Web Application Security
Open Web Application Security Project (OWASP):

The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
- OWASP Top Ten: The "Top Ten", first published in 2003, is regularly updated. It aims to raise awareness about application security by identifying some of the most critical risks facing organizations. Many standards, books, tools, and organizations reference the Top 10 project, including MITRE, PCI DSS, the Defense Information Systems Agency (DISA-STIG), the United States Federal Trade Commission (FTC), and many more.
- OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
- OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing the most common web application and web service security issues. Version 4 was published in September 2014, with input from 60 individuals.
- OWASP Code Review Guide: The Code Review Guide is currently at release version 2.0, released in July 2017.
- OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.
Ø
Webgoat:
a deliberately insecure web application created by OWASP as a guide for secure
programming practices. Once downloaded, the application comes with a tutorial
and a set of different lessons that instruct students how to exploit
vulnerabilities with the intention of teaching them how to write code securely.