Projects Summit 2013/Projects Participating
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.
The Code Review Guide focuses on secure code reviews and tools that aim to support the developer community. Such an activity is very powerful as it gives the developer community a place to start regarding secure application development.
The Development Guide is aimed at architects, developers, consultants, and auditors. It is a comprehensive manual for designing, developing, and deploying secure Web Applications and Web Services. The OWASP Developer Guide 2013 aims to focus the content from countermeasures and weaknesses to secure software engineering.
The OWASP Education Projects
The OWASP Education project is meant to centralize all educational initiatives of OWASP. The project will not deliver education material as such, but define standards and guidelines on education material. Furthermore, this project aims to create an easy entrance towards understanding application security and usage of the OWASP tooling. By creating education documentation papers, screen scrape video courses, and setting up an OWASP Boot camp, a controlled education process of a standardized quality can be created continuously.
- OWASP Boot Camp
- OWASP Training Events
- OWASP Academy Portal
- OWASP University Outreach
- OWASP Student Chapter
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications.
The Software Assurance Maturity Model (SAMM) is an open framework that aims to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization. SAMM was defined with flexibility in mind such that it can be utilized by small, medium, and large organizations using any style of development.
This Testing Guide Project’s goal is to create a “best practices” web application penetration testing framework which users can implement in their own organizations. Contributors of this project are currently writing Version 4 of the guide, and are actively seeking authors.
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience, and as such, is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
The primary focus is at the application layer. While we take into consideration the underlying mobile platform and carrier inherent risks when threat modeling and building controls, we are targeting the areas that the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure which the mobile apps communicate with. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.