Industry:Citations

From OWASP

  • 1 OWASP Projects and Events
  • 2 National & International Legislation, Standards, Guidelines, Committees and Industry Codes of Practice
  • 3 Important Reports and Other Resources
  • 4 Project Requirements

This page captures important references to OWASP in official, or otherwise important, documents. It does not include presentational or educational materials, sales literature, forum messages, blog postings, news stories or press releases.

Hyperlinks have not been added within the text, other than those automatically added by the wiki, to reduce the risk of misinterpretation. Please read the source documents in full to understand the context. Entries in each category are ordered by organisation name ascending, then date ascending.



OWASP Projects and Events

Some OWASP projects maintain their own lists of citations, quotations, recommendations, testimonials and users:

  • OWASP Application Security Verification Standard (ASVS) Project - Users
  • OWASP Enterprise Security API (ESAPI) Project - Users and Adopters
  • OWASP ModSecurity Core Rule Set Project - Contributors, Users and Adopters
  • OWASP Security Spending Benchmarks (SSB) Project - News Coverage
  • OWASP Testing Guide Quotes
  • OWASP Top Ten Project - Users and Adopters and How Are Companies/Projects/Vendors Using the OWASP Top 10
  • News published about AppSec Brasil 2010

National & International Legislation, Standards, Guidelines, Committees and Industry Codes of Practice

Organisation Scope Document Date Version Comments
L'Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) France Sécurité et langage Java - Guide de Règles et de Recommandations Relatives au Développement d’Applications de Sécurité en Java (Security and the Java Language - Guide of Rules and Recommendations for the Development of Security Applications in Java) 6 November 2009 1.3 In "3 Definitions and Presentation of the Approach", "OWASP also provides information to raise the awareness of Java EE application developers about security issues. Although most of this information falls outside the scope of the JAVASEC study, which focuses on Java SE, this document is a useful complement. It is available at www.owasp.org/index.php/OWASP_Java_Table_of_Contents#J2EE_Security_for_Developers." and in "4.8 Input/Output Management - Identifier: 16 Name: Input Data Validation", "References: [1] www.owasp.org/index.php/OWASP_Java_Table_of_Contents#Input_Validation_Overview"

Prestataires D’Audit de la Securite des Systemes D’Information (Information System Security Audit Guide) 31 October 2011 1.0 In "7.2. Standards and technical documents", "Guides and documentation of the Open Web Application Security Project (OWASP)"
Bundesamt für Sicherheit in der Informationstechnik (BSI) / Federal Office for Information Security Germany IT-Grundschutz Baustein B 5.21 Webanwendungen (IT-Grundschutz Module B 5.21 Web Applications) 17 December 2012 Vorabversion / Preliminary Version To secure web applications appropriately, a new module for the IT-Grundschutz Catalogues was developed, which the BSI published in advance for comment. Among the participants was the Open Web Application Security Project (OWASP).
Sicherheit von Webanwendungen: Maßnahmenkatalog und Best Practices (Security of Web Applications: Catalogue of Measures and Best Practices) 31 May 2007 1.0 "Further comprehensive sources on web application security are freely available on the Internet, e.g.: OWASP Guide to Building Secure Web Applications and Web Services. Version 2.0 and Version 3.0 Working Draft."
Canadian Cyber Incident Response Centre Canada TR08-001 Alleviating the Threat of Mass SQL Injection Attacks (also in French) 18 June 2008 1.0.0 In "3.2 Application security best practices", "... The following elements should be considered as part of the SDLC for application security: ... Adopt and apply secure design and coding practices for web application software development. Guidance is available from numerous sources including ... and the Open Web Application Security Project (OWASP) www.owasp.org." and in "5 Resources", "Open Web Application Security Project (OWASP): www.owasp.org ... OWASP Testing Guide v2: www.owasp.org/images/e/e0/OWASP_Testing_Guide_v2_pdf.zip".

The Canadian Cyber Incident Response Centre is part of Public Safety Canada.

Center for Internet Security (CIS) USA Apache Benchmark for Unix October 2006 1.4 & 1.5 "... added reference to Web Application Security Consortium along with OWASP ..." - see revision history in version 1.6 below
Apache Benchmark for Unix November 2006 1.6 In "Introduction", "... For Web Application security issues, visit the Open Web Application Security Project (OWASP) website - www.owasp.org and ...", in "L1 20 Implementing Secure Socket Layer (SSL) with Mod_SSL", "The openssl command can be very useful in debugging and testing the SSL configurations. See www.openssl.org/docs/apps/ciphers.html as well as OWASP testing tips www.owasp.org/index.php/SSL/TLS_Testing:_support_of_weak_ciphers" and in "Appendix C - References", "The Open Web Application Security Project. 'A Guide To Building Secure Web Applications', September 22, 2002. www.cgisecurity.com/owasp/html/index.html".
Apache Benchmark for Unix July 2007 1.7 (As above in version 1.6)
Benchmark for Apache Web Server December 2007 2.0 In "Pre-configuration Checklist", "Educated developers about writing secure code ... OWASP Top Ten - www.owasp.org/index.php/OWASP_Top_Ten_Project", and in "1.3 ModSecurity Core Rules Overview", "... Description ... You can learn more about the pros and cons of a negative security model in the presentation 'The Core Rule Set: Generic detection of application layer', presented at OWASP Europe 2007 ... Attack Detection ... Generic Attack Detection - Detect application level attacks such as described in the OWASP top 10. These rules employ context based patterns match over normalized fields. Detected attacks include:...", and in "1.15 Implementing Mod_SSL", "... Action ... The openssl command can be very useful in debugging and testing the SSL configurations. See www.openssl.org/docs/apps/ciphers.html as well as OWASP testing tips www.owasp.org/index.php/SSL/TLS_Testing:_support_of_weak_ciphers ...".
Benchmark for Apache Web Server January 2008 2.1 (As above in version 2.0)
Benchmark for Apache Web Server November 2008 2.2 (As above in version 2.0)
The CIS Security Metrics - Consensus Metric Definitions 11 May 2009 1.0 In "Defined Metrics - Information Security Budget as % of IT Budget - References", "... Open Web Application Security Project, Security Spending Benchmark Project https://www.owasp.org/index.php/Category:OWASP_Security_Spending_Benchmarks ..." and in "Defined Metrics - Information Security Budget Allocation - References", "Open Web Application Security Project, Security Spending Benchmark Project https://www.owasp.org/index.php/Category:OWASP_Security_Spending_Benchmarks".
Centre for the Protection of National Infrastructure (CPNI) UK Secure web applications - Development, installation and security testing (NISCC Briefing 10/2006) 27 April 2006 - In References "OWASP Secure Web Application Guide www.owasp.org/documentation/guide/guide_about.html".

Originally published by the former National Infrastructure Security Co-ordination Centre (NISCC).

Commercially Available Penetration Testing - Best Practice Guide 8 May 2006 - In "Methodologies", "There are a number of open source penetration testing methodologies that can be used as a reference when examining provider methodologies. Examples include... OWASP - Open Web Application Security Project (www.owasp.org)".

Originally published by the former National Infrastructure Security Co-ordination Centre (NISCC).

Development and Implementation of Secure Web Applications August 2011 - In "Introduction to web application security", "Organisations such as the Open Web Application Security Project (OWASP) have expanded and have been involved in a large number of projects to promote many different aspects of web application security from risk assessment guides to security testing tools. One of these projects, OWASP Top Ten aims to provide a list of the most critical web application security risks. It is not surprising that such a list evolves dramatically over time as shown in the table below" and in "References", "OWASP Top Ten www.owasp.org/index.php/Category:OWASP_Top_Ten_Project", "Threat Risk Modelling www.owasp.org/index.php/Threat_Risk_Modeling", "HTTP Parameter Pollution www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf", "Transport Layer Protection Cheat Sheet www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet" and "Curphy, Mark et al, A Guide to Building Secure Web Applications and Web Services, OWASP, 2005 www.owasp.org/index.php/Category:OWASP_Guide_Project".
Cloud Security Alliance (CSA) Worldwide Security Guidance for Critical Areas of Focus in Cloud Computing April 2009 1.0 In "Section III. Operating in the Cloud - Domain 10: Incident Response, Notification, and Remediation", "There are other types of incidents that can affect an application in the cloud, which relate to data access, but stand alone as potentially serious for a user, and they are the OWASP Top 10 security vulnerabilities." and "The application framework can also provide components that provide protection against OWASP vulnerabilities.", and in "Domain 11: Application Security", "References... OWASP Top Ten Project, www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".
Security Guidance for Critical Areas of Focus in Cloud Computing December 2009 2.1 In "References", "OWASP Top Ten Project, www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".
Cloud Controls Matrix 27 April 2010 1.0 In "Security Architecture - Application Security (SA-04)", "Applications shall be designed in accordance with industry accepted security standards (i.e., OWASP for web applications) and comply with applicable regulatory and business requirements.".
Domain 10 Guidance for Application Security July 2010 2.1 In "PaaS - Tools and Services", "Web-based, n-Tier applications have a rich body of knowledge about common types of vulnerabilities and their mitigation through groups such as the Open Web Application Security Project (OWASP), but similar knowledge bases for PaaS environments are scarce and will need time to mature." and in "References" "OWASP Top Ten Project, www.owasp.org/index.php/Category:OWASP_Top_Ten_Project".
Club de la Sécurité de l'Information Français (CLUSIF) France Sécurité des applications Web - Comment maîtriser les risques liés à la sécurité des applications Web? (also in English) Translation: How to control the risks related to Web Application Security? September 2009 - In "II - Web technologies: essential, but carrying new risks - II.3 - Regulations and responsibilities", "Consequently, the provision of an application service by a company may engage its liability [4] ... [4] https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex OWASP Secure Software Contract Annex: this contract annex is intended to help software developers and their customers negotiate important contractual terms relating to the security of the software to be developed or delivered. The reason is that most contracts make no provision for this, the parties often holding radically different views on what was actually agreed at the outset. In fact, a clear definition of each party's responsibilities and limits is the best way to ensure that the parties can make informed decisions on how to proceed.", in "IV - The main security vulnerabilities of Web applications - IV.3 - Information leakage", "For more detail on Web application security vulnerabilities, the reader may refer to the OWASP Top Ten [6] ... [6] www.owasp.org/index.php/OWASP_Top_Ten_Project", in "V - Which good practices for implementing a secure Web application? - V.2 - Identification of needs and risk assessment", "A first cost estimate can be made at this stage, in order to remain consistent with the objectives of the project owner, using a methodology such as OpenSAMM, which makes it possible to estimate costs for the various stages of the development cycle [7] ... [7] www.opensamm.org/" and "Accessible threat modelling methods and tools exist to facilitate this process. [8] ... [8] www.owasp.org/index.php/Threat_Risk_Modeling", in "V.3 - Design and implementation", "Teams can also refer to the OWASP guide to designing and implementing secure Web applications [9] ... [9] www.owasp.org/index.php/Category:OWASP_Guide_Project", in "VI - Web application security verification - VI.2.2 - Code audit", "OWASP has published a Web application code review guide [10] ... [10] www.owasp.org/index.php/Category:OWASP_Code_Review_Project", in "VI.2.3 - Penetration testing", "For more information, see the Web application security testing guide published by OWASP [11] ... [11] www.owasp.org/index.php/Category:OWASP_Testing_Project".

Defense Information Systems Agency (DISA) USA Recommended Standard Application Security Requirements (Draft) 11 March 2003 2.0 (draft) In "Appendix B References", "B.5 Best Practices... 32. Open Web Application Security Project (OWASP): “The Ten Most Critical Web Application Security Vulnerabilities” (13 January 2003)".
Web Server Technical Implementation Guide 11 December 2006 6 Rel 1 In "1.1 Background", "Major security forums (e.g., SysAdmin, Audit, Network, Security (SANS) Institute and the Open Web Application Security Project (OWASP)) publish reports describing the most critical Internet security threats. From these reports, some threats unique to web server technology are as follows...".
Application Security and Development - Security Technical Implementation Guide 24 July 2008 2 Rel 1 In "Appendix A References", "Open Web Application Security Project www.owasp.org/" and "Open Web Application Security Project Threat Risk Modeling www.owasp.org/index.php/Threat_Risk_Modeling".
Application Security and Development Checklist 24 July 2008 2 Rel 1.1 Multiple OWASP website references providing vulnerability examples.

Superseded (see below).

Application Security and Development Checklist 26 June 2009 2 Rel 1.5 OWASP referenced in "APP3020 Threat model not established or updated... Detailed information on threat modeling can be found at the OWASP website. www.owasp.org/index.php/Threat_Risk_Modeling", "APP3550 Application is vulnerable to integer overflows... Examples of Integer Overflow vulnerabilities can be obtained from the OWASP website. www.owasp.org/index.php/Integer_overflow", "APP3560 Application contains format string vulnerabilities... Examples of Format String vulnerabilities can be obtained from the OWASP website. www.owasp.org/index.php/Format_string_problem", "APP3570 Application vulnerable to Command Injection... Examples of Command Injection vulnerabilities can be obtained from the OWASP website. www.owasp.org/index.php/Command_Injection", "APP3580 Application vulnerable to Cross Site Scripting... Examples of Cross Site Scripting vulnerabilities can be obtained from the OWASP website. www.owasp.org/index.php/Cross_Site_Scripting", "APP3600 Vulnerable to canonical representation attacks... Examples of Canonical Representation vulnerabilities can be obtained from the OWASP website. www.owasp.org/index.php/Canonicalization,_locale_and_Unicode", "APP3630 Application vulnerable to race conditions... Examples of Race Conditions vulnerabilities can be obtained from the OWASP website. https://www.owasp.org/index.php/Reviewing_Code_for_Race_Conditions", and "APP5100 Fuzz testing is not performed... The following website provides an overview of fuzz testing and examples: www.owasp.org/index.php/Fuzzing".
Defence Signals Directorate Australia Australian Government Information and Communications Technology Security Manual (ACSI 33) September 2008 - In "Web applications - Guidance", "G#101 3.6.2.14. Agencies are recommended to follow the documentation provided in the Open Web Application Security Project (OWASP) guide to building secure Web applications and Web services.", in "Web applications - Rationale", "Web applications 3.6.2.16. The OWASP guide provides a comprehensive resource to consult when developing Web applications." and in "Web applications - References", "3.6.2.17. Further information on Web application security is available from the OWASP at www.owasp.org.".
2012 Australian Government Information and Communications Technology Security Manual - Controls 2012 - In "Software Security - Web application Development - Controls", "The Open Web Application Security Project guide provides a comprehensive resource to consult when developing web applications. Control: 0971; Revision: 3; Updated: Sep-11; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA Agencies should follow the documentation provided in the Open Web Application Security Project guides to building secure web applications and web services." and in "Software Security - Web application Development - References", "Further information on web application security is available from the Open Web Application Security Project at https://www.owasp.org/index.php/Main_Page."

European Network and Information Security Agency (ENISA) Europe Web 2.0 Security and Privacy Position Paper 10 December 2008 - In '6.1.6 Developer Issues/Browser Vendors', 'There already exists quite a large body of development best-practice and descriptions of common pitfalls so, rather than re-inventing the wheel, we would refer the reader to the following as examples: The OWASP Guide to Building Secure Web Applications (84), ...', in '5.5.1 Fraudulent Pedigree/Provenance - 5.5.1.2 Example 2: Control of Botnets via Mashups', 'Mashups are perfectly suited to massively distributed systems with untraceable control structures and are therefore likely to lead to a variety of related attacks (see Use of Web 2.0 technologies to control botnets (38) and ...' and in '8 References and Links', '38. Use of Web 2.0 technologies to control botnets. www.owasp.org/images/0/02/OWASP_Day_Belgium_2007-pdp.ppt ' and '84. The OWASP Guide to Building Secure Web Applications v2. www.owasp.org/index.php/Category:OWASP_Guide_Project '.
Cloud Computing Risk Assessment 20 November 2009 - In "Application Security in Infrastructure as a Service", "... They must be designed or be embedded with standard security countermeasures to guard against the common web vulnerabilities (see OWASP top ten (40)). ... In summary: enterprise distributed cloud applications must run with many controls in place to secure the host (and network – see previous section), user access, and application level controls (see OWASP (41) guides relating to secure web/online application design). ... ", in "Software Assurance", "Include any standards that are followed, e.g., OWASP (46), SANS Checklist (47), SAFECode (48)." and in References, "40. OWASP [Online] www.owasp.org/index.php/OWASP_Top_Ten_Project ... 41. — [Online] www.owasp.org/index.php/Category:OWASP_Guide_Project ... 46. OWASP [Online] www.owasp.org/index.php/Main_Page".
Smartphones: Information Security Risks, Opportunities and Recommendations for Users December 2010 - In "Consulted experts", "Gunnar Peterson, OWASP".
European Union Regulations Member states of the European Union 32011R1179: Commission Implementing Regulation (EU) No 1179/2011 of 17 November 2011 Laying Down Technical Specifications for Online Collection Systems pursuant to Regulation (EU) No 211/2011 of the European Parliament and of the Council on the Citizens’ Initiative 17 November 2011 - "(4) The Open Web Application Security Project’s (OWASP) Top 10 2010 project provides an overview of the most critical web application security risks as well as tools for addressing these risks; the technical specifications therefore draw upon the findings of this project." used to contribute to "2.7 Application level security" and specifically "2.7.6. Proper security configuration is in place, which requires, at least, that: ... (e) security settings in the development frameworks and libraries are configured in accordance with best practices, such as the guidelines of OWASP.".
Federal Chief Information Officers (CIO) Council USA Guidelines for Secure Use of Social Media by Federal Departments and Agencies September 2009 1.0 In "The Threat - Web Application Attacks", "The Open Web Application Security Project (OWASP) has published guidance to improve the level of web application security, but it is not easy to determine if a social media website is following OWASP principles and building more secure web applications[20] ... OWASP Foundation, A Guide to Building Secure Web Applications and Web Services, in What are web applications? 2006, © 2001 – 2006 OWASP Foundation.".

Issued by the Information Security and Identity Management Committee (ISIMC).

Federal Financial Institutions Examination Council (FFIEC) USA Information Technology Examination Handbook July 2006 - In "Information Security - Systems Development, Acquisition, and Maintenance - Security Control Requirements", "Management may also refer to published, widely recognized industry standards as a baseline for establishing their security requirements. For example, for externally facing Web applications the Open Web Application Security Project (www.owasp.org) produces one commonly accepted guideline.".
Federal Trade Commission USA Protecting Personal Information: A Guide for Business October 2007 - In "Security Check - I'm not really a “tech” type. Are there steps our computer people can take to protect our system from common hack attacks?", "Yes. There are relatively simple fixes to protect your computers from some of the most common vulnerabilities.... Bookmark the websites of groups like the Open Web Application Security Project, www.owasp.org, or ..." and in "Additional Resources - These websites and publications have more information on securing sensitive data:", "The Open Web Application Security Project www.owasp.org".

Also available in Spanish.

Financial Services Information Sharing and Analysis Center USA Appropriate Software Security Control Types for Third Party Service and Product Providers September 2013 - In "Security Policy Selection", "... an enterprise may want to consider specific vulnerabilities that must be detected (i.e. OWASP top 10)..." and "The Working Group recommends using a combination of OWASP Top 10 and PCI compliance as a baseline policy".
Financial Services Roundtable USA BITS Software Assurance Framework January 2012 - In "Chapter 4: Coding Practices", "Several secure coding practices processes are available in the marketplace (e.g., OWASP Secure Coding Practices Guide, ...", in "Chapter 8: Post Implementation Phase Controls", "All of these controls today are based on either OWASP Top 10 or SANS Top 25 Application Programming Errors." and four places in "Appendix A - Education & Training".
GovCertUK UK SQL Injection 16 January 2009 1.0 In "3.2 SQL Injection", "The OWASP Foundation has produced two tools that can be used to learn about and analyse attacks. The WebGoat application has been developed to demonstrate web application security errors, including SQL injection,