Fantastic OWASP Projects and where to find them!
Background
In 2016, when I began my career as a pentester, I discovered the OWASP Foundation. Initially, I was only familiar with the OWASP Top 10 series, specifically the Top 10 Web Application Security Risks. Later, I learned about the OWASP Mobile Top 10, a list of the top 10 mobile risks, and eventually the OWASP API Security Project, which outlines the top 10 security risks of APIs. However, this post is not intended to delve into these specific projects. Rather, my goal is to highlight other OWASP projects that have been beneficial to me in my efforts to learn about building and scaling application security programs.
Cheat Sheet Series
- Project Link
- GitHub Link
- How to contribute?
- Project Leaders
The Cheat Sheet Series provides detailed information on specific application security topics that align with the ASVS, MASVS, Proactive Controls, OWASP Top 10, and other resources. Recently, I've been using this project to educate developers about vulnerabilities and how to implement mitigations. If you're just starting out in security and learning about the OWASP Top 10, I highly recommend you check out the OWASP Top Ten 2021: Related Cheat Sheets.
Secure Headers Project (OSHP)
- Project Link
- GitHub Link
- Project Leaders
The OWASP Secure Headers Project (also known as OSHP) outlines HTTP response headers that can be used to increase the security of your application. It provides guidance on recommended HTTP security headers that can be leveraged, headers that should be removed, and much more.
Application Security Verification Standard (ASVS)
- Project Link
- GitHub Link
- How to Contribute?
- Project Leaders
The ASVS contains requirements that help the community prepare security requirements for application security testing or building web applications to ensure that necessary security controls are in place. There is also the MASVS for mobile applications.
I am currently reading the ASVS to learn about how to create application security requirements and turn them into user stories. To learn more about the project, I recommend checking out the project link and also these two talks:
Proactive Controls
- Project Link
- GitHub Link
- Project Leaders
The OWASP Proactive Controls can be used as a training guideline when teaching developers about secure coding practices and various application security controls. When paired with the ASVS and the Top 10 Web Application Security Risks, this can help developers understand the vulnerabilities, associated risks, and how to mitigate them.
Security Culture
- Project Link
- GitHub Link
- Project Leaders
- Nick Miller: GitHub
When implementing or scaling a security program, culture plays an important role for the security team because it helps us influence the engineering teams to adopt security tools, processes, policies, etc. This documentation project discusses the importance and benefits of establishing a security culture when building an application security program. It covers various activities that should be performed at each stage of the SDLC to help create secure development practices. It also discusses topics such as Security Champions, Threat Modeling, Metrics, and more.
Software Assurance Maturity Model (SAMM)
- Project Link
- Project Website
- GitHub Link
- Project Leaders
The OWASP SAMM is a maturity model for software assurance that provides a measurable and effective way to analyze and improve the secure development lifecycle. It can be used as a guideline for starting or scaling a security program to decide which activities should be carried out and how to measure progress.
Application Security FAQ
This is not a project itself, but I have found the questions answered here to be helpful when teaching developers about application security. It answers many frequently asked questions. Here are a few examples:
- What best practices should I remember while designing login pages?
- Is it required to redirect the user to a new page after login?
- How can my “Forgot Password” feature be exploited?
- In “Forgot Password”, is it safe to display the old password?
- I’m using stored procedures for authentication, am I vulnerable?
- I’m using client side JavaScript code for checking user input. Isn’t that enough?
- Are Java servlets vulnerable to SQL injection?
- Why can’t I trust the information coming from the browser?
OWASP also has a variety of automated application security tools. You can check some of them out in the Application Security Tools list.
More details about the OWASP projects can be found here.
I plan to keep updating this list as I learn more about application security. If you come across any projects that you think should be on this list and that I should check out, please let me know on Twitter.