What is the Web Application Security Consortium?
The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.
As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize our materials to assist with the challenges presented by web application security.
Volunteering to participate in WASC-related activities is free and open to all.
WASC will improve web application security by
assisting developers, security professionals and software vendors.
Through a collaborative effort with the community, WASC feels strongly
that significant progress can be achieved to enhance the overall
security of the Web.
What is web application security?
Web application security covers the technology layers starting with
the web server and follows through to the software created to run
online banks, eCommerce, auctions, webmail, etc. As a general rule,
if the application communicates over HTTP, it is under the scope
of web application security.
Security solutions such as firewalls, intrusion
detection, anti-virus, and network scanners do not protect against
web application attacks. To address these new threats, the security
industry must adopt new technologies, new methodologies and new
solutions.
What are the business problems WASC is addressing?
There is confusion in the marketplace because the web application
security industry has not adopted consistent technical terminology.
Customers should be able to easily understand the threats to their
web sites and choose solutions that mitigate those risks.
What is needed to solve these problems?
Industry experts and solutions providers must combine their efforts
to provide the web application security marketplace with guidance
and direction. The industry must standardize its terminology and
develop its own standards of best practice. Those efforts must be
reflected in software design, security policies, reporting, audit
guidelines, solution capabilities, etc.
What is the solution to the problem?
WASC will develop standard terminology and documentation used throughout
the web application security industry. Using this framework, WASC
will provide the industry guidance by developing security standards
of best practice. Organizations will be able to use the material
for policy guidelines, secure software design, audit review checklists
and selection of security solutions.
What are the benefits to companies, application developers, information security professionals and software vendors?
Customers will benefit by having a baseline to evaluate security
solutions by comparing web security threats to product capability.
A standard framework is helpful for developing web application security
policies, safe software development practices, risk assessment guidelines
and audit & control checklists. Also, application developers,
security professionals, software vendors and compliance auditors
will have access to consistent industry guidance and standards of
best practice.
When was WASC established?
WASC was founded in January 2004.
Who are the current officers of WASC?
Please see the Officers section.
Who does the work of WASC?
Projects are developed and released by WASC charter members.
How is WASC different from other groups such as OWASP, OASIS-AVDL and OASIS-WAS?
WASC is different from other groups by acting as a public resource
for industry guidance, freely exchangeable literature and documented
standards. The focus of WASC is to help facilitate web application
security standards of best practice.
Groups such as OWASP and OASIS are goal-oriented and focused on
easing information exchange through creating standard XML formats.
OWASP currently has open-source web security software development
projects underway as well as documentation initiatives.
Will WASC only focus on web application security issues?
Yes. WASC will focus only on the web application security layer.
How is WASC funded?
WASC’s efforts are supported and funded by its volunteers and sponsors.
Who do I contact with questions about WASC?
Jeremiah Grossman – Spokesperson (contact@webappsec.org)
Who do I contact with questions about one of the WASC projects?
Contact the appropriate project leader.
How do I participate in WASC?
Jeremiah Grossman – Spokesperson (contact@webappsec.org)
Where can I find more information about WASC?
The Web Application Security Consortium Homepage
http://www.webappsec.org