Projects
Projects for Good
We are a community of developers, technologists and evangelists improving the security of software. The OWASP Foundation gives aspiring open source projects a platform to improve the security of software with:
Visibility: Our website gets more than six million visitors a year
Credibility: OWASP is well known in the AppSec community
Resources: Funding and Project Summits are available for qualifying Programs
Community: Our Conferences and Local Chapters connect Projects with users
OWASP Projects are a collection of related tasks that have a defined roadmap and team members. Our projects are open source and are built by our community of volunteers - people just like you! OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 100 active projects, and new project applications are submitted every week.
Code, software, reference material, documentation, and community all working to secure the world's software.
Projects gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project minimally has their own webpage, mailing list, and Slack Channel. Most projects maintain their content in our GitHub organization.
Who Should Start an OWASP Project?
Application Developers
Software Architects
Information Security Authors
Those who would like the support of a world wide professional community to develop or test an idea.
OWASP Projects, the SDLC, and the Security Wayfinder
Thanks to the OWASP Integration Standards Project for mapping OWASP projects in a diagram of the Software Development LifeCycle. This resource should help you determine which projects fit into your SDLC.
Requirements
Design
Docs
Implementation
Guides
After N Iterations
Verification
Metrics
Training/Education
Iterate
Culture Building & Process Maturing
Guides
Policy Gap Evaluation
Tools
Frameworks
Threat Modeling
CheatSheet Series
Proactive Controls
Go SCP
ZAP
Amass
Nettacker
OWTF
Secure Libraries
Dependency Track
Dependency Check
ESAPI
CSRFGuard
Vulnerability Management
Glue
Dracon
Defect Dojo
ASVS
MASVS
Threat Dragon
Threat Modeling Talks
PyTM
Application Security Wayfinder
Security Champions Playbook
SAMM
Code Pulse
Operation
Mod Security CRS
Cornucopia
SecurityRAT
Top 10
Juice Shop
Security Shepherd
API Top 10
Mobile Top 10
WebGoat
PyGoat
Snakes & Ladders
WSTG
MSTG
SAMM
ASVS
MASVS
ASVS
MASVS
SKF
Brought to you by the Integration standards project
Linking requirements and guidance across standards through the Common Requirement Enumeration.
Dependencies
OWASP Project Inventory (255)
All OWASP tools, document, and code library projects are organized into the following categories:
Flagship Projects: The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole. Lab Projects: OWASP Labs projects represent projects that have produced an OWASP reviewed deliverable of value. Incubator Projects: OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.
List of Projects by Level or Type
Flagship Projects 
Lab Projects 
Incubator Projects 
Projects Needing Website Update
Standards Projects
Tool Projects
Documentation Projects
Code Projects
Other Projects
$(function(){ $('#projects-type').click(function(){ $('#project-list-level').hide(); $('#project-list-type').show(); $('#projects-level').removeClass('active'); $('#projects-type').addClass('active'); $('#projects-level').addClass('inactive'); $('#projects-type').removeClass('inactive'); }); $('#projects-level').click(function(){ $('#project-list-type').hide(); $('#project-list-level').show(); $('#projects-type').removeClass('active'); $('#projects-level').addClass('active'); $('#projects-level').removeClass('inactive'); $('#projects-type').addClass('inactive'); }); });
Flagship Projects
Projects that have demonstrated strategic value to OWASP and application security as a whole
Standards Projects
The OWASP Application Security Verification Standard (ASVS) Project is a framework of security requirements that focus on defining the security controls required when designing, developing and testing modern web applications and web services.
CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
Tool Projects
An advanced open source tool to help information security professionals perform network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques!
OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
The leading open source application vulnerability management tool built for DevOps and continuous security integration.
Dependency-Check is a Software Composition Analysis (SCA) tool suite that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.
Intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
Probably the most modern and sophisticated insecure web application for security trainings, awareness demos and CTFs. Also great voluntary guinea pig for your security tools and DevSecOps pipelines!
Offensive Web Testing Framework (OWTF), is an OWASP+PTES focused try to unite great tools and make pen testing more efficient, written mostly in Python.
The OWASP Security Knowledge Framework is an open source web application that explains secure coding principles in multiple programming languages. The goal of OWASP-SKF is to help you learn and integrate security by design in your software development and build applications that are secure by design.
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers. Great for pentesters, devs, QA, and CI/CD integration.
Documentation Projects
The OWASP Cheat Sheet Series project provides a set of concise good practice guides for application developers and defenders to follow.
The OWASP Mobile Security Testing Guide project consists of a series of documents that establish a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.
A Software Assurance Maturity Model (SAMM) that provides an effective and measurable way for all types of organizations to analyse and improve their software security posture.
The OWASP Top 10 is the reference standard for the most critical web application security risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing your software development culture focused on producing secure code.
The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
Code Projects
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
Last updated