3

I'm a Java EE developer and I was wondering if anybody has had experience with the OWASP Project and could weigh-in as to how it measures up as a security standards organization. They have a huge website with multitudes of documents, sub-projects, frameworks/APIs, etc., and I just want to be sure that they are well-regarded before I start heading down the path of learning about it from the ground-up. I would hate to spend the next couple of weeks investing time & energy in this group only to find out that they aren't credible for whatever reason.

Are there other project bodies that are also open source that I should consider, as well?

Jeff Ferland
  • 38,329
  • 9
  • 96
  • 174
zharvey
  • 951
  • 3
  • 10
  • 15

2 Answers2

4

OWASP itself does have a large number of projects, some at greater maturity than others. As an organisation OWASP does have key initiatives which have been accepted globally, so you wouldn't be alone in choosing to learn more.

My main market includes global banks and other financial services organisations, as well as some other industries such as oil and gas, and aside from standards such as PCI-DSS, ISO 27001 etc, the single de-facto standard across their web security teams is the OWASP Top Ten.

ESAPI is also extensively used across the IT Security space, along with a few others.

Rory Alsop
  • 61,507
  • 12
  • 118
  • 322
1

Official "standards" are largely independent of actual bugs, and instead focus on the "process" for dealing with bugs. For example, they generally don't mention something specific like "SQL injection".

OWASP is the reverse. It's all about the Top 10 most common problems, but light on the processes you might use to fix them.

Certainly, there is considerable overlap, but that's the general idea.

Robert David Graham
  • 3,923
  • 1
  • 16
  • 14