The Open Web Application Security Project (OWASP): An online community with a virtuous goal

January 13, 2015

By Bob Gourley

One of our CTOvision Pro subscribers requested that we provide more context on web-based and mobile application security and referenced the good work underway by OWASP. Over the next few weeks we will be publishing more on this topic, but wanted to start with an introduction to OWASP itself. It is an open community we hold in the highest regard, and you may want to consider contributing to their efforts yourself (or perhaps ensuring the right people in your enterprise are engaged with them).

The Open Web Application Security Project is a non-profit online community dedicated to web application security. The OWASP community includes corporations, educational organizations, and individuals from around the world. It was founded by Mark Curphey and Dennis Groves in Sep 2001 when an announcement was sent to a mailing list of the web application security community (WebAppSec). Since then, due largely to the open and collaborative nature of Mark and Dennis, the group has grown to include hundreds of volunteers organized into chapters around the globe, with over 42,000 active members in the organization.

The mission and vision of OWASP, from their website, is:

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.

OWASP has a tremendous knowledge base of best practices maintained in wiki format. This wiki has references for organizations just starting a web application security program as well as best practices for those with very mature programs. It is a key resource that should be known by any developer and most technical executives in today's organizations.

For more on OWASP, visit their website at

In the coming weeks we will be focusing more on web-based and mobile application security, and OWASP will be a key source for that (there is also great work at SANS and the CMU SEI to cite on that).