WASC in the News
Web Application Firewall Criteria
Hackers Put Social Networks Such as Twitter in Crosshairs
Real-World Software Security
Companies should not use free security testing tools exclusively
Google Gives Away Free Web Application Security Scanner
Google open sources web app security scanner
The State of Web Security Issues
Phishers target Yahoo login credentials
December 9th, 2009
Brute-force attacks target two-year hole in Yahoo! Mail
September 18th, 2009
A Web security policy can save you money and embarrassment
September 3rd, 2009
Why Hackers Hack Websites
April 20th, 2009
Web apps account for 80 percent of internet vulnerabilities
March 19th, 2009
Forecast: Technologies Transforming the Data Center in 2009
Computer Technology Review
January 14th, 2009
The Web is more dangerous, and U.S. is biggest culprit
Government Computer News
December 10th, 2008
Statistical Validation of the IE8 XSS Filter
Microsoft Internet Explorer Blog
September 29th, 2008
The web application vulnerability landscape
Help Net Security
September 10th, 2008
Report: In-Depth Analysis Finds More Severe Web Flaws
September 10th, 2008
Facebook security snafu could compromise accounts
May 23rd, 2008
Mass SQL Attack a Wake-Up Call for Developers
April 28th, 2008
Users Urge Vendors to Build in Security
April 23rd, 2008
Pressure on vendors can prevent security woes
April 23rd, 2008
A Positive Impact on Web Application Security
February 10, 2007
Web application firewalls critical piece of the app security puzzle
February 1, 2006
Web application firewalls prime for integrators
January 23, 2006
Consortium helps define Web application firewalls
January 23, 2006
WASC launches its Websecurity mailing list
May 10, 2005
McAfee's e-commerce play
March 7, 2005
Insecure indexing risk dissected
March 1, 2005
Next Wave: Security hole offers a way in
September 30, 2004
WASC Tackles Web Application Security
February 27, 2004
Five Web Security Firms Form Consortium
February 24, 2004
Can Security Birds Catch Computer Worm?
February 20, 2004
Consortium to Target Web App Security
February 18, 2004
Web Application Security Consortium
The Web Application Security Consortium (WASC) is a 501(c)(3) non-profit made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.
As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security.
Volunteering to participate in WASC related activities is free and open to all.
How to contribute
If you're interested in website or application security, start by subscribing to our mailing list, 'The Web Security Mailing List', the most popular application security related mailing list on the web, with thousands of subscribers interested in everything appsec. If you would like to participate in an existing project, go to the project page for the project you wish to help on (see the projects below) and contact the project leader listed there. If you would like to create a new project not listed here, first review our charter, then use our contact form to submit your proposal and let us know what is on your mind. Joining WASC costs you nothing.
Web Security Articles
The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security.
The Web Hacking Incidents Database
The Web Hacking Incidents Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents.
Web Application Security Scanner Evaluation Criteria
The Web Application Security Scanner Evaluation Criteria is a set of guidelines for evaluating web application security scanners on their identification of web application vulnerabilities and on how complete that identification is.
Distributed Open Proxy Honeypots
This project will use one of the web attacker's most trusted tools against him - the Open Proxy server. Instead of being the target of the attacks, we opt to be used as a conduit of the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy servers (or proxypots), we aim to take a bird's-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis on the HTTP traffic to categorize the requests into the threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.
The Script Mapping Project
The purpose of the WASC Script Mapping Project is to come up with an exhaustive list of vectors to execute script within a web page without the use of <script> tags. This data can be useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an HTML whitelist system, as well as for other uses.
Web Security Glossary
The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to further clarify the language used within the community.
WASC Threat Classification v2 (new)
The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language and definitions for web security related issues.
Web Application Firewall Evaluation Criteria
The goal of this project is to develop detailed web application firewall (WAF) evaluation criteria: a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution.
Web Application Security Statistics
The WASC Statistics Project is the first attempt at an industry-wide collection of application vulnerability statistics in order to identify the existence and proliferation of application security issues on enterprise websites. Anonymous data correlating vulnerability numbers and trends across organization size, industry vertical and geographic area is being collected and analyzed to identify the prevalence of threats facing today's online businesses. Such empirical data aims to provide the first true statistics on application layer vulnerabilities. Using the Web Security Threat Classification as a baseline, data is currently being collected and contributed by more than half a dozen major security vendors, with the list of contributors growing regularly. We are actively seeking others to contribute data.