Most security people seem to have at least heard of OWASP, but a lot of developers have not. This by itself is a little scary, but it is also too bad, because one of the great things about OWASP is that it is a very developer-friendly project that produces lots of tools, code and code-level guidance (rather than just policy statements). So it is a great playground for developers to learn about building more secure web apps.
There is a great summary here by Christian Scholz of Rogan Dawes' talk at FOSDEM 2008, where he summarizes a lot of what OWASP is about and what some of the more interesting projects are. If you are just learning about OWASP it is a great place to start. The author concludes:
Everybody interested should have a look at WebGoat and WebScarab themselves.
Could not agree more. It is great to see OWASP getting out of the security community and into the wider developer communities. The security people can only take it so far; developers have to be on board.
Gunnar Peterson teaching Web Services Security training, NYC, March 10-11