OWASP: Application Security is Everyone’s Responsibility

The Open Web Application Security Project (OWASP) bridges the gap between security professionals and developers with valuable resources, tools, and events.

It may be time for you to evaluate application security from a new perspective. According to Martin Knobloch, Chair of the OWASP Global Board of Directors, application security starts even before the first line of code. “It’s the same as any process where safety is at stake. A chef in a kitchen needs the proper tools and ingredients to prepare food that’s safe. An automobile manufacturer needs the proper parts and tools to build a car that’s safe. We need to put everything in place so a developer can do safe work,” Knobloch says.

The Open Web Application Security Project (OWASP), the worldwide nonprofit focused on software security, approaches the issue as a “people, process, and technology problem,” because it takes improvement in all three areas to develop applications that are secure. OWASP is perhaps best known for its top ten lists, such as the Top Ten Most Critical Web Application Security Risks and the Top 10 Proactive Controls, a list of security techniques that should be included in every software development project. Still, Knobloch points out, “Security is not only a developer problem. It’s everyone’s problem.” He encourages businesses to also reference OWASP’s other resources, such as its Software Assurance Maturity Model (SAMM) project, which helps tailor software security to the specific risks an organization faces.

Meet OWASP in San Jose

ISVs in the U.S. have the opportunity to attend OWASP’s AppSec USA 2018, scheduled for October 8-12 in San Jose, CA. The conference features best practices and industry topics including: privacy, secure development, security assessment, mobile security, browser security, OWASP tools or projects in practice, secure coding, container security, and ethical hacking. Tracks are available specifically for developers as well as for security professionals and executives.

Keynote speakers include:

Karen Staley, OWASP Executive Director, points out that OWASP is committed to diversity, both among event presenters and among attendees. OWASP is establishing a scholarship fund to help more women in more diverse roles attend OWASP conferences.

AppSec is a prime opportunity to experience OWASP’s passionate community that “lives and breathes security culture,” Staley says. “Anyone who attends the conference will benefit and return to their jobs inspired and recharged.”

A list of future OWASP events is available on the organization’s website.

Knobloch says attending conferences and events is also the most rewarding part of his job. It gives him the opportunity to meet face to face with people who have benefited from OWASP’s work. “They’ll tell us they used security testing and found an issue or were able to make changes to their organization based on an OWASP project,” Knobloch says.

A Free and Open Organization

Organized in 2001 as an open community, OWASP welcomes anyone to use its resources, including cheat sheets, which help software engineers and security professionals find problems and fix them, and testing tools that address a wide range of vulnerabilities.

In addition, anyone can submit ideas for and participate in OWASP projects. Knobloch says, “There are no barriers; whether you are a new developer or a 20-year veteran, we can all work together for security.” He says he and the other board members see their primary function as guiding, not being in charge. “No one is more important than another person. We are a community. It’s about sharing knowledge with no barriers.”

Staley, who joined the organization last year, says one of her goals is for OWASP to keep pace by advancing projects from the incubator stage to the flagship stage so they’ll be available when needed. “Some of our projects are referenced in PCI Compliance Standards. We want to continue to stay in the forefront,” Staley says.

Although engaging with OWASP and participating in its projects are open to anyone, software developers and others are encouraged to join as members. OWASP has more than 3,500 paying members who are eligible to vote for board members, attend conferences at a discount, and receive a variety of other benefits.

Meet OWASP in Your Hometown

There are 226 OWASP chapters around the world that hold regional meetings with speakers or events including hackathons. Again, membership isn’t required, only a desire to contribute to the work of the community. “Go, meet your peers, and share your knowledge,” Knobloch says.