Developing secure applications has always been a difficult task. Software that manages critical functions once serviced only users on internal networks; today, applications run on Web servers accessible to users anywhere in the world. Not only have the scope and magnitude of Web applications increased, but so has the complexity of securing them. The Open Web Application Security Project (OWASP) comes to the rescue of Web application architects with tools, frameworks, and guidelines to improve security in applications.
Security expert Mark Curphey founded OWASP in 2000. The project is supported by the not-for-profit OWASP Foundation and has five non-paid board members and about 130 project and chapter leaders. The OWASP board members (Dinis Cruz, Jeff Williams, Dave Wichers, Tom Brennan, and Sebastien Deleersnyder) allocate the OWASP budget, manage projects and chapters, and organize OWASP conferences. The OWASP project is supported financially by the profits from conferences and membership fees, and all tools and documentation on the OWASP Web site are available for free.
"OWASP is an enabler of Web application security-related projects," OWASP board member Cruz says. The project offers guidance material and tools to help developers throughout their software development process. Cruz says OWASP also tries to help make developers' Web applications more secure. "OWASP documents and tools help all parties involved to understand better what are the security implications of their actions so that they can make correct risk decisions."
Highly regarded tools and documentation
OWASP doesn't have an official panel of security experts, although Cruz says the project has security professionals on its board, and most of the OWASP contributors are experts in their areas. According to Josh Sweeney, a security expert and editor of SecurityDistro.com, "the people at the OWASP project are heavily involved in many aspects of security. They network with multiple security vendors to get as many knowledgeable people involved as possible."
In fact, the US Federal Trade Commission recommends that companies use the OWASP Top 10 project to reduce risks to their computer systems. The Top 10 project produces an awareness document that describes the top 10 Web application security vulnerabilities.
The OWASP documentation applies not only to Linux, Apache, MySQL, and PHP (LAMP), the popular open source Web development stack, but also to all Web platforms, including Java Platform, Enterprise Edition (Java EE), Microsoft .Net Framework, ColdFusion, Apache Struts, Microsoft Internet Information Services (IIS), Apache Tomcat, and IBM WebSphere. According to Cruz, in addition to Top 10, the OWASP Testing Guide is also popular with developers. It focuses on application security-testing procedures and checklists.
Dr. Thorsten Schneider, managing director of International Institute for Training, Assessment, and Certification (IITAC) and developer of the Damn Vulnerable Linux (DVL) project, is impressed by OWASP's range of tools and documentation. "OWASP projects support the community well, and their tools help in understanding (in)security topics," he says. As part of his research, Schneider has developed a new Secure Software Engineering (S2e) development model based on OWASP's Comprehensive, Lightweight Application Security Process (CLASP) project, which focuses on defining process elements that reinforce application security.
OWASP has more than 20 tools in various stages of development. Its two most popular "release quality" applications are produced by the WebGoat Project, which is an online training environment for hands-on learning about application security, and the WebScarab Project, which is a tool for performing all types of security testing on Web applications and Web services.
"WebGoat is a great tool for students to learn about all the neat Web problems out there," says Schneider, who uses it as part of his university lectures. WebGoat is also integrated in the latest DVL release, called E605, and Schneider will add more OWASP tools in upcoming releases, including CAL9000, WebScarab, and JBroFuzzer.
To make sure the project stays on the bleeding edge of Web application security, OWASP uses the funds obtained from the paid OWASP membership fees and the profits from the OWASP AppSec conferences to sponsor development of new and existing OWASP projects.
"Although I am a big defender and believer of free information, tools, and open source, I don't agree that contributors should always work for free," says Cruz, explaining the project's motivation for the sponsorship program. "At the end of the day, time is money, and there is a physical limitation on how much time somebody is able to dedicate to a project with no financial reward. For example, it is much easier to say no to paid work if one is going from 100% of their daily rate to 30% than it is to go from 100% to 0%."
In addition to sponsoring projects directly, OWASP organizes a wide-open sponsorship program, inviting people to propose and work on their choice of security projects. In 2006, it sponsored nine projects under the banner of OWASP Autumn of Code 2006. This year, the program was called OWASP Spring of Code 2007 (SpoC) and funded more than 27 new application security projects with a budget of more than $115,000. Additionally, the SpoC budget allows OWASP to grant $1,000 each, no strings attached, to 10 popular and useful open source projects selected by OWASP members. Cruz says that with SpoC OWASP experimented a new sponsorship scheme -- it allowed new members to directly allocate their membership fees to sponsor specific projects.
Sweeney, himself a participant in SpoC, thinks the sponsorship program is a great opportunity for people with different skills to contribute to various open source security tools projects via OWASP and receive compensation for those contributions. "This year was really great," Sweeney says, "because the OWASP team had enough funds to make it possible for everyone who entered to participate. The amount of compensation that each person or group drew in was based on multiple criteria. To us, OWASP appeared to be fair and balanced with their choices. The only drawback that I have seen by taking part in the OWASP SpoC is the timeliness of the process. Many decisions were made after the dates that they were promised, and many emails either were not returned or were returned weeks after sending. However, I do understand that many members who are part of OWASP have other daily duties. It can't be easy running one of the most, if not the most, successful nonprofit open source Web application security groups in the world."
Now that the project has lots of tools and documentation under its belt, Cruz believes the main area it needs to concentrate on is quality. He thinks OWASP needs to clean up a lot of its projects and materials and maybe even consolidate some of the projects, so that it is much easier to use them. "Ideally, I would like to be able to allocate much bigger budgets to specific projects, namely to improve their usability, documentation, and security," Cruz says. "OWASP should also be performing (or enabling) a security review of all OWASP tools."
One way to do this, Cruz suggests, is through the sponsorship programs. He says OWASP might change the rules next time around and directly request work be done on specific projects. The project is also looking to get its best documents published in printed format so that they're exposed to a bigger audience, and "to motivate its authors to work on the next versions." Some titles are available as printed books via Lulu.com.
OWASP has an impressive, useful, and well-respected collection of documentation and security tools that can help you during all stages of software development. If you're new to developing Web apps or are an information security student, you'll also find educational tools to teach you all there is to know about Web application security. And if you're a seasoned developer who wants to work on a security-related tool or project, OWASP has funds to pay you for your time.