Aspect's Free and Open Application Security Documentation

Aspect has contributed many interesting guidance and standards documents to the application security community. Many of these documents have been built into processes and standards in companies all over the world.

OWASP Top Ten Most Critical Application Vulnerabilities

First released externally in 2003, the OWASP Top Ten project is led by application security experts at Aspect Security. The Top Ten has been adopted by the FTC, DISA, PCI Council, most commercial organizations, and dozens of book authors. We actively encourage people to use the Top Ten to raise awareness, and then to quickly move on to a responsible application security program.

OWASP Top Ten Project Page

OWASP Application Security Verification Standard (ASVS)

With many organizations performing application security testing, code reviews, analysis, and verification of all kinds, we saw a need in the market for a standard to allow comparison of the different approaches. The ASVS provides four levels of verification (automated, manual, architecture, and internal) and indicates exactly what requirements are covered by each one. The ASVS can be used to help select a verification vendor, or used internally to guide your verification approach or application security requirements.

OWASP ASVS Project Page

OWASP Secure Software Contract Annex

Achieving a meeting of the minds between software buyers and sellers is critical to achieving application security. This "contract annex" walks the parties through the relevant issues and suggests a reasonable compromise on most issues. This annex has been adopted by the Department of Homeland Security in their guide to software acquisition and also by SANS and the State of New York, who use it in their software acquisition policy.

OWASP Software Contract Annex Project Page

OWASP Risk Rating Methodology

When Aspect uncovers a vulnerability in our clients' software, we take great care to clearly describe to our client the likelihood of an attacker exploiting this vulnerability and the impact to their business. In order to help others properly analyze the risk associated with software vulnerabilities, we published a simple, yet expressive system for rating risk.

OWASP Risk Rating Methodology

OWASP Prevention Cheat Sheet Series

There are numerous 'cheat sheets' on the internet on how to exploit vulnerabilities, but none on how to prevent them. Aspect initiated the OWASP Prevention Cheat Sheet Series to provide developers with simple, actionable steps they can take to avoid the most common web application security flaws. We have produced the first two articles in this series, on Cross Site Scripting and SQL Injection, and plan to expand it to cover many other common web application security flaws.

Cross Site Scripting (XSS) Prevention Cheat Sheet (Prevention Article #1)

XSS is the most prevalent software vulnerability of all time, yet very few people truly understand what it takes to prevent it. To make it simpler for developers, we created a safe harbor: five simple rules that define where untrusted data can be placed in HTML documents, and the escaping required in each location. Following these five rules will make applications invulnerable to XSS. We have also built the escaping routines required by these rules into ESAPI.

OWASP XSS Prevention Cheat Sheet
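The point of the cheat sheet's rules is that the correct escaping depends on where in the HTML document the untrusted data lands. The following added example (written for this page, not taken from the cheat sheet or from ESAPI) implements context-specific encoders for three of those locations, HTML element content, a quoted HTML attribute value, and a quoted JavaScript string, and renders one piece of untrusted input into all three. The rule numbering, function names and the sample input are assumptions made here; only the underlying escaping approach (escape everything that is not alphanumeric in the attribute and JavaScript contexts) follows the cheat sheet's well-known guidance.

```python
import html

# Constructed sample of untrusted input (labelled as such); it contains the
# characters that break out of each of the three contexts handled below.
UNTRUSTED = '"><script>alert(1)</script>'


def html_body_encode(s: str) -> str:
    """Untrusted data placed in HTML element content (e.g. <div>HERE</div>).

    Escaping & < > " ' and / is enough here because text content cannot
    start a new tag or attribute once those characters are neutralised.
    """
    return html.escape(s, quote=True).replace("/", "&#x2F;")


def html_attr_encode(s: str) -> str:
    """Untrusted data placed in an HTML attribute value (value="HERE").

    Every character except ASCII alphanumerics is encoded as &#xHH; so the
    data cannot end the attribute or the tag, whichever quoting the author used.
    """
    return "".join(
        c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):X};" for c in s
    )


def js_string_encode(s: str) -> str:
    """Untrusted data placed inside a quoted JavaScript string ("HERE").

    Non-alphanumerics become \\xHH (or \\uHHHH beyond Latin-1) so the data can
    never close the string or the enclosing <script> element.
    """
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 256:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "".join(out)


def render_profile(display_name: str) -> str:
    """Hypothetical page fragment that uses the same untrusted value in all
    three contexts, each with the encoder that matches its location."""
    return (
        "<div>Hello, " + html_body_encode(display_name) + "</div>\n"
        '<input name="who" value="' + html_attr_encode(display_name) + '">\n'
        '<script>var who = "' + js_string_encode(display_name) + '";</script>'
    )


if __name__ == "__main__":
    page = render_profile(UNTRUSTED)
    print(page)
    # Only the page's own <script> element survives; the injected one does not.
    print("script tags in output:", page.count("<script>"))
```

Choosing the encoder by context is the whole technique: the HTML body encoder is not safe inside an attribute, and neither HTML encoder is safe inside a JavaScript string, which is why a single "escape everything once" helper keeps failing in practice.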

SQL Injection Prevention Cheat Sheet (Prevention Article #2)

SQL injection is very prevalent in web applications and extremely dangerous, placing it at the top of the OWASP Top Ten. SQL injection is also VERY easy to prevent. It's so prevalent because developers simply aren't aware of the vulnerability and the techniques to avoid it. This second article in the prevention cheat sheet series explains the numerous options developers can take to avoid SQL injection flaws in their applications.

OWASP SQL Injection Prevention Cheat Sheet
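To make "very easy to prevent" concrete, here is an added example (written for this page, not taken from the cheat sheet) that puts the injectable pattern beside the hardened one using Python's standard sqlite3 module and an in-memory table. The table contents, the function names and the allow-list rule are assumptions made here; parameterized queries and allow-list input validation are the two prevention options demonstrated, and the defect in the unsafe function is deliberate so the difference is visible.

```python
import re
import sqlite3

# Constructed sample data (labelled as such) in an in-memory database.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the untrusted value becomes part of the SQL
    text, so quote characters in it change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a parameterized query. The statement text is fixed and the
    value travels separately, so it is only ever compared, never parsed."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Hypothetical allow-list rule for this application's usernames; used as a
# second layer in front of the parameterized query, not instead of it.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def find_user_validated(conn: sqlite3.Connection, username: str) -> list:
    """Allow-list validation followed by the parameterized lookup."""
    if not validate_username(username):
        return []
    return find_user_safe(conn, username)


if __name__ == "__main__":
    conn = build_db()
    # Constructed test input: a quote followed by an always-true condition.
    tampered = "' OR '1'='1"
    print("unsafe   :", find_user_unsafe(conn, tampered))   # every row leaks
    print("safe     :", find_user_safe(conn, tampered))     # no match
    print("validated:", find_user_validated(conn, tampered))  # rejected up front
```

The unsafe function returns every row because the value rewrites the WHERE clause; the parameterized version returns nothing for the same input because the driver compares the whole string, quote and all, against the column. Validation on top of that narrows what the query can ever be asked, which also makes anomalous input easy to log and alert on.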

OWASP Code Review Guide

Aspect is a strong advocate of Code Review as one of the best techniques for finding security weaknesses. We were active participants in the creation of the OWASP Code Review Guide to bring this technique to more developers and security experts worldwide.

OWASP Code Review Guide Project Page

OWASP Testing Guide

Penetration Testing is another of the most productive application security verification techniques. Aspect has contributed to the testing guide, which is now widely used by application testers around the world.

OWASP Testing Guide Project Page

OWASP Development Guide

Software architects and developers need to know more about application security than just testing and verification. The developers' guide discusses selecting, placing, and building security controls into your applications to avoid the common errors that lead to software vulnerabilities.

OWASP Development Guide Project Page

OWASP Application Security Desk Reference (ASDR)

There is a huge body of knowledge that application developers need to know about security. Aspect created this project at OWASP to assemble and interlink all the foundational knowledge about application security threats, attacks, vulnerabilities, controls, technical impacts, and business impacts.

OWASP ASDR Project Page

Got Feedback?

Let us know how you're using these resources. Let us know if you have ideas for improvement. We always like to get feedback, particularly on how we can make these resources better.
