OWASP Projects Advance Application Security

Developers have the opportunity to contribute to OWASP projects — and make a big impact on application security. Learn how projects are managed by OWASP and how to get involved.

Well-known Open Web Application Security Project (OWASP) projects, such as The OWASP Top Ten and Top 10 Proactive Controls, are the result of the work by an active community dedicated to making applications more secure.

Harold Blankenship, director of projects and technology for OWASP, reminds developers, whether OWASP members or not, that they’re welcome – and needed – to work with the community to advance these projects.

Types of OWASP Projects

OWASP application security projects fall into three categories: code, tool, and documentation. Code projects are usually a code set that a developer can include in an application. Tool projects result in executable applications, which often allow developers to test their work. OWASP documentation projects provide guidance and best practices for application security.

How an Idea Becomes an OWASP Project

“If you’re interested in creating your own tool because you’ve been using one that doesn’t quite work, here you’ll have the support of the OWASP community to develop it,” says Blankenship.

After a developer submits an idea, Blankenship reviews it and sets up a project space on OWASP’s wiki. He points out that even though a project is new to OWASP, the developer may have been working on the idea for a while, so some are far beyond the idea stage when OWASP accepts them as “Incubator” projects. The developer who initiated the project remains the project leader and looks for volunteers to contribute. If two similar projects are submitted, Blankenship says he works with the project leaders to see if they can collaborate.

An example of an Incubator project new in 2018 is the Application Security Curriculum project, led by Adrian Winckles. This documentation project is compiling information on the skills necessary to address application security with the goal of establishing a curriculum that professors can use to prepare new graduates to meet the industry’s needs.

OWASP Lab Projects

After the project progresses, the leader can recommend that it advance from Incubator to “Lab” status. Blankenship, as well as others including project leaders from other projects, will review the project using OWASP criteria to ensure the project has advanced and has earned the new designation.

One project that achieved Lab status in 2018 is the Mobile Security Testing Guide. This documentation project, led by Sven Schleier and Jeroen Willemsen, establishes a set of security and testing standards for the technology used in mobile applications. It also includes a set of test cases that enables testers to deliver consistent results. You can contribute to this project in its GitHub repo.

Flagship Projects

OWASP grants the most polished, mature projects Flagship status. For example, the OWASP Dependency-Track Project was reviewed at AppSec US in October 2018. This Software Composition Analysis (SCA) tool examines third-party components and checks them for security vulnerabilities. Designed to be used in an automated DevOps environment, it integrates with multiple vulnerability databases and monitors all applications in its portfolio to proactively identify vulnerabilities.

Tell Your Friends

Blankenship comments that OWASP project leaders are always looking for volunteers, both from the developer community and from people skilled in other areas, like graphic arts, UI, documentation, and translation. Anyone who is interested should contact the leader of the project that interests them.

Now That You Know About OWASP Projects, Use Them

OWASP’s open source security applications, tools, and documentation projects are available to anyone. You can review a current list of all OWASP projects and find links to more information on OWASP’s wiki.

To learn more about OWASP and participating in projects, Blankenship suggests attending an AppSec event. These OWASP-sponsored conferences bring together people from industry, government, security, and other sectors to discuss the state of application security.

OWASP also has regional chapters where you can network and learn how local developers are investing their time and talents to advance OWASP projects.