OWASP Integration Standards

The goal of the Integration Standards project is to facilitate technical interaction between software security initiatives inside and outside OWASP: links between documents and data exchange between tools. More interaction reduces the fragmentation and complexity of the standards landscape, which has been making it hard for developers, testers, and procurement to set and apply appropriate standards and to reach a shared understanding.

Four deliverables are specified:

  • A study of OWASP in the SDLC (see below)
  • The Security wayfinder (see below): an interactive overview of OWASP projects and how they are related
  • The Open Common Requirement Enumeration or OpenCRE: a mechanism to link between the content of standards and guidelines on multiple levels of topics, bringing together requirements, testing strategies, tool rules, countermeasures, and links to existing repositories of threats and weaknesses. OpenCRE has been released in beta at opencre.org.
  • An SDLC tool exchange standard on how security initiatives can be integrated by exchanging data regarding different elements of the software development lifecycle (instructions, requirements, tests, test results, threats, findings).

Project history and roadmap

  • Q3 2020:
    • ✔ OWASP in the SDLC article was written, reviewed, and published.
    • ✔ Security wayfinder was finalized and published.
  • Q3 2021: OpenCRE beta release
  • Added to OpenCRE: Top 10, ASVS, Cheat Sheets, Proactive Controls, CAPEC, CWE, ZAP rules, NIST 800-53, NIST 800-63b and the Cloud Controls Matrix. Many collaborations, including with CSA, SKF and OpenSSF.
  • May 2023: Release of the OpenCRE structure update to accommodate more process-oriented standards such as ISO 27001.

OWASP Projects, the SDLC and the Security wayfinder

In an effort to provide a high-level map of how OWASP’s projects link to the SDLC, a document detailing OWASP in the SDLC was written. In addition, we mapped OWASP projects onto a diagram of the Software Development Lifecycle, summarized in the interactive WayFinder below: