The Open Web Application Security Project was setup to build an industry standard framework for testing the security of web applications. We have several main objectives including to;

• define the security requirements for secure web applications
• develop an industry standard web application security testing framework
• build quality open source tools to support the testing framework
• define a standard data exchange format to allow commercial, open source and research tools to communicate and interoperate

We will be developing the www.owasp.org website into a place where;

• people can learn about the common security problems that occur with web applications and web services
• developers and system architects can learn about security requirements to build secure web applications and web services
• security professionals and developers can learn how to effectively test the security of web applications and web services
• system owners can learn what to expect of a security company or tool testing their applications
• security professionals can understand if tools are appropriate and doing what they should be doing

Application security is still relatively immature and there is significant FUD (Fear, Uncertainty and Doubt) being purveyed by the industry. This project aims to be an open source reference point for system architects, developers, vendors, consumers and security professionals involved in the Design, Development, Deployment and Testing the security of web applications and web services. Security professionals will be able to use the work to incorporate in their work. Security vendors will be able to base services and software on this project and consumers will be able to baseline and test applications or services they receive.

In short the project aims to help everyone build more secure web applications and a web services. We will be covering a wide range of related work over the coming years and have initially defined three areas to concentrate on.

Application Security Attack Components

The Application Security Attack Components project was started as an attempt to create common language and definitions for which much of the other work planned at OWASP could benefit. When describing security issues in web applications or when attempting to model security it is very easy to describe the same issue in many different ways, seemingly creating new problems. When analyzing problems described on Bugtraq it is evident that most problems are simply variants of common issues, but on different applications or systems. Also when testing security you often find yourself using the same basic technique to test different problems only with different parameters or targets. The Application Security Attack Components projects aim is to define and document those primary attacks components that everyday hacks are made up of.

Most of the real-world hacks you will see in the media will of course be a series of several attacks, usually in a certain sequence. By using these descriptions people can describe issues in an unambiguous manner and reference descriptive write-ups of the problems without having to re-hash the same ground. An example of how the initial work is already stating to be used can be found in this posting to Bugtraq on November 5th.

Eventually we aim to have documented and described all of the common attack components used. This will also help to create a list of what to protect against and how to protect against them in future work we may do. Currently the list is heavily focused on "black-box" pen test type issues, however we are expanding this into classic white-box issues issues like cryptanalysis and Open API's etc. The aim is definitely not to build the biggest list of problems or describe attacks like Nimda or Code Red; but to document the underlying primary attack components that are used in attacks so people can learn to avoid developing them and others can learn to test for them.

This project is setting out to define a structured framework to ensure that the appropriate security requirements have been implemented by a web application. By providing a structured community derived methodology covering both "white box" (source code analysis) and "black box" (penetration test) analysis, along with open source testing tools to support the framework, we hope to be able to improve the quality of security testing for all web applications.

At a minimum the testing framework will include;

• Why, when, what and how to test
• A comprehensive list of each potential problem
• Guidelines on how to test each problem
• Open source tools to conduct those tests
• Guidelines on how to analyze the results
• Sample reports

We want to seek widespread adoption of the framework, and are driving towards an official standards body. This work will be able to be used by a variety of people; from security professionals looking to adopt an industry derived and proven methodology, through to system owners looking to conduct tests themselves or seeking to ensure their consultants are comprehensively checking their applications.

Web Application Security XML Data Exchange Format- (Due to Start 2002)

This project is setting out to define a data format and procedures that can be used to exchange web application security vulnerability information between both systems and users.The goal is to encourage interoperability between commercial, open source and research tools and ensure that all users can consume a credible, up to date and open set of knowledge. A formal XML specification will be published with a reference implementation of a testing tool written in Java.

Today knowledge about a security problem and exactly how its being testing is typically buried deep inside tools. This leads to a high degree of false positives and false negatives. Most security processionals use a suite of tools but without a data exchange format, and open unambiguous testing knowledge it is almost impossible to choose the best tool for the job and keep a consistent set of tests and results persisted across applications.This project will facilitate putting a comprehensive set of technical data about web applications into the public domain as well as facilitate its open exchange and expansion.

We believe it may be possible in the future to create SOAP services based on such a XML specification to allow the open source community to publish new vulnerabilities in real-time to tools which are capable of reading the specification.