WASC in the News
Web Application Firewall Criteria
PCWorld
February 2011

Hackers Put Social Networks Such as Twitter in Crosshairs
PCWorld
December 2010

Real-World Software Security
InformationWeek
August 2010

Companies should not use free security testing tools exclusively
ZDNetAsia
April 2010

Google Gives Away Free Web Application Security Scanner
PCWorld
March 2010

Google open sources web app security scanner
TheRegister
March 2010

The State of Web Security Issues
ComputerWorld
February 2010

Phishers target Yahoo login credentials
TechTarget
December 9th, 2009

Brute-force attacks target two-year hole in Yahoo! Mail
TheRegister
September 18th, 2009

A Web security policy can save you money and embarrassment
BusinessDailyAfrica
September 3rd, 2009

Why Hackers Hack Websites
PC Welt
April 20th, 2009

Web apps account for 80 percent of internet vulnerabilities
SC Magazine
March 19th, 2009

Forecast: Technologies Transforming the Data Center in 2009
Computer Technology Review
January 14th, 2009

The Web is more dangerous, and U.S. is biggest culprit
Government Computer News
December 10th, 2008

Statistical Validation of the IE8 XSS Filter
Microsoft Internet Explorer Blog
September 29th, 2008

The web application vulnerability landscape
Help Net Security
September 10th, 2008

Report: In-Depth Analysis Finds More Severe Web Flaws
Darkreading
September 10th, 2008

Facebook security snafu could compromise accounts
ComputerWorld
May 23rd, 2008

Mass SQL Attack a Wake-Up Call for Developers
TechNewsWorld
April 28th, 2008

Users Urge Vendors to Build in Security
Washington Post
April 23rd, 2008

Pressure on vendors can prevent security woes
InfoWorld
April 23rd, 2008

A Positive Impact on Web Application Security
SAP INFO
February 10, 2007

Web application firewalls critical piece of the app security puzzle
SearchAppSecurity.com
February 1, 2006

Web application firewalls prime for integrators
COMPUTERWORLD
January 23, 2006

Consortium helps define Web application firewalls
Network World
January 23, 2006

WASC Launches Its Websecurity Mailing List
Vulnerabilite.com
May 10, 2005

McAfee's e-commerce play
Red Herring
March 7, 2005

Insecure indexing risk dissected
The Register
March 1, 2005

Next Wave: Security hole offers a way in
Red Herring
September 30, 2004

WASC Tackles Web Application Security
BetaNews
February 27, 2004


Five Web Security Firms Form Consortium
TechWeb
February 24, 2004


Can Security Birds Catch Computer Worm?
IPS
February 20, 2004


Consortium to Target Web App Security
eWeek
February 18, 2004



Web Application Security Consortium
The Web Application Security Consortium (WASC) is a 501c3 non-profit made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.

As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security.

Volunteering to participate in WASC related activities is free and open to all.

How to contribute
If you're interested in website or application security, you can first subscribe to our mailing list, 'The Web Security Mailing List'. This has thousands of subscribers interested in everything appsec. If you are interested in participating in an existing project, visit the project page and contact the project leader listed on the page. If you're interested in creating a project, first review our charter, then use our contact form and submit your proposal.


WASC Projects

Interested in application security and want to help? For starters, consider subscribing to The Web Security Mailing List, the most popular application security related mailing list on the web. You can also help us by contributing to one of the projects below. Simply go to the project you wish to help on, and contact the project leader. Joining WASC costs you nothing. Do you want to work on a new project not listed here? Please contact us using our contact form and let us know what is on your mind.



Web Security Articles
The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web application security.


The Web Hacking Incidents Database
The Web Hacking Incidents Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents.


Web Application Security Scanner Evaluation Criteria
The Web Application Security Scanner Evaluation Criteria is a set of guidelines for evaluating web application security scanners on their identification of web application vulnerabilities and the completeness of that identification.


Distributed Open Proxy Honeypots
This project will use one of the web attacker's most trusted tools against him - the Open Proxy server. Instead of being the target of the attacks, we opt to be used as a conduit of the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy servers (or proxypots), we aim to take a bird's-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis on the HTTP traffic to categorize the requests into threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.


The Script Mapping Project
The purpose of the WASC Script Mapping Project is to come up with an exhaustive list of vectors to execute script within a web page without the use of <script> tags. This data can be useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an HTML whitelist system, as well as for other uses.


Web Security Glossary
The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to further clarify the language used within the community.


WASC Threat Classification v2 (new)
The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language and definitions for web security related issues.


Web Application Firewall Evaluation Criteria
The goal of this project is to develop detailed web application firewall (WAF) evaluation criteria: a testing methodology that can be used by any reasonably skilled technician to independently assess the quality of a WAF solution.


Web Application Security Statistics
The WASC Statistics Project is the first attempt at an industry-wide collection of application vulnerability statistics in order to identify the existence and proliferation of application security issues on enterprise websites. Anonymous data correlating vulnerability numbers and trends across organization size, industry vertical and geographic area are being collected and analyzed to identify the prevalence of threats facing today's online businesses. Such empirical data aims to provide the first true statistics on application layer vulnerabilities. Using the Web Security Threat Classification as a baseline, data is currently being collected and contributed by more than a half dozen major security vendors, with the list of contributors growing regularly. We are actively seeking others to contribute data.

Web Security List
  • [WEB SECURITY] Ruxcon 2014 Final Call For Presentations
  • [WEB SECURITY] Call for Submissions: The 9th International Conference for Internet Technology and Secured Transactions (ICITST-2014)!

Web Security news
  • Malicious CA's continue to cause headaches
  • WASC Announcement: Static Analysis Technologies Evaluation Criteria Published
  • Poll: How do you rank the importance of a vulnerability?
  • Five pieces of advice for those new to the infosec industry
  • Security Industry Plagiarism: Finding 3 examples in 5 minutes with Google
  • Quick defcon/blackhat preparation list
  • Summary of Google+ browser security protections
  • Paper: Web Application finger printing Methods/Techniques and Prevention
  • Oracle website vulnerable to SQL Injection
  • WASC Announcement: 'Static Analysis Tool Evaluation Criteria' Call For Participants

© Copyright 2005, Web Application Security Consortium. All rights reserved. Hosting sponsored by FireHost