What is the Web Application Security Consortium?
The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.

As an active community, WASC facilitates the exchange ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security.

Volunteering to participate in WASC related activities is free and open to all.

WASC will improve web application security by assisting developers, security professionals and software vendors. Through a collaborative effort with the community, WASC feels strongly that significant progress can be achieved to enhance the overall security of the Web.

What is web application security?
Web application security covers the technology layers starting with the web server and follows through to the software created to run online banks, eCommerce, auctions, webmail, etc. As a general rule, if the application communicates over http, it is under the scope of web application security.

Security solutions such as firewalls, intrusion detection, anti-virus, and network scanners do not protect against web application attack. To address these new threats, the security industry must adopt new technologies, new methodologies and new solutions.

What are the business problems WASC is addressing?
There is confusion in the market place because the web application security industry has not adopted consistent technical terminology. Customers should be able to easily understand the threats to their web sites and choose solutions that mitigate those risks.

What is needed to solve these problems?
Industry experts and solutions providers must combine their efforts to provide the web application security marketplace with guidance and direction. The industry must standardize its terminology and develop its own standards of best practice. Those efforts must be reflected in software design, security policies, reporting, audit guidelines, solution capabilities, etc.

What is the solution to the problem?
WASC will develop standard terminology and documentation used throughout the web application security industry. Using this framework, WASC will provide the industry guidance by developing security standards of best practice. Organizations will be able to use the material for policy guidelines, secure software design, audit review checklists and selection of security solutions.

What are the benefits to companies, application developers, information security professionals and software vendors?
Customers will benefit by having a baseline to evaluate security solutions by comparing web security threats to product capability. A standard framework is helpful for developing web application security policies, safe software development practices, risk assessment guidelines and audit & control checklists. Also, application developers, security professionals, software vendors and compliance auditors will have access to consistent industry guidance and standards of best practice.

When was WASC established?
WASC was founded in January 2004.

Who are the current officers of WASC?
Please see the Officers section.

Who does the work of WASC?
Projects are developed and released by WASC charter members.

How is WASC different from other groups such as OWASP, OASIS-AVDL and OASIS-WAS?
WASC is different from other groups by acting as a public resource for industry guidance, freely exchangeable literature and documented standards. The focus of WASC is to help facilitate web application security standards of best practice.

Groups such as OWASP and OASIS are goal-oriented and focused on easing information exchange through creating standard XML formats. OWASP currently has open-source web security software development projects underway as well as documentation initiatives.

Will WASC only focus on web application security issues?
Yes. WASC will focus only on the web application security layer.

How is WASC funded?
WASC’s efforts are supported and funded by its volunteers and sponsors.

Who do I contact with questions about WASC?
Jeremiah Grossman – Spokesperson (contact@webappsec.org)

Who do I contact with questions about one of the WASC projects?
Contact the appropriate project leader.

How do I participate in WASC?
Jeremiah Grossman – Spokesperson (contact@webappsec.org)

Where can I find more information about WASC?
The Web Application Security Consortium Homepage