Web Application Security Consortium Establishes Official Charter and Delivers Web Security Threat Classification
Group Promotes Industry Standard Terminology of Web Security Threats
LAS VEGAS, Nev. - July 28, 2004 - Web Application Security Consortium (WASC), a group dedicated to developing and
promoting "security standards of best practice" for the World Wide Web, announced the completion of the WASC official
Charter and Web Security Threat Classification. Rising to meet the escalating challenges of Web security, WASC, through
a collaborative effort, focuses on assisting developers, security professionals and software vendors. WASC members include
industry professionals and representatives from Application Security, NT OBJECTives, Inc., Sanctum, SPI Dynamics, Inc. and
WhiteHat Security.
The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a
Web site. The members of the WASC created this project to develop and promote industry standard terminology for describing
these issues. With the creation of the Web Security Threat Classification, application developers, security professionals,
software vendors and compliance auditors have access to a consistent language for Web security-related issues.
"The Web Application Security Consortium brings together leading experts in the field to
develop a common classification of Web application security problems," said Jeremiah Grossman, spokesperson and co-founder
of WASC. "WASC members are eager to continue the momentum of our efforts and look forward to new projects to share with the
security community."
Web security vulnerabilities continually affect the critical risk of doing business on the Web. When any Web security
vulnerability is identified, performing the attack requires using at least one of several application attack techniques,
or classes of attack. These techniques include types of attacks such as Buffer Overflows, SQL Injection and Cross-Site
Scripting. As a baseline, the class of attack is the method the Web Security Threat Classification uses to explain and
organize the threats to a Web site. The Web Security Threat Classification compiles and distills the known unique classes
of attack that have presented a threat to Web sites in the past. Independent security review methodologies, secure
development guidelines, and product/service capability requirements will all benefit from WASC's Web Security Threat
Classification.
WASC has identified its primary objectives to best address the challenges of developing security standards for the Web,
which include:
1. Identify the security risks to e-business and privacy on the Web.
2. Establish consistent technical terminology relating to Web security issues.
3. Establish Web application security standards of best practice for secure software development, independent
security review and policy guidelines.
WASC welcomes feedback and contribution from the industry. For more information on becoming a member of WASC, please visit
http://www.webappsec.org or e-mail contact@webappsec.org.
About the Web Application Security Consortium
Founded in January 2004, the Web Application Security Consortium (WASC) is a group of top security experts dedicated to
developing and promoting standards of best practice for the World Wide Web. Through firsthand experience, WASC members
understand the risks of conducting business online and the challenges of securing Web sites against all conceivable
threats. WASC will improve Web application security by assisting application developers, security professionals and
software vendors. Through a collaborative effort with the community, WASC feels strongly that significant progress
can be made to enhance the overall security of the Web. For more information, please visit the Web Application Security
Consortium homepage: http://www.webappsec.org