OWASP Integration Standards

The goal of the Integration Standards project is to facilitate technical interaction between software security initiatives inside OWASP and outside: links between documents and exchange between tools. More interaction reduces fragmentation and complexity of the standards landscape, which has made it hard for developers, testers, and procurement to set and apply appropriate standards and attain a shared understanding.

Four deliverables are specified:

  • A study of OWASP in the SDLC
  • The Security wayfinder (see below): an overview of OWASP projects and how they are related
  • The Common Requirement Enumeration or CRE: a mechanism to link between the content of standards and guidelines on multiple levels of topics, bringing together requirements, testing strategies, countermeasures, and links to existing repositories of threats and weaknesses. The CRE has been released in beta at opencre.org.
  • An SDLC tool exchange standard on how security initiatives can be integrated by exchanging data regarding different elements of the software development lifecycle (instructions, requirements, tests, test results, threats, findings).

Project roadmap

The below is a rough estimation as it is dependent on other projects’ time and availability.

  • End of Q3 2020:
    • ✔ OWASP in the SDLC article was written, reviewed, and published.
    • ✔ Security wayfinder was finalized and published.
  • End of Q3 2021: CRE beta release

The roadmap will be adjusted as the project moves forward.

OWASP Projects, the SDLC and the Security wayfinder

In an effort to provide a high-level map of how OWASP’s projects link to the SDLC, we wrote a document detailing OWASP in the SDLC. In addition, we performed a study of OWASP in the Software Development LifeCycle, summarized in the WayFinder diagram: