The OWASP Application Security Curriculum project has two initial goals, both concerned with providing educational, learning and training materials for:
The project hopes to do that by building or collecting resources for learning and by providing training materials (presentations, hands-on tools, and teaching notes) based on key OWASP projects.
Everything begins with awareness, and in application security awareness begins with the OWASP Top 10, and rightly so. To that end we have already created ASC101 (the Application Security Curriculum Foundational course); you can grab the Google Presentation materials here and use your OWASP Member benefit with SecureFlag here to work through the hands-on secure coding exercises.
Once development teams are aware of the top issues they might face in regard to application security they need to develop an understanding of the ways that they can avoid those pitfalls.
Enter OWASP Cornucopia. Why Cornucopia? Because it encourages secure-by-design thinking in developers, and because it simplifies the issues described in the Top 10 while making them more generically applicable.
It gives developers tangible abuse cases to consider while planning the next feature set and can be used to evaluate the system as a whole, or to focus on getting security non-functional requirements (NFR) sorted for the next sprint.
Play the game with your development teams and let them play it as often as they like. A digital version of the game is available for free here, provided by one of this project's sponsors (Secure Delivery).
Now that your teams are aware of what they should be building for security, we need to educate them in how to build it so that it passes the OWASP standard for application security verification: the OWASP ASVS (Application Security Verification Standard).
This is still work in progress, and we are actively looking for contributors to help us flesh this out. Review the video below if you are keen to hear about our progress.
On the pen testing side there is already a CREST certification, OVS, that pen testers and pen testing companies can achieve to show they understand how to test against the standard.
Once developers know how to build a secure thing, they need to understand how to do so in concert with others. The broader picture here is the maturity of the team across all the security aspects of the wider SSDLC, and when we say SSDLC at OWASP we mean OWASP SAMM.
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.
The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2024, OWASP Foundation, Inc.