I want to take the opportunity to pay tribute to the work of the Open Web Application Security Project – OWASP. This project has now grown into an incredible wealth of online resources with a single-minded focus on improving web product security. The OWASP Guide to Building Secure Web Applications should be considered essential reading for developers, and if you are not familiar with this document, you should become so. One of the key messages that should be apparent from reading this guide is that secure products result from having security-focused processes in place throughout the development lifecycle. It’s beginning to sound like a cliché, but it’s a message that I can’t repeat enough.
The vendor independence of the resources on display makes OWASP a refreshing change from the propaganda-heavy literature that often bombards the inbox. That’s not to say that I don’t hold many security vendors in high esteem, because I most certainly do – many of the most dedicated and committed people I meet within the security industry are vendors proud of the new products and services that they are trying to sell to cynics like me. What I enjoy about OWASP is that every last word and every line of code written in its cause has been produced by volunteers in their own time, for their own love of the work. We, the consumers, can take it or leave it – there is no hard sell and no salesman with targets to meet, just good honest graft.