Projects

image

Projects for Good

We are a community of developers, technologists and evangelists improving the security of software. The OWASP Foundation gives aspiring open source projects a platform to improve the security of software with:

• Visibility: Our website gets more than six million visitors a year

• Credibility: OWASP is well known in the AppSec community

• Resources: Funding and Project Summits are available for qualifying Programs

• Community: Our Conferences and Local Chapters connect Projects with users

OWASP Projects are a collection of related tasks that have a defined roadmap and team members. Our projects are open source and are built by our community of volunteers - people just like you! OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 100 active projects, and new project applications are submitted every week.

Code, software, reference material, documentation, and community all working to secure the world's software.

Projects gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project minimally has their own webpage, mailing list, and Slack Channel. Most projects maintain their content in our GitHub organization.

Who Should Start an OWASP Project?

• Application Developers

• Software Architects

• Information Security Authors

• Those who would like the support of a world wide professional community to develop or test an idea.

OWASP Projects, the SDLC, and the Security Wayfinder

Thanks to the OWASP Integration Standards Project for mapping OWASP projects in a diagram of the Software Development LifeCycle. This resource should help you determine which projects fit into your SDLC.

Requirements

Design

Docs

Implementation

Guides

After N Iterations

Verification

Metrics

Training/Education

Iterate

Culture Building & Process Maturing

Guides

Policy Gap Evaluation

Tools

Frameworks

Threat Modeling

CheatSheet Series

Proactive Controls

Go SCP

ZAP

Amass

Nettacker

OWTF

Secure Libraries

Dependency Track

Dependency Check

ESAPI

CSRFGuard

Vulnerability Management

Glue

Dracon

Defect Dojo

ASVS

MASVS

Threat Dragon

Threat Modeling Talks

PyTM

Application Security Wayfinder

Security Champions Playbook

SAMM

Code Pulse

Operation

Mod Security CRS

Cornucopia

SecurityRAT

Top 10

Juice Shop

Security Shepherd

API Top 10

Mobile Top 10

WebGoat

PyGoat

Snakes & Ladders

WSTG

MSTG

SAMM

ASVS

MASVS

ASVS

MASVS

SKF

Brought to you by the Integration standards project

Linking requirements and guidance across standards through the Common Requirement Enumeration.

Dependencies

OWASP Project Inventory (255)

All OWASP tools, document, and code library projects are organized into the following categories:

Flagship Projects: The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. Lab Projects: OWASP Labs projects represent projects that have produced an OWASP reviewed deliverable of value. Incubator Projects: OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.

List of Projects by Level or Type

Flagship Projects

• OWASP Amass

• OWASP Application Security Verification Standard

• OWASP Cheat Sheet Series

• OWASP CSRFGuard

• OWASP CycloneDX

• OWASP Defectdojo

• OWASP Dependency-Check

• OWASP Dependency-Track

• OWASP Juice Shop

• OWASP Mobile Security Testing Guide

• OWASP ModSecurity Core Rule Set

• OWASP OWTF

• OWASP SAMM

• OWASP Security Knowledge Framework

• OWASP Security Shepherd

• OWASP Top Ten

• OWASP Web Security Testing Guide

• OWASP ZAP

Lab Projects

• OWASP AntiSamy

• OWASP API Security Project

• OWASP Attack Surface Detector

• OWASP Automated Threats to Web Applications

• OWASP Benchmark

• OWASP Code Pulse

• OWASP Code Review Guide

• OWASP Coraza Web Application Firewall

• OWASP Cornucopia

• OWASP Devsecops Maturity Model

• OWASP Enterprise Security API (ESAPI)

• OWASP Find Security Bugs

• OWASP Integration Standards

• OWASP Internet of Things

• OWASP Java HTML Sanitizer

• OWASP mobile security

• OWASP Mobile Top 10

• OWASP Mutillidae II

• OWASP Podcast

• OWASP Proactive Controls

• OWASP pytm

• OWASP SamuraiWTF

• OWASP Secure Coding Dojo

• OWASP secureCodeBox

• OWASP SecureTea Project

• OWASP Security Pins

• OWASP Snakes And Ladders

• OWASP Software Component Verification Standard

• OWASP Threat Dragon

• OWASP Top 10 Privacy Risks

• OWASP TorBot

• OWASP Vulnerable Web Applications Directory

• OWASP WebGoat

• OWASP WrongSecrets

Incubator Projects

• OWASP .Net

• OWASP aegis4j

• OWASP Android Security Inspector Toolkit

• OWASP APICheck

• OWASP Application Gateway

• OWASP Application Security Awareness Campaigns

• OWASP Appsec Pipeline

• OWASP Barbarus

• OWASP Big Data Security Verification Standard

• OWASP Bug Logging Tool

• OWASP Cloud-Native Security Project

• OWASP Code the Flag

• OWASP Core Business Application Security

• OWASP CSRFProtector Project

• OWASP Cyber Controls Matrix (OCCM)

• OWASP Cyber Defense Framework

• OWASP Cyber Defense Matrix

• OWASP Cyber Scavenger Hunt

• OWASP D4N155

• OWASP Data Security Top 10

• OWASP Desktop App Security Top 10

• OWASP AppSec Days Developer Outreach Program

• OWASP DevSlop

• OWASP Docker Top 10

• OWASP DPD (DDOS Prevention using DPI)

• OWASP G0rKing

• OWASP Go Secure Coding Practices Guide

• OWASP Honeypot

• OWASP How to Get Into AppSec

• OWASP Information Security Metrics Bank

• OWASP Kubernetes Top Ten

• OWASP Maryam

• OWASP Mobile Audit

• OWASP Nettacker

• OWASP Nightingale

• OWASP Node.js Goat

• OWASP O-Saft

• OWASP Ontology Driven Threat Modeling Framework

• OWASP Open Source Security Application Platform

• OWASP Patton

• OWASP Penetration Testing Kit

• OWASP PenText

• OWASP Port and Service Information

• OWASP PurpleTeam

• OWASP Pygoat

• OWASP Raider

• OWASP Risk Assessment Framework

• OWASP Sectudo

• OWASP Secure Headers Project

• OWASP Secure Logging Benchmark

• OWASP SecureFlag Open Platform

• OWASP Security Culture

• OWASP Security Qualitative Metrics

• OWASP SecurityRAT

• OWASP Serverless Top 10

• OWASP SideKEK

• OWASP Snow

• OWASP Project Spotlight Series

• OWASP Single Sign-On

• OWASP Thick Client Security Testing Guide

• OWASP Threat and Safeguard Matrix (TaSM)

• OWASP Threat Modeling Project

• OWASP Threat Model Cookbook

• OWASP Threat Modeling Playbook (OTMP)

• OWASP TimeGap Theory

• OWASP Top 10 Card Game

• OWASP Top 10 Client-Side Security Risks

• OWASP Top 10 Low-Code/No-Code Security Risks

• OWASP Vulnerability Management Center

• OWASP Vulnerability Management Guide

• OWASP VulnerableApp

• OWASP VulnerableApp-Facade

• OWASP Web Application Firewall Evaluation Criteria Project (WAFEC)

• OWASP Web Mapper

• OWASP Web Testing Environment

Projects Needing Website Update

• OWASP Access Log Parser

• OWASP AndroGoat

• OWASP Anti-Ransomware Guide

• OWASP Application Security Curriculum

• OWASP Application Security Hardening

• OWASP AppSec Minimum Requirements

• OWASP Auth

• OWASP belva

• OWASP Best Practices In Vulnerability Disclosure And Bug Bounty Programs

• OWASP Blend

• OWASP Blockchain Distributed Infrastructure

• OWASP Broken Web Applications

• OWASP ChainGoat

• OWASP cloud security

• OWASP Cloud Security Mentor

• OWASP Cloud Security Testing Guide

• OWASP Cloud Testing Guide

• OWASP CloudSheep

• OWASP Container Security Verification Standard

• OWASP Ctf

• OWASP Cyber Security Enterprise Operations Architecture

• OWASP Cybersecurity Risk Register

• OWASP Damn Vulnerable Crypto Wallet

• OWASP Damn Vulnerable Thick Client Application

• OWASP deepviolet-tls-ssl-scanner

• OWASP DevSecOps Verification Standard

• OWASP Drill

• OWASP Ende

• OWASP Financial Systems Security

• OWASP Game Security Framework

• OWASP Glue Tool

• OWASP hacking-lab

• OWASP Igoat Tool

• OWASP Incident Response

• OWASP InjectBot

• OWASP internet of things top 10

• OWASP Iot Analytics 4Industry4

• OWASP JavaScript Security

• OWASP Joomscan

• OWASP Jotp

• OWASP Json Sanitizer

• OWASP jvmxray

• OWASP Knowledge Based Authentication Performance Metrics

• OWASP Laravel Goat

• OWASP Learning Gateway

• OWASP little web application firewall

• OWASP Lock It

• OWASP Low Code Security

• OWASP Machine Learning Security Top 10

• OWASP Mth3L3M3Nt Framework

• OWASP Nasi Lemak

• OWASP O2 Platform

• OWASP Off The Record 4 Java

• OWASP Online Academy

• OWASP Open AppSec Tooling API

• OWASP Passfault

• OWASP Php

• OWASP Php Security Training

• OWASP Python Honeypot

• OWASP Python Security

• OWASP Pyttacker

• OWASP Qrljacker

• OWASP rat

• OWASP Redteam Toolkit

• OWASP Revelo

• OWASP Reverse Engineering And Code Modification Prevention

• OWASP Seclists

• OWASP Secure Coding Practices-Quick Reference Guide

• OWASP Secure Medical Device Deployment Standard

• OWASP Security Busters

• OWASP Security Champions Guidebook

• OWASP Security Integration System

• OWASP Security Logging

• OWASP Security Resource Framework

• OWASP SEDATED®

• OWASP Seeker

• OWASP Software Composition Security

• OWASP SupplyChainGoat

• OWASP Threatspec

• OWASP TOCTOURex

• OWASP Top 10 Fuer Entwickler

• OWASP University Challenge

• OWASP Vbscan

• OWASP Vicnum

• OWASP Virtual Patching Best Practices

• OWASP VITCC Open Source Initiative

• OWASP Voice Automated Application Security

• OWASP Vue 3 Password Input

• OWASP Vulnerable Web Application

• OWASP webgoat php

• OWASP Webspa

• OWASP Wpbullet

• OWASP Zsc Tool

Standards Projects

Tool Projects

• OWASP Amass

• OWASP CSRFGuard

• OWASP Defectdojo

• OWASP Dependency-Check

• OWASP Dependency-Track

• OWASP Juice Shop

• OWASP OWTF

• OWASP Security Knowledge Framework

• OWASP Security Shepherd

• OWASP ZAP

• OWASP AntiSamy

• OWASP Attack Surface Detector

• OWASP Benchmark

• OWASP Code Pulse

• OWASP Find Security Bugs

• OWASP Java HTML Sanitizer

• OWASP pytm

• OWASP secureCodeBox

• OWASP SecureTea Project

• OWASP Threat Dragon

• OWASP WebGoat

• OWASP WrongSecrets

• OWASP APICheck

• OWASP Application Gateway

• OWASP Bug Logging Tool

• OWASP G0rKing

• OWASP Maryam

• OWASP Mobile Audit

• OWASP Nettacker

• OWASP Nightingale

• OWASP O-Saft

• OWASP Ontology Driven Threat Modeling Framework

• OWASP Patton

• OWASP PenText

• OWASP PurpleTeam

• OWASP Raider

• OWASP Risk Assessment Framework

• OWASP SecureFlag Open Platform

• OWASP SecurityRAT

• OWASP Single Sign-On

• OWASP Web Testing Environment

• OWASP AWScanner

• OWASP crAPI

• OWASP SecureBank

• OWASP WinFIM.NET

• OWASP Intelligent Intrusion Detection System

• OWASP Jupiter

• OWASP Seraphimdroid

• OWASP belva

• OWASP Broken Web Applications

• OWASP Damn Vulnerable Crypto Wallet

• OWASP Ende

• OWASP Glue Tool

• OWASP Igoat Tool

• OWASP Jotp

• OWASP Mth3L3M3Nt Framework

• OWASP O2 Platform

• OWASP Passfault

• OWASP Php Security Training

• OWASP Python Honeypot

• OWASP Python Security

• OWASP Pyttacker

• OWASP Qrljacker

• OWASP rat

• OWASP Revelo

• OWASP Security Integration System

• OWASP Seeker

• OWASP Vbscan

• OWASP Vicnum

• OWASP Voice Automated Application Security

• OWASP webgoat php

• OWASP Webspa

• OWASP Wpbullet

• OWASP Zsc Tool

Documentation Projects

• OWASP Cheat Sheet Series

• OWASP Mobile Security Testing Guide

• OWASP SAMM

• OWASP Top Ten

• OWASP Web Security Testing Guide

• OWASP API Security Project

• OWASP Automated Threats to Web Applications

• OWASP Code Review Guide

• OWASP Cornucopia

• OWASP Devsecops Maturity Model

• OWASP Integration Standards

• OWASP Mobile Top 10

• OWASP Proactive Controls

• OWASP Security Pins

• OWASP Snakes And Ladders

• OWASP Software Component Verification Standard

• OWASP Top 10 Privacy Risks

• OWASP TorBot

• OWASP Vulnerable Web Applications Directory

• OWASP .Net

• OWASP Application Security Awareness Campaigns

• OWASP Appsec Pipeline

• OWASP Cloud-Native Security Project

• OWASP Cyber Controls Matrix (OCCM)

• OWASP Cyber Defense Matrix

• OWASP Data Security Top 10

• OWASP Desktop App Security Top 10

• OWASP DevSlop

• OWASP Docker Top 10

• OWASP Go Secure Coding Practices Guide

• OWASP Honeypot

• OWASP Information Security Metrics Bank

• OWASP Secure Headers Project

• OWASP Secure Logging Benchmark

• OWASP Security Culture

• OWASP Security Qualitative Metrics

• OWASP Serverless Top 10

• OWASP Threat and Safeguard Matrix (TaSM)

• OWASP Threat Modeling Project

• OWASP Threat Model Cookbook

• OWASP Threat Modeling Playbook (OTMP)

• OWASP Top 10 Card Game

• OWASP Top 10 Client-Side Security Risks

• OWASP Top 10 Low-Code/No-Code Security Risks

• OWASP Vulnerability Management Guide

• OWASP Web Mapper

• OWASP AppSensor

• OWASP Cloud-Native Application Security Top 10

• OWASP DevSecOps Guideline

• OWASP Embedded Application Security

• OWASP Software Security 5D Framework

• OWASP Anti-Ransomware Guide

• OWASP Application Security Curriculum

• OWASP Best Practices In Vulnerability Disclosure And Bug Bounty Programs

• OWASP cloud security

• OWASP Cloud Testing Guide

• OWASP Container Security Verification Standard

• OWASP Ctf

• OWASP Game Security Framework

• OWASP hacking-lab

• OWASP Incident Response

• OWASP internet of things top 10

• OWASP Iot Analytics 4Industry4

• OWASP Knowledge Based Authentication Performance Metrics

• OWASP Machine Learning Security Top 10

• OWASP Php

• OWASP Reverse Engineering And Code Modification Prevention

• OWASP Seclists

• OWASP Secure Coding Practices-Quick Reference Guide

• OWASP Secure Medical Device Deployment Standard

• OWASP Security Busters

• OWASP Software Composition Security

• OWASP Top 10 Fuer Entwickler

• OWASP University Challenge

• OWASP Virtual Patching Best Practices

Code Projects

• OWASP ModSecurity Core Rule Set

• OWASP Coraza Web Application Firewall

• OWASP Enterprise Security API (ESAPI)

• OWASP Mutillidae II

• OWASP SamuraiWTF

• OWASP Secure Coding Dojo

• OWASP aegis4j

• OWASP Barbarus

• OWASP CSRFProtector Project

• OWASP Cyber Scavenger Hunt

• OWASP Node.js Goat

• OWASP Penetration Testing Kit

• OWASP SideKEK

• OWASP TimeGap Theory

• OWASP VulnerableApp

• OWASP VulnerableApp-Facade

• ASVS-Graph

• OWASP DVSA

• OWASP Java Encoder

• OWASP Zezengorri Code

• OWASP Auth

• OWASP Cloud Security Mentor

• OWASP deepviolet-tls-ssl-scanner

• OWASP Json Sanitizer

• OWASP Learning Gateway

• OWASP little web application firewall

• OWASP Lock It

• OWASP Off The Record 4 Java

• OWASP Online Academy

• OWASP Security Logging

• OWASP SEDATED®

• OWASP Threatspec

• OWASP Vulnerable Web Application

Other Projects

• OWASP Podcast

• OWASP Project Spotlight Series

• OWASP Enterprise DevSecOps

$(function(){ $('#projects-type').click(function(){ $('#project-list-level').hide(); $('#project-list-type').show(); $('#projects-level').removeClass('active'); $('#projects-type').addClass('active'); $('#projects-level').addClass('inactive'); $('#projects-type').removeClass('inactive'); }); $('#projects-level').click(function(){ $('#project-list-type').hide(); $('#project-list-level').show(); $('#projects-type').removeClass('active'); $('#projects-level').addClass('active'); $('#projects-level').removeClass('inactive'); $('#projects-type').addClass('inactive'); }); });

---

Flagship Projects

Projects that have demonstrated strategic value to OWASP and application security as a whole

---

Standards Projects

OWASP Application Security Verification Standard

The OWASP Application Security Verification Standard (ASVS) Project is a framework of security requirements that focus on defining the security controls required when designing, developing and testing modern web applications and web services.

OWASP CycloneDX

CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

Tool Projects

OWASP Amass

An advanced open source tool to help information security professionals perform network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques!

OWASP CSRFGuard

OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.

OWASP Defectdojo

The leading open source application vulnerability management tool built for DevOps and continuous security integration.

OWASP Dependency-Check

Dependency-Check is a Software Composition Analysis (SCA) tool suite that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.

OWASP Dependency-Track

Intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

OWASP Juice Shop

Probably the most modern and sophisticated insecure web application for security trainings, awareness demos and CTFs. Also great voluntary guinea pig for your security tools and DevSecOps pipelines!

OWASP OWTF

Offensive Web Testing Framework (OWTF), is an OWASP+PTES focused try to unite great tools and make pen testing more efficient, written mostly in Python.

OWASP Security Knowledge Framework

The OWASP Security Knowledge Framework is an open source web application that explains secure coding principles in multiple programming languages. The goal of OWASP-SKF is to help you learn and integrate security by design in your software development and build applications that are secure by design.

OWASP Security Shepherd

OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.

OWASP ZAP

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers. Great for pentesters, devs, QA, and CI/CD integration.

Documentation Projects

OWASP Cheat Sheet Series

The OWASP Cheat Sheet Series project provides a set of concise good practice guides for application developers and defenders to follow.

OWASP Mobile Security Testing Guide

The OWASP Mobile Security Testing Guide project consists of a series of documents that establish a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.

OWASP SAMM

A Software Assurance Maturity Model (SAMM) that provides an effective and measurable way for all types of organizations to analyse and improve their software security posture.

OWASP Top Ten

The OWASP Top 10 is the reference standard for the most critical web application security risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing your software development culture focused on producing secure code.

OWASP Web Security Testing Guide

The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.

Code Projects

OWASP ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.