Moving The Open Web Application Security Project Out Of The Shadows
Components of the OWASP
Rob Reilly
Wednesday, July 24, 2002 11:46:14 AM
The scope, depth and amount of useful information about web application security produced by the OWASP is staggering. Fortunately, Curphey has organized the sub-project tools, documents and processes into several broad categories:
WebScarab - a web application vulnerability scanner. The tool will crawl a web site searching for potentially vulnerable web applications and then dynamically build a set of security tests for problems based on scenarios it finds. Types of problems will include SQL Injection, Cross Site Scripting, Cookie Poisoning and Parameter Tampering. The tool has an interactive proxy for manual examination as well as using the VulnXML format for thousands of static checks.

Filters - a component-based approach to sanitizing malicious user input and output used in attacks like SQL Injection or Cross Site Scripting. These APIs would be released as Open Source to help protect all users' applications and serve as a reference implementation for those developers wanting to build their own. Common vulnerabilities would be widely known among developers, allowing common safeguards to be easily designed in.

VulnXML - a proof of concept project developing a common format in which security researchers can describe static vulnerabilities in web applications. These are things like how a known vulnerable CGI is installed or how a known URL will give admin access to an application. Conceivably, all new tools (commercial or free) would be able to share a common, open source, free and up-to-date repository of checks developed, maintained and QA'd by the community in the open. Time to market, quality of checks and access to security data would be controlled by the open source community and be available to everyone.

Web Maven - an intentionally insecure fake Internet Bank application donated to OWASP by David Rhoades of MavenSecurity. Web Maven will be an interactive learning environment for user training. It will demonstrate specific web application security holes, show models of the problem and how the security hole can be fixed. It will also be a test platform and can serve as an application honey pot. The first release of WebMaven is slated for the end of August 2002.

Guide to Building Secure Web Applications and Web Services - a documentation project to show how to design a secure web application.

Guide to Testing Security of Web Applications and Web Services - a definition of the structured framework to ensure that the appropriate security requirements have been implemented by a web application.

Application Security Attack Components Common Language and Definitions - the Web Application security dictionary.
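To make the Filters idea concrete, here is an added example (written for this article, not OWASP's own Filters code) of the three reusable safeguards such a component bundles: an allow-list input validator, an HTML output encoder, and a parameterised database lookup, each exercised against a constructed SQL Injection or Cross Site Scripting string. The field names, allow-list rules and the in-memory accounts table are assumptions made for the demonstration.

```python
import html
import re
import sqlite3

# Allow-list rules per form field (assumed for this example). Anything that
# does not match is rejected outright rather than "cleaned up".
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "account_id": re.compile(r"[0-9]{1,12}"),
}


def validate_input(field, value):
    """Input filter: True only if the whole value matches the field's rule.
    An unknown field is an error, so the filter fails closed."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise ValueError(f"no validation rule defined for field {field!r}")
    return rule.fullmatch(value) is not None


def encode_for_html(value):
    """Output filter: encode <, >, &, quotes so user data renders as text,
    which is what defeats a reflected Cross Site Scripting payload."""
    return html.escape(value, quote=True)


def demo_db():
    """Constructed sample data: two accounts in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn


def lookup_balance(conn, username):
    """Parameterised query: the driver binds username as data, so a value
    such as ' OR '1'='1 is compared literally and never changes the SQL."""
    row = conn.execute(
        "SELECT balance FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None
```

The validator, encoder and query function are independent, which is the point of the component approach: an application can adopt one without the others.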
The list of sub-projects looks deceptively simple. That doesn't mean that the OWASP team has not had its hands full. Another round of questions provided a window into the future of the OWASP.