Web Application Security Consortium Establishes Official Charter and Delivers Web Security Threat Classification

Group Promotes Industry Standard Terminology of Web Security Threats


LAS VEGAS, Nev. - July 28, 2004 - Web Application Security Consortium (WASC), a group dedicated to developing and promoting "security standards of best practice" for the World Wide Web, announced the completion of the WASC official Charter and Web Security Threat Classification. Rising to meet the escalating challenges of Web security, WASC, through a collaborative effort, focuses on assisting developers, security professionals and software vendors. WASC members include industry professionals and representatives from Application Security, NT OBJECTives, Inc., Sanctum, SPI Dynamics, Inc. and WhiteHat Security.

The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a Web site. The members of the WASC created this project to develop and promote industry standard terminology for describing these issues. With the creation of the Web Security Threat Classification, application developers, security professionals, software vendors and compliance auditors have the ability to access a consistent language for Web security-related issues.

"The Web Application Security Consortium brings together leading experts in the field to develop a common classification of Web application security problems," said Jeremiah Grossman, spokesperson and co-founder of WASC. "WASC members are eager to continue the momentum of our efforts and look forward to new projects to share with the security community."

Web security vulnerabilities continually impact the critical risk of doing business on the Web. When any Web security vulnerability is identified, performing the attack requires using at least one of several application attack techniques, or classes of attack. These techniques include types of attacks such as Buffer Overflows, SQL Injection and Cross-Site Scripting. As a baseline, the class of attack is the method the Web Security Threat Classification uses to explain and organize the threats to a Web site. The Web Security Threat Classification compiles and distills the known unique classes of attack that have presented a threat to Web sites in the past. Independent security review methodologies, secure development guidelines, and product/service capability requirements will all benefit from WASC's Web Security Threat Classification.

WASC has identified its primary objectives to best address the challenges of developing security standards for the Web, which include:

1. Identify the security risks to e-business and privacy on the Web.
2. Establish consistent technical terminology relating to Web security issues.
3. Establish Web application security standards of best practice for secure software development, independent security review and policy guidelines.

WASC welcomes feedback and contribution from the industry. For more information on becoming a member of WASC, please visit http://www.webappsec.org or e-mail contact@webappsec.org.


About the Web Application Security Consortium

Founded in January 2004, the Web Application Security Consortium (WASC) is a group of top security experts dedicated to developing and promoting standards of best practice for the World Wide Web. Through firsthand experience, WASC members understand the risks of conducting business online and the challenges of securing Web sites against all conceivable threats. WASC will improve Web application security by assisting application developers, security professionals and software vendors. Through a collaborative effort with the community, WASC feels strongly that significant progress can be made to enhance the overall security of the Web. For more information, please visit the Web Application Security Consortium homepage: http://www.webappsec.org