
Open Web Application Security Project - sharemywin
https://www.owasp.org/index.php/Main_Page
======
eterm
I found their top 10 really approachable. Of course I knew some of the more
common things such as SQL-injection and knew of other things but didn't know
their name such as CSRF.

It was great to formalise independent knowledge into a common language I could
discuss with colleagues, and the examples were things you could take straight
from the PDF to the workplace. I don't work in infosec and it really helps to
have clear guidance to give to less security minded people to say not just
that it really _is_ bad if people can inject javascript or cause arbitrary
redirects or make arbitrary requests from the server, but to give clear
indication of how bad relative to each other.

It also gives some ideas for how to find issues which is of use for anyone
hoping to bag a bug bounty, although there are some more useful resources now
for that such as Yaworski's "Web Hacking 101" [1] which should also be
essential reading for any web developers who don't quite understand _that
security stuff_ well enough to find bug bounties but still want to keep aware
of the kind of ways their platforms may fall prey to security bugs.

Getting back to the top 10, I look forward to its release this year. It is
important to keep up with changing trends in web application security. The
release candidate notes that CSRF has dropped because frameworks now include
csrf protection configured in the defaults, in part because of the work that
groups such as OWASP do.

If you work in web application development you owe it to everyone else to get
a cursory education in web application security. If you are not doing that you
are an externality cost that everyone else has to bear.

[1] [https://leanpub.com/web-hacking-101](https://leanpub.com/web-hacking-101)
(It was available free from hacker one for a while, I'm not sure if they still
run that offer.)
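
The point about frameworks shipping CSRF protection in their defaults is easier to see with the mechanism written out. Below is an added illustration (not code from the post, from OWASP, or from any particular framework) of the synchronizer-token pattern: the same state-changing handler in its vulnerable form and its hardened form, with dicts standing in for a framework's session and request objects. The handler names, the `transfer` action and the constructed forged/legitimate requests are all assumptions for the example.

```python
"""Synchronizer-token CSRF check: a vulnerable handler beside its hardened form.

Added illustration, not code from OWASP or from any web framework. Requests
and sessions are plain dicts standing in for a real framework's objects.
"""
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Mint a per-session token; the server keeps it and embeds it in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def transfer_vulnerable(session, request):
    """Acts on any POST that arrives with a valid session: classic CSRF."""
    if request["method"] in SAFE_METHODS:
        return 405, "method not allowed"
    if "user" not in session:
        return 401, "not logged in"
    # The browser attaches the session cookie automatically, so a form posted
    # from an attacker's page succeeds even though the user never intended it.
    session.setdefault("transfers", []).append(request["form"]["to"])
    return 200, "transferred"


def transfer_protected(session, request):
    """Same handler, but a state-changing request must echo the session token."""
    if request["method"] in SAFE_METHODS:
        return 405, "method not allowed"
    if "user" not in session:
        return 401, "not logged in"
    expected = session.get("csrf_token", "")
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison on bytes; a missing or mismatched token is
    # rejected before any state changes. A cross-site page cannot read the
    # token (same-origin policy), so the forged form cannot carry it.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "csrf token missing or invalid"
    session.setdefault("transfers", []).append(request["form"]["to"])
    return 200, "transferred"


def demo():
    """Constructed scenario: a logged-in user, a forged cross-site POST and a
    legitimate POST from the site's own form."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    forged = {"method": "POST", "form": {"to": "mallory"}}  # attacker's form: no token
    legit = {"method": "POST", "form": {"to": "bob", "csrf_token": token}}
    return {
        "vulnerable_forged": transfer_vulnerable(session, forged)[0],  # 200
        "protected_forged": transfer_protected(session, forged)[0],    # 403
        "protected_legit": transfer_protected(session, legit)[0],      # 200
        "transfers": list(session["transfers"]),  # ['mallory', 'bob']
    }


if __name__ == "__main__":
    print(demo())
```

This is what "configured in the defaults" buys: the middleware in a modern framework performs the `transfer_protected` check on every non-safe method without the developer having to remember it per handler. The token must still be kept out of URLs and out of anything a cross-site page could read, and safe methods must genuinely be free of side effects, or the check is bypassed by a simple `GET`.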

------
sharemywin
Someone in another thread mentioned this and found it interesting. Never heard
of it before.

[https://www.owasp.org/index.php/Top_10_2017-Top_10](https://www.owasp.org/index.php/Top_10_2017-Top_10)

