As it happens,Dinis Cruz, the chief evangelist of OWASP and leader of the OWASP .NET project, will be our guest blogger for this month. Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET Application Security, Active Directory deployments, Application Security audits and .NET Security Curriculum Development. Dinis and I had a number of conversations in the past about the purpose of OWASP. In this post he is summarizing his view and experience. Thanks. These are his words:
Hello, on this guest blog post (thanks pdp) I would like to talk something that is very important to me (I will write about .NET's partial trust next time. OWASP is the Open Web Application Security Project which is an worldwide open community of like-minded security professionals focused on improving the current state of Web Application Security.
At OWASP I take the role of Chief OWASP Evangelist, and although I don't like the title it gives me a good excuse to talk about OWASP , to promote its projects and to speak at OWASP conferences and chapters. I am also part of the OWASP board (together with Jeff Williams, Andrew van der Stock and Dave Wichers), lead the .Net Project (help needed) and organize the London Chapter meetings.
Professionally I have been generously rewarded for my contributions to OWASP. In addition to the learning, meeting new people and conferences participations, I can say that for the past 18 months every single paid project that I was contracted to do, originated from contacts that I meet via OWASP. So I have authority to say that actively participating in OWASP can be very beneficial to your career (even if you don't care about the great kudos and karma that will come with that participation).
At the OWASP projects page you will find numerous projects some of which I am sure you will find very interesting:
- OWASP Top Ten 2004 and the new (still in consultation mode) OWASP T10 207 RC1
- OWASP Testing Guide - newly release document about application security testing procedures and checklists
- Web Goat - an online training environment for hands-on learning about application security
- WebScarab a tool for performing all types of security testing on web applications and web services (check out the new version: WebScarab NG)
- CLASP (Comprehensive, Lightweight Application Security Process) - a project focused on defining process elements that reinforce application security
- Live CD - a Linux based Live CD containing ready to use versions of OWASP tools and documents
- Other tools projects: Site Generator, Report Generator, CAL 9000, Encoding Project, Pantera, LAPSE, Sprajax, SQLiX, WSFuzzer, JBroFuzz, Interceptor, Stinger, Orizon
- Other documentation projects: Code Review, App Sec FAQ, Guide Project, Legal Project, AJAX Security Guide, Application Security Assessment Standards, Application Security Metrics, Carrer Development, HoneyComb, Logging, Validation, WASS (Web Application Security Standards) Guide, XML Security Gateway Evaluation Criteria, Education
- Technological specific projects: Java, .Net and PhP
OWASP Foundation is a USA based 501c3 not-for-profit charitable organization where all money made (from conferences, memberships and website advertisement) goes back into OWASP. For example last year OWASP gave sponsorships worth 35,000 USD under the OWASP Autumn of Code (AoC) activity to 9 individuals (from around the world) to improve 9 OWASP projects. The AoC was so successful that we are about to launch the SpoC (Spring of Code) which will sponsor a larger number of projects (and hopefully take OWASP to the next level).
Speaking from personal experience, the more you put in OWASP the more you get out of it. Due to its openness and 'no-vendor-bullshit-here-please' attitude (thanks Mark for that) OWASP tends to attract highly intelligent, interesting and professional individuals (I am always humbled by the talent that I meet at our conferences and chapter meetings). So if you haven't already, please join us and make us better.
The first place to start should be a local OWASP chapter. As you can see in the OWASP Chapter page there are currently 85 chapters around the world so you have plenty to chose from (_Argentina, Atlanta, Austin, Austria (Vienna), Bangalore, Barcelona, Belgium, Boston, Boston, Brazil, Brisbane, Australia, Buffalo, Charlotte, Chennai, Chicago, Chile, Cleveland, Colombia, Columbus, Delhi, Denmark, Denver, Edmonton, Canada, France, Ft Lauderdale, Germany, Greece, Helsinki, Hong Kong, Houston, Hyderabad, Israel, Italy, Kansas City, Kerala, Kolkata, Kuwait, London, Long Island, Los Angeles, Luxembourg, Madison, Malaysia, Manila, Melbourne, Memphis, Mexico City, Minneapolis/St. Paul, Mumbai, Nashville, Netherlands, New York City, New Zealand, Northern New Jersey, Omaha, Ottawa, Pakistan, Panama, Philadelphia, Phoenix, Pittsburgh, Riyadh, Rochester, Sacramento, Saint Louis, San Antonio, San Francisco, San Jose, Seattle, Singapore, South Korea, Switzerland, Sydney, Tainan, Tokyo, Toronto, Turkey, Vancouver, Washington (Maryland), Washington (Virginia), Winnipeg Manitoba_). And if you are not close to one, check out the Chapter Leader Handbook and start one.
Since everything at OWASP is (and always will be) open and free (as in beer and speech) you (and your companies) DON'T have to become OWASP members to benefit from it (and to edit our WIKI based website). BUT, if you (and your companies) benefit from OWASP, you should join as a member mainly for two reasons: 1) publicly associate yourself with OWASP's goals and 2) financially support the projects that you use (starting this year we are asking new members to indicate which OWASP projects they would like their membership fees to be used on).
And for the sceptics amongst you that are now asking, "humm.... what is the catch? there must be a catch? there always is a catch!!!", I think I will disappoint you when I say that there is no catch. OWASP is an open community, and we are just trying to make our online world safer and more secure.
Just a final word to say that I am here to help, so feel free to contact me on
dinis.cruz at owasp dot net (and if I don't reply in a couple days, just keep re-sending that email.