Introduction

Welcome to the totally re-written OWASP Guide 3.0! The OWASP Guide has been re-written to be:

  • Shorter
  • More applicable
  • More functional

The previous Guide contained information on how to review, attack and protect code. That is no longer necessary now that the Code Review Guide and Penetration Testing Guides have been completed. This version of the Guide concentrates upon writing solid, safe and secure code. By reducing the length of the Guide to no more than 150 pages, we hope that more architects, designers, business analysts, software engineers and developers will be able to digest the new version, thus creating safe and more secure applications. There will never be a one page version of this book.

Architects and designers should digest the first section and use the remaining sections like an encyclopedia or dictionary – looking up controls as necessary. Software engineers should read the entire Guide. The reasoning behind choosing certain controls is in the first section, and the controls themselves in the remaining sections.

Those who set policy are recommended to read as much as they can – only by knowledge of what can go wrong can organizations set policy to prevent the acquisition or development of insecure software.

It is far harder to write solid code than to destroy it. Necessarily, this book contains a great deal of information. Not every application will require every control, and thus it is necessary to.
