

CMP Media has written a nice comparison chart between WASC (an organization I co-founded :) and OWASP. While I may not agree with everything in this article, it does clearly outline a few key points between the two organizations. However, I *don't* agree with the following:

"Two organizations promise to help. The Open Web Application Security Project (OWASP) mainly targets software developers and the application architects who manage them, aiming to stamp out security bugs in the applications themselves. The Web Application Security Consortium (WASC) is broader, focusing on threat classification and all means of mitigation.

The two are sometimes seen as rivals because they were founded by competing penetration-testing firms and take different approaches to security. But for most enterprises, both approaches are necessary: OWASP can help harden applications, while WASC can help ensure that any remaining vulnerabilities aren't exploited. All their code and documentation is freely available for in-house use, so there's no reason not to select the best of both worlds." - CMP

<Start of Rant>
Now some people involved in WASC can be considered 'competition' (OWASP, I'm sure, has a few people competing against each other as well, which is normal), but I don't consider us rivals. I'd also like to clear up that the organization was founded by myself and a good friend of mine (who, yes, works at a firm :). While I do work for a security vendor, WASC was not created *solely* by vendors for the purpose of vendor interests. The purpose of WASC is to promote proper security practices regardless of the department you're in (IT Manager, QA/Tester, Developer, Architect, Penetration Tester, etc.) through education via our organization's "Projects". The GIF linked below also mentions that WASC doesn't release 'code'. At this time we have no immediate plans to release any code, but it isn't entirely ruled out (it is entirely dependent on a specific project's needs).
<End of Rant>

Article Link: http://www.itarchitect.com/shared/article/showArticle.jhtml;

Image Chart Link: http://i.cmpnet.com/networkmagazine/content/200511/2011tech2b.gif

