What is OWASP?
The best-known secure coding standard is OWASP, or the Open Web Application Security Project. It is an online community of development professionals focused on web application security.
The group was founded in 2001 and began publishing its best-known guide, the “OWASP Top 10,” in 2003. Its focus is on common, critical risks related to web application security. The Top 10 is updated every few years, based on feedback and new technologies. The latest version is the “OWASP Top Ten – 2017,” which was released in November 2017.
UPDATE as of August 2020: As the industry awaits a new OWASP Top Ten release, delayed due to the COVID-19 pandemic, much of the 2017 version still applies. Read “How OWASP Continues to Support Secure Coding Pending New Release” for details.
What Does “Web Application Security” Encompass?
- web applications
- web sites
- web services, such as an API
With its focus on application security, the OWASP Top 10 is commonly referenced in, and supports, other industry-level security standards and protocols which contain a software development component, including:
- Payment Card Industry Data Security Standard (PCI-DSS)
- Center for Internet Security (CIS)
- Cloud Security Alliance (CSA)
- National Institute of Standards and Technology (NIST)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX)
- International Organization for Standardization (ISO)
- General Data Protection Regulation (GDPR)
- Family Educational Rights and Privacy Act (FERPA)
Although its name and description imply it is specifically for use by web application developers, the OWASP Top Ten affects more than just your development teams. Every group that interfaces with and supports your development team(s) – designers, business analysts, project managers, product owners, etc. – should be aware of the OWASP secure coding standard and its impact on every aspect of the development lifecycle. Leadership should champion data and information security, and developers should be empowered and encouraged to make the best development decisions for the product and, therefore, the organization.
As noted by OWASP, “Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our software becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The rapid pace of modern software development processes makes the most common risks essential to discover and resolve quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.”
Secure Coding Training for Your Organization
Global Learning Systems offers role-based secure coding training that relates to the latest security threats. “Secure Coding with the OWASP Top 10 - 2017” uses role-based scenarios for each of the Top 10 entries to introduce learners to the identified risk. The course offers a deep dive into each risk, including how it can be introduced into code and the impact it can have. Learners also study best practices for mitigating and/or avoiding the risk. The program is language- and platform-agnostic, but includes real-world examples of code in multiple languages for learners to analyze.