The Open Web Application Security Project (OWASP) is a not-for-profit charitable organization focused on improving software security. OWASP works on the principles of open source software, particularly the idea that the community is the force of creation and contribution. The unique aspect here is that OWASP is not software, rather a set of guidelines created by the community to help developers plug security holes in their code.

Security has become a very important aspect of software development lately, but not everyone is aware of ways to write secure code. You may think, "my team of developers is very experienced/skilled/efficient, they can write 100% secure code," but if you follow the news you are aware that even bigshot websites are regularly brought down or have their user data compromised. Your website should be well-prepared to avoid such attacks by following these guidelines by OWASP.

For example: Jim is a developer working on a software tool which lets people save their daily routine and track their fitness regime. Of course, this app has a login/sign up mechanism and a database to save the users' details, among other features. With deadlines closing in, Jim has little time to care about the code security, and he finishes the functionality. Later, during internal security review (or worse in the production phase) several gaping holes are found. Jim had to bear the brunt of the criticism, but was he to blame?

The vast field that software development has grown into, combined with shrinking deadlines, is the perfect storm for producing code that is prone to security attacks. Even other factors like ignorance or laziness on the part of the developer can introduce security holes. While there is little to be done about the size of the growing software field or about shrinking deadlines, developers can be trained to write inherently secure code with OWASP guidelines.

Developers, security analysts, and others can use OWASP guidelines and at the same time, contribute knowledge back to the guidelines. How?

4 ways to use OWASP

Cheat sheets

Cheat sheets contain high quality, concise data that is relevant to a specific feature. You spend less time searching for the answers and more time understanding them.

Suppose you are developing a "Forgot Password" feature for your website and are curious to know what guidelines should be followed. In the "Cheat Sheets" section on the OWASP website, look up the "Forgot Password Cheat Sheet."

Developer guide

Find comprehensive information on software development, from "foundation" and "architecture" to "configuration" and "operation."

The developer guide was the original OWASP project, started in 2002.

Appsec tutorial series

This is the video tutorial section on the website aimed at delivering the more complex information in an easy to digest format. Videos are typically 5 --- 10 minutes in length and based on security concepts, tools, or methodologies.

Testing guide

Like the developer's guide, there is also a tester's guide which aims to train testers on how to find bugs in security critical areas of the software.