OWASP: conformity

 
blacksmith
Posts: 979
Hello,

Some time ago I had to evaluate some proposals of companies
that would have built a web site for my organisation.

Some of these companies were mentioning OWASP as part of
their arsenal in tackling security.

Is it possible for a company to get some kind of certification
in OWASP or how can one verify that OWASP's principles are
actually followed during implementation?

Cheers,

Gian
 
Ranch Hand
Posts: 433
As far as I know, there was once a plan for a certification (look here). But it was canceled (for reasons that I'm not familiar with. It's mentioned on the overview-page here)
 
Owasp member
Posts: 3

Gian Franco wrote:Hello,

Some time ago I had to evaluate some proposals of companies
that would have built a web site for my organisation.

Some of these companies were mentioning OWASP as part of
their arsenal in tackling security.

Is it possible for a company to get some kind of certification
in OWASP or how can one verify that OWASP's principles are
actually followed during implementation?

Cheers,

Gian

Gian,

This Thursday, the certification subject will be discussed at the OWASP Summit.
You can watch the video stream live at:
http://videos.sapo.pt/owaspsummit

OWASP Summit homepage:
http://www.owasp.org/index.php/OWASP_Summit_2011

 
Owasp member
Posts: 8
OWASP does NOT endorse or certify any commercial products or services.

At the moment, we also do not "certify" any individuals though as Ferdinand mentioned, there is an active effort to explore this possibility.

What you have most likely run into is company literature that states that their product "conforms to" or "protects against" the OWASP Top 10.

In some ways, this is akin to a web browser stating they are ACID2 compliant, or a website stating they are W3C-standards compliant.

The reality though is that the OWASP Top 10 project is not a "standard" - it is a document whose goal is "to raise awareness about application security by identifying some of the most critical risks facing organizations."

What most commercial products mean when they allude to the Top 10 or to OWASP in general is that they believe their tool or product can help a company identify application security vulnerabilities such as those frequently cited by OWASP. As with any commercial product or service, obviously your mileage may vary.

OWASP will occasionally issue statements applauding companies for recognizing the importance of application security and secure development principles, but OWASP does NOT make any evaluation of the quality of any commercial product or service.

-Jason
OWASP Global Projects Committee Chair
 