. See inset box for a brief summary" and "... The Open Web Application Security Project (OWASP), an open community dedicated to application security, has developed a list of the top ten web application vulnerabilities. This list serves to educate managers, developers, and administrators to these most common vulnerabilities in the hopes of improving security. The list is summarized below...".|
|Minimize the Effectiveness of SQL Injection Attacks (I733-021R-2008)||May 2008||-|| In "What can an Application Programmer do?", "A well-respected source of information on web application security, to include SQL injection issues, is the Open Web Application Security Project (OWASP). At a minimum, implement the following OWASP recommendations: ..." and in "Detecting SQL Injection Vulnerabilities and Attacks", "... Information on how to go about testing for SQL injection vulnerabilities can be found on the OWASP website at http://www.owasp.org/index.php/Testing_for_SQL_Injection.".
This is one of a series of fact sheets from the NSA - see also SOA/Web Services below.
|Service Oriented Architecture Security Vulnerabilities Web Services||November 2008||-|| In "References", "OWASP Top 10 2007 – http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".
This is one of a series of fact sheets from the NSA - see also SQL Injection above.
|Manageable Network Plan||8 July 2009||1.1||In "Milestone 3: Protect Your Network (Network Architecture) - Consider", "... Do you have custom applications facing the Internet? If so, are they protected and/or are your developers trained in writing secure code? – For guidance on writing secure Web applications, see http://www.owasp.org/index.php/Category:OWASP_Guide_Project – For guidance on testing Web applications, see http://www.owasp.org/index.php/Category:OWASP_Testing_Project ..." and listed again in the "Quick Reference".|
|Payment Card Industry Security Standards Council (PCI SSC)||Worldwide||Data Security Standard||September 2006||1.1|| In Requirement 6: Develop and maintain secure systems and applications, "6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines..." and OWASP Top Ten 2004 listed as "Cover prevention of common coding vulnerabilities in software development processes, to include the following: 6.5.1 Unvalidated input, 6.5.2 Broken access control (for example, malicious use of user IDs), 6.5.3 Broken authentication and session management (use of account credentials and session cookies), 6.5.4 Cross-site scripting (XSS) attacks, 6.5.5 Buffer overflows, 6.5.6 Injection flaws (for example, structured query language (SQL) injection), 6.5.7 Improper error handling, 6.5.8 Insecure storage, 6.5.9 Denial of service, 6.5.10 Insecure configuration management".
Superseded by PCI DSS 1.2 (see below).
|Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified||15 April 2008||1.1|| In "Requirement 6.6 Option 2 – Application Firewalls - Recommended Capabilities", "React appropriately (defined by active policy or rules) to threats against relevant vulnerabilities as identified, at a minimum, in the OWASP Top Ten and/or PCI DSS Requirement 6.5.", and in "Additional Sources of Information", "This list is provided as a starting point for more information on web application security... OWASP Top Ten ... OWASP Countermeasures Reference ... OWASP Application Security FAQ ...".
Superseded by v1.2 (see below).
|Data Security Standard||October 2008||1.2||In Requirement 6: Develop and maintain secure systems and applications, "6.3.7 Review of custom code..." mention in "6.3.7b ...Code reviews ensure code is developed according to secure coding guidelines such as the Open Web Security Project Guide...". And "6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following: Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when PCI DSS v1.2 was published. However, if and when the OWASP guide is updated, the current version must be used for these requirements.", specifically "6.5.a Obtain and review software development processes for any web-based applications. Verify that processes require training in secure coding techniques for developers, and are based on guidance such as the OWASP guide (http://www.owasp.org)." and the OWASP Top Ten 2007 listed as "6.5.1 Cross-site scripting (XSS), 6.5.2 Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws, 6.5.3 Malicious file execution, 6.5.4 Insecure direct object references, 6.5.5 Cross-site request forgery (CSRF), 6.5.6 Information leakage and improper error handling, 6.5.7 Broken authentication and session management, 6.5.8 Insecure cryptographic storage, 6.5.9 Insecure communications, 6.5.10 Failure to restrict URL access".|
|Information Supplement: Application Reviews and Web Application Firewalls Clarified||October 2008||1.2|| In "Requirement 6.6 Option 2: Web Application Firewalls - Recommended Capabilities", "React appropriately (defined by active policy or rules) to threats against relevant vulnerabilities as identified, at a minimum, in the OWASP Top Ten and/or PCI DSS Requirement 6.5." and in "Additional Sources of Information", "This list is provided as a starting point for more information on web application security. ... OWASP Top Ten ... OWASP Countermeasures Reference ... OWASP Application Security FAQ ...".
|SAFECode||Worldwide||Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today.||8 October 2008||-||Links to "OWASP Top Ten", "OWASP PHP AntiXSS Library", "OWASP Canonicalization, Locale and Unicode", "OWASP Reviewing Code for Logging Issues", and "OWASP Error Handling, Auditing and Logging".|
|SANS Institute||USA||Top 20||November 2005||6||In "C3. PHP-based Applications - C3.6 References", "OWASP Webpage (Contains tools and documents for testing Web Application Vulnerabilities) http://www.owasp.org ...".|
|November 2006||7|| In "C1 Web Applications - C1.3 How to Protect against Web Application Vulnerabilities", "... From the developer perspective: ... Join secure coding organizations, such as OWASP (see references) to boost skills, and learn about secure coding ... Test your apps using the OWASP Testing Guide with tools like WebScarab, ..." and in "C1 Web Applications - C1.4 References", "OWASP - Open Web Application Security Project http://www.owasp.org ... OWASP Testing Guide http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents ... OWASP Guide - a compendium of secure coding http://www.owasp.org/index.php/Category:OWASP_Guide_Project ... OWASP Top 10 - Top 10 web application security weaknesses http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".
|November 2007||8||In "S1 Web Applications - S1.3 How to Protect against Web Application Vulnerabilities", "... From the developer perspective: ... Join secure coding organizations, such as OWASP (see references) to boost skills, and learn about secure coding ... Test your apps using the OWASP Testing Guide with tools like WebScarab, ..." and in "S1 Web Applications - S1.4 References", "OWASP - Open Web Application Security Project http://www.owasp.org ... OWASP Testing Guide http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents ... OWASP Guide - a compendium of secure coding http://www.owasp.org/index.php/Category:OWASP_Guide_Project ... OWASP Top 10 - Top 10 web application security weaknesses http://www.owasp.org/index.php/Top_10_2007".|
|Shared Assessments||Worldwide||Agreed Upon Procedures (AUP)||-||2.0-4.0||OWASP referenced - exact text unknown|
|November 2009||5.0||In "I. Information Systems Acquisition, Development and Maintenance - I.1 Application Vulnerability Assessments/Ethical Hacking - Objective", "An organization should perform application penetration tests or ethical hacking of proprietary web-facing applications. Industry standards such as OWASP should be utilized as a foundation for detecting vulnerabilities in the applications, and measuring the effectiveness of the application security controls in place." and in the following section "Procedure", the OWASP Top Ten 2007 are listed as "For the application selected in step b, obtain the most recent ethical hack or application penetration test and inspect for evidence of the following attributes: 1. Cross Site Scripting (XSS) 2. Injection Flaws 3. Malicious File Execution 4. Insecure Direct Object Reference 5. Cross Site Request Forgery (CSRF) 6. Information Leakage and Improper Error Handling 7. Broken Authentication and Session Management 8. Insecure Cryptographic Storage 9. Insecure Communications 10. Failure to Restrict URL Access".|
|Trusted Information Sharing Network for Critical Infrastructure Protection (TISN)||Australia||Information Security Principles for Enterprise Architecture||June 2007||-||In "Recommendation 2.6: Implement security based on transparent, trusted and proven solutions", "...Best practice information system development and management processes such as: ... Open Web Application Security Project (OWASP)—an open-source project dedicated to finding and fighting the causes of insecure software. The OWASP Guide provides methodology and processes for..." and in the checklist "Trusted and proven information system development processes such as ITIL, OWASP and CIS (see page 44 for a definition)—are used or considered when developing information systems".|
|Defence in Depth||June 2008||-|| In "Risk Analysis methodology - Identify risk", "...After threat classification, threat rating is performed using the DREAD model ... Open Web Application Security Forum (OWASP), Threat Risk Modelling, March 2008, www.owasp.org/index.php/Threat_Risk_Modeling#DREAD", in "Assessing technology risks - Approaches", "Application review—analyse critical applications for compliance with secure application development standards (e.g. OWASP) ... Open Web Application Security Project (OWASP), OWASP Guide 2.1, accessed 2008: www.owasp.org", in "Implementing technology controls - Application (client and server)", "...As the application security space (in particular the web application security) has matured over the past decade, many resources have become available for detailing the breadth of controls available ... Open Web Application Security Project (OWASP), OWASP Guide 2.1, accessed 2008: http://www.owasp.org/" and in "Implementing technology controls - Control analysis - Focus area guideline: Application security - implementation", "Adopt secure application development and review processes ... Best-practice processes/tools (OWASP, OASIS) ...".
|User-access management||June 2008||-|| In "Trends & Emerging Threats - Migration to browser-based web applications", "...Web application vulnerabilities may leave data and applications at risk of unauthorised access or tampering, and allow circumvention of access controls ... Open Web Application Security Project (OWASP), Top 10 2007, 2007, http://www.owasp.org/index.php/Top_10_2007".
|World Wide Web Consortium (W3C)||Worldwide||Mobile Web Application Best Practices||1 September 2010||Working draft||In "3 Best Practice Statements - 3.2 Security and privacy", "For example, see OWASP for a good summary of common Web security Best Practices".|
Important Reports and Other Resources
|Australian Computer Emergency Response Team (AusCERT)||Australia||Submission to House of Representatives Standing Committee on Communications – Inquiry into Cyber Crime||2009||-||In "Goal to prevent cyber attacks from occurring", "At the national level, implement regulations which require 1. any organisation hosting a commercial web site (as opposed to a web page) to adhere to web application security standards, such as those by OWASP..."|
|Canadian Cyber Incident Response Centre||Canada||Security publications||Ongoing||-||OWASP materials reference e.g. in "IN08-002: SQL Injection Attacks", "... Additional mitigation techniques may be found at Open Web Application Security Project (OWASP) website: http://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java#Defence_Strategy ..."|
|Centre d'Expertise Gouvernemental de Réponse et de Traitement des Attaques Informatiques (CERTA)||France||Notes d'information||Ongoing||-|| OWASP materials reference e.g. in "CERTA-2008-INF-003 - Les attaques de type 'cross-site request forgery'", "... Documentation ... CSRF Guard : http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project"
CERTA is part of Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) in France's Secrétariat Général de la Défense Nationale.
|Combined Security Incident Response Team (CSIRTUK)||UK||CSIRTUK advisories||Ongoing||-|| OWASP designation used in advisory categorisation.
CSIRTUK is part of the UK Centre for the Protection of National Infrastructure.
|Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS)||USA||Software Security Assurance State-of-the-Art Report (SOAR)||31 July 2007||-||In Section 6: Software Assurance Initiatives, Activities, and Organizations, "6.2 Private Sector Initiatives", "6.2.1 OWASP... 6.2.1.1 Tools... WebGoat... WebScarab... 6.2.1.2 Documents and Knowledge Bases... AppSec FAQ... Guide to Building Secure Web Applications... Legal knowledge base... Top Ten Web Application Security Vulnerabilities...".|
|National Cyber Security Division||USA||Common Weakness Enumeration||Ongoing||-|| OWASP Top Ten (2007) view, OWASP Top Ten (2004) view and OWASP in Taxonomies.
The National Cyber Security Division is part of the U.S. Department of Homeland Security.
|Office of the Privacy Commissioner of Canada||Canada||Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. (also in French)||16 July 2009||-||In the section "Industry Review" of "Summary of Investigation", OWASP mentioned in paragraph 344 "we learned that an organization known as the Open Web Application Security Project (OWASP) promotes the development of secure applications and has created several guidelines addressing issues of session management... OWASP recommends to website creators that sessions should timeout after 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. Although OWASP has not provided actual definitions for high-, medium-, or low-value data, it does cite ... as examples of high-value data and ... as examples of low-value data." and in paragraph 345 "...our Office's review of how various websites manage sessions indicates that the OWASP guidelines are not widely used in the industry..."|
International, national governmental and other significant specification, invitation to tender (ITT) and request for proposal (RFP) documents.
|Banco Central Do Brasil||Brazil||Processo no: 0701385050 (penetration testing for web applications)||19 February 2008||-||In paragraph 5.3 "... test for the presence of the vulnerabilities described by OWASP (http://www.owasp.org/index.php/Category:Vulnerability) that can be detected through remote black-box tests.", in paragraph 5.4.2 "the OWASP classification of the vulnerability, according to the page http://www.owasp.org/index.php/Category:Vulnerability;" and in paragraph 5.6 "... recommendations of the OWASP Testing Guide (http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents)."|