- The OWASP Top Ten is a great place to start; it gives you the main issues that you should be looking at.
- Projects like SAMM (the Software Assurance Maturity Model) allow you to measure and model your company's practices, with different maturity targets depending on what you want to achieve.
- The ASVS (Application Security Verification Standard) allows you to map your software assessment (and verification) practices, in a much more focused way, to an 'official' verification standard.
- The ESAPI project is trying to create a template of good security controls that you should be able to (re)use. Ideally you (or the frameworks you use) should adopt the code and make sure that all the areas covered by ESAPI are handled by your application (remember, security doesn't happen by accident).
- Also very useful (especially in 'outsourced development' scenarios) is the Legal project, which can really help you ensure the inclusion of 'security related' clauses in software development contracts (this project gives you background information and templates that you can use in your legal contracts).
- For the actual 'hands-on' testing and web application review you have the Testing Guide, Code Review Guide and Developer's Guide, documents that help you understand how to test (and secure) web applications.
- And finally, WebGoat is a great project because it allows people to gain awareness of security implications. One of the things a company should do is 'make every major developer go through the WebGoat exercises' (this will have a dramatic effect in helping them understand the implications of web application security vulnerabilities).
- Note I: there are many more OWASP projects (the above are just a small sample).
- Note II: As a big company, you are going to have employees spread across the globe whose skills you need to keep up to date. The OWASP chapters (154 at last count) and OWASP AppSec conferences (15 in 2009) are a great way to get your people involved and raise their security knowledge.
One important issue to raise is that today there are already a lot of 'security related' activities done internally within companies and big corporations.
In practical terms this means that today substantial funds (i.e. money) are already being spent developing standards or documents that would be much better served if they were produced in an open environment, with the results shared back to everybody (this would also allow those companies to leverage the knowledge of the OWASP community).
One of the things I would hope to see more and more in the future is companies doing some (or all) of their internal 'web application security' research through OWASP.
This could be done by a) paying internal staff (i.e. employees) to work on OWASP projects, or b) giving OWASP grants (which would help OWASP do a greater job).
The best part of this model is that everyone, including the original company, would benefit.
In fact, in most cases (I believe) it will be more cost effective (from a value-for-money / ROI / deliverables point of view) to do these engagements through OWASP rather than independently within the company.