OWASP: conformity

Gian Franco
blacksmith
Ranch Hand

Joined: Dec 16, 2003
Posts: 975
Hello,

Some time ago I had to evaluate some proposals of companies
that would have built a web site for my organisation.

Some of these companies were mentioning OWASP as part of
their arsenal in tackling security.

Is it possible for a company to get some kind of certification
in OWASP or how can one verify that OWASP's principles are
actually followed during implementation?

Cheers,

Gian


"Eppur si muove!"
Joachim Rohde
Ranch Hand

Joined: Nov 27, 2006
Posts: 423

As far as I know, there was once a plan for a certification (look here). But it was canceled (for reasons that I'm not familiar with. It's mentioned on the overview page here).
Ferdinand Vroom
Owasp member
Greenhorn

Joined: Feb 08, 2011
Posts: 3
Gian Franco wrote:Hello,

Some time ago I had to evaluate some proposals of companies
that would have built a web site for my organisation.

Some of these companies were mentioning OWASP as part of
their arsenal in tackling security.

Is it possible for a company to get some kind of certification
in OWASP or how can one verify that OWASP's principles are
actually followed during implementation?

Cheers,

Gian


Gian,

This Thursday, the certification subject will be discussed at the OWASP Summit.
You can watch the video stream live at:
http://videos.sapo.pt/owaspsummit

OWASP Summit homepage:
http://www.owasp.org/index.php/OWASP_Summit_2011

Jc Li
Owasp member
Greenhorn

Joined: Feb 08, 2011
Posts: 8
OWASP does NOT endorse or certify any commercial products or services.

At the moment, we also do not "certify" any individuals though as Ferdinand mentioned, there is an active effort to explore this possibility.

What you have most likely run into is company literature that states that their product "conforms to" or "protects against" the OWASP Top 10.

In some ways, this is akin to a web browser stating they are ACID2 compliant, or a website stating they are W3C-standards compliant.

The reality though is that the OWASP Top 10 project is not a "standard" - it is a document whose goal is "to raise awareness about application security by identifying some of the most critical risks facing organizations."

What most commercial products mean when they allude to the Top 10 or to OWASP in general is that they believe their tool or product can help a company identify application security vulnerabilities such as those frequently cited by OWASP. As with any commercial product or service, obviously your mileage may vary.

OWASP will occasionally issue statements applauding companies for recognizing the importance of application security and secure development principles, but OWASP does NOT make any evaluation on the quality of any commercial product or service.

-Jason
OWASP Global Projects Committee Chair