
I have a very poor opinion of OWASP content, because the couple of areas I’ve paid any attention to have never been any better than mediocre, clearly written by amateurs long ago and largely unmaintained ever since, with known errors and heavily misleading statements hanging around for over a decade on no or unsound justification, among many other problems obvious to any that actually know the field. (See https://hn.algolia.com/?query=chrismorgan%20owasp&type=comme... for a few comments with somewhat more detail, but things have historically been just so bad and so obviously bad that I haven’t bothered enumerating more than the issue that has annoyed me the most.)

(Sigh. I see that as part of fixing a lot of the obvious unsuitability of https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Sc... some time in the past two years—and it is much better now, though there are still a few dodgy things about it in both content and presentation—they reintroduced the erroneous advice to entity-encode /, which was only finally removed two years ago. Feel free to try to get that fixed, anyone; for my part, I have no interest in trying to work with OWASP.)
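As an added illustration of the output-encoding point raised in the comment above (this is example code, not from the commenter or from the OWASP cheat sheet), the following JavaScript escapes the characters that actually change parsing in HTML text content and double-quoted attribute values. The forward slash has no special meaning in either context, so it is deliberately left untouched; the sample display name is constructed for the demo.

```javascript
// HTML-context output encoder (added example, not from the thread).
// In element content and double-quoted attribute values, only & < > " and '
// can alter how the markup is parsed. "/" carries no meaning there, so the
// encoder does not touch it.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed scenario: a user-supplied display name is rendered both as
// element content and inside a double-quoted attribute. Both positions are
// covered by the same encoder because the same character set matters in each.
function renderProfile(displayName) {
  const safe = escapeHtml(displayName);
  return `<div class="name" data-name="${safe}">${safe}</div>`;
}

// Sanity check used by the demo: after encoding, the only angle brackets in
// the output are the ones from our own template.
function hasOnlyTemplateTags(html) {
  const stripped = html.replace(/^<div class="name" data-name="[^"]*">/, '').replace(/<\/div>$/, '');
  return !/[<>]/.test(stripped);
}

// Usage:
//   renderProfile('Tom & "Jerry" <b>')
//   -> <div class="name" data-name="Tom &amp; &quot;Jerry&quot; &lt;b&gt;">Tom &amp; &quot;Jerry&quot; &lt;b&gt;</div>
```

Note that the encoder is only correct for the two contexts named in the comments; a value placed inside a `<script>` block, a URL, or an unquoted attribute needs a different encoder, which is exactly the sort of context distinction a reference sheet has to get right.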




They didn’t reintroduce the error; it was never completely fixed. I created an issue for it. https://github.com/OWASP/CheatSheetSeries/issues/1089



Wow, I have not seen many of the errors that you have come across! That is good to know about.

In regards to freely available information about security, are there other resources you can recommend? Something that I find myself constantly being asked is “how should I protect my code” from engineers. I really fail to find much better freely accessible content in one place than the content available on OWASP.

Not that this would help the quality of the content, but maybe ML can help here? I know a lot of very skilled security people who post on various places around the Internet and an ML search engine to help you find relevant security material might be helpful?

At the company I work for, we are building an ML chat bot that would allow you to ask questions about security vulnerabilities and get linked to the relevant material to help you make your own determination about relevancy.


This is exactly the subject matter that using a chat bot is incredibly dangerous for. The difference between "looks good but fundamentally broken" and "logically sound" in security arguments is very small. The consumer of the content is likely to have little to no developed taste on the matter (or they would seek out more specific resources).

If you have some authoritative curation of the resources it may have promise, but the question becomes, why not have the product of the curation be directly consumable, rather than feed it through an opaque layer?

Inventing problems here, people. It was a nice society while it lasted.


To me, the value of an ML tool would be in the step after we run things through static analysis (e.g. linters for bad coding practices, SCA scans for known CVEs) and before we send this off to our security team for an internal audit and pen test. It would be a tool that we add to our existing tool set, so that we can catch issues earlier, rather than something to replace our pen testers.

Even if you do have some authoritative curation of resources, it's difficult for dev teams to consume it. And even for those who do understand security, it requires a lot of tedious work to check through. I wish it weren't the case, but the reality is that most teams don't have the specialist skills or the motivation to grind away at this for a significant chunk of their time.


I agree with you, and further would say that this has been the case with OWASP for at least a decade.

My take about OWASP on HN has generally been: they're effective at producing communication tools that raise the salience of application security, especially within large companies. And that's about it.

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...


I think that is how I view them. In particular, I am always surprised when people don't know of them, but I also don't advocate for them too heavily.

Do you have any similar group that you do recommend?


It's not at all the same thing but I try to keep up with whatever PortSwigger is writing on their site, and it's usually pretty high-value.


Agreed, that matches my experience too, it's the clueless leading the clueless. I actively steer people away from OWASP regarding training and reference materials.


What’s the best alternative?


This doesn't exactly answer your question, but if you want a basic course for software developers in how to develop secure software, check out this free course from the OpenSSF: https://openssf.org/training/courses/

Full disclosure: I'm the primary author.


There is a big difference between cheatsheets and an educational course. That isn't at all to say that the course isn't valuable, but if I want to know what the current best practices for hashing a password are (what algorithm with what parameters, etc.) I want a quick reference that is kept up to date.


Where are you steering them to?



