Why you should know about the OWASP project
I have always had a thing for security, even though in practice being a good security expert is largely about details you don't really want to know about, like a vulnerability in this version of an Apache module, or a specific misconfiguration of that version of IIS.
Therefore I fell instantly in love with the idea of the Open Web Application Security Project (OWASP) when I first discovered it more than ten years ago. I was working on developing my.ITU, an IT system for administrative and student-related processes at a university, when the IT department was involved in an audit. Even though our team wasn't part of the audit, I wanted to do an assessment of my.ITU.
The OWASP project provided us with a way to examine whether we were vulnerable to the different types of web vulnerabilities. Back then, OWASP consisted of a general description of the ten most common web vulnerability types, independent of the technology used. That was good for us: we ran the website on a dated web server (AOLserver), had written our own web server module in C, and the programming language was Standard ML, compiled to bytecode using our own compiler. Pretty unique setup.
The OWASP Top 10 project (still) provides a list of the ten most critical web application security risks. And for each risk it provides:
Guidance on how to avoid it
References to OWASP and other related resources
A couple of weeks ago, I was involved in another security audit, and was asked specifically about OWASP. This made me go back to the OWASP project website to download a fresh version of the top 10 document, print a few copies and hand them out to the developers on my team. I read one myself, and it still strikes me as a fantastic piece of work.
If you deal with IT systems with any presence on the web, then go and check out the OWASP Top Ten document. Do it now.
Go learn more about OWASP here: