Moving The Open Web Application Security Project Out Of The Shadows
Are Your Web Applications Safe?
Nearly every news program, talk show and print media headline now has a security angle. If you are an IT Manager or Executive, you are probably pulling your hair out trying to secure your Information Technology systems, especially web applications. You think about firewalls. You think about hackers and terrorists. You think about your revenues if someone breaks your web-based ordering system. So, while everybody talks about what to do, who really is doing something? Look to the people on the Open Web Application Security Project for many of the answers to these problems.
The Open Web Application Security Project (OWASP) is a group of devoted volunteers who are hard at work developing platform-independent tools, techniques and processes that improve the security of web applications. They are building a very comprehensive resource of security information and ways to manage potential security threats on web-based systems.
Mark Curphey is the founder of the Open Web Application Security Project, a project he has been working on for a few years now.
"I created and have been moderating the webappsec mailing list (originally called www-mobile-code) at http://securityfocus.com since late 1999," Curphey said. From there, he noted a growing need in the IT community.
"Web application security has been an emerging area for quite some time and there has been a strong disconnect between application developers and security consultants. This resulted in a significant amount of FUD and hype from some vendors who were first to market with early products and led users into either a false sense of security or an artificially heightened sense of concern. There was no place to go to get unbiased quality information about the issues and how to deal with them." Curphey illustrated his point when he talked about one of OWASP's core documents.
"In the first two weeks since the initial release of our 'Guide To Building Secure Web Applications and Web Services', we had over 60,000 downloads. Quite impressive given that it's a 1.7Mb document. Applications usually receive a lot of attention, but this goes to show how much people are looking for knowledge, as well as tools," he said.
The reality of the business world is that there is a virtually unlimited number of hardware, software and platform components that can make up a web application. There are multiple vendors, multiple networks and multiple operating systems thrown into the mix.
Asked about his personal choice of tools in the battle for Web Application Security, Curphey remarked, "Well I am typing this interview from a Redhat 7.3 box using my Evolution mail client! Myself and most of the volunteers are huge Open Source and Linux fans. I banned MS products from my home a while back, although I do have a work laptop with MS on it."
As far as other tools are concerned, "Part of the OWASP philosophy (and soon to be set down as principles) is to use Open Source tools and Open Source standards wherever possible and practical. All software is released under an OSI-compliant license. We are in the process of building out a proper portal for the website, which will be a Java-based system on Linux," Curphey explained.
"Java and Linux are a naturally great combination, joining the power and security of two 'best of breed' technologies," he summarized.
When asked about OWASP's idea of platform independence, Curphey had a quick response. "We are very conscious of making sure our work is relevant to all people, irrespective of the platform they build on. The issues are usually not platform-specific anyway." He went on to talk about Java.
"Most of us are huge Java fans. Java is a flexible language that enables cross platform development with relative ease and has an array of great security features. To date all of our development projects are being coded in Java."
Initial questions about the Open Web Application Security Project focused on why Curphey started the effort and what tools he used. The next section outlines the tools, documents, and processes that have been produced by the OWASP so far.