Projects
Projects for Good
We are a community of developers, technologists and evangelists improving the security of software. The OWASP Foundation gives aspiring open source projects a platform to improve the security of software with:
- Visibility: Our website gets more than six million visitors a year
- Credibility: OWASP is well known in the AppSec community
- Resources: Funding and Project Summits are available for qualifying Programs
- Community: Our Conferences and Local Chapters connect Projects with users
OWASP Projects are a collection of related tasks that have a defined roadmap and team members. Our projects are open source and are built by our community of volunteers - people just like you! OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has over 100 active projects, and new project applications are submitted every week.
Code, software, reference material, documentation, and community all working to secure the world's software.
Projects give members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project has, at a minimum, its own webpage, mailing list, and Slack channel. Most projects maintain their content in our GitHub organization.
Who Should Start an OWASP Project?
- Application Developers
- Software Architects
- Information Security Authors
- Those who would like the support of a worldwide professional community to develop or test an idea.
Project Guidance
You can find more information about project levels, promotion criteria, and best practices at the Project Committee pages.
OWASP Projects, the SDLC, and the Security Wayfinder
Thanks to the OWASP Integration Standards Project for mapping OWASP projects onto a diagram of the Software Development Life Cycle. This resource should help you determine which projects fit into your SDLC.
OWASP Project Inventory (370)
All OWASP tool, document, and code library projects are organized into the following categories:
Flagship Projects: The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.
Production Projects: OWASP Production projects are production-ready projects.
Other Projects: The Lab and Incubator projects can be found here.
List of Projects by Level or Type
Flagship Projects
- OWASP Amass
An open source framework that helps information security professionals perform network mapping of attack surfaces and external asset discovery using open source intelligence gathering and reconnaissance techniques!
- OWASP Application Security Verification Standard (ASVS)
The OWASP Application Security Verification Standard (ASVS) Project is a framework of security requirements that focuses on defining the security controls required when designing, developing and testing modern web applications and web services.
- OWASP Cheat Sheet Series
The OWASP Cheat Sheet Series project provides a set of concise good practice guides for application developers and defenders to follow.
- OWASP CycloneDX (ECMA-424)
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.
- OWASP Defectdojo
The leading open source application vulnerability management tool built for DevOps and continuous security integration.
- OWASP Dependency-Check
Dependency-Check is a Software Composition Analysis (SCA) tool suite that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.
- OWASP Dependency-Track
Intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
- OWASP Juice Shop
Probably the most modern and sophisticated insecure web application for security trainings, awareness demos and CTFs. Also great voluntary guinea pig for your security tools and DevSecOps pipelines!
- OWASP Mobile Application Security
The OWASP Mobile Application Security (MAS) project consists of a series of documents that establish a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile application security assessment, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.
- OWASP CRS
The OWASP CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
- OWASP OWTF
The Offensive Web Testing Framework (OWTF) is an OWASP- and PTES-focused attempt to unite great tools and make pen testing more efficient. It is written mostly in Python.
- OWASP SAMM
A Software Assurance Maturity Model (SAMM) that provides an effective and measurable way for all types of organizations to analyse and improve their software security posture.
- OWASP Security Shepherd
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.
- OWASP Top Ten
The OWASP Top 10 is the reference standard for the most critical web application security risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing your software development culture into one focused on producing secure code.
- OWASP Web Security Testing Guide
The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
Production Projects
- OWASP API Security Project
More info soon...
- OWASP Bug Logging Tool
OWASP BLT is a tool that enables internet users to report all kinds of issues they encounter, thereby improving internet security. Its unique feature is rewarding users for bug reporting and allowing companies to launch their own bug hunting programs, promoting responsible disclosure and fostering a safer online environment.
- OWASP Coraza Web Application Firewall
OWASP Coraza is an enterprise-grade WAF framework written in Go, compatible with ModSecurity and the OWASP Core Rule Set.
- OWASP CSRFGuard
OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
- OWASP ModSecurity
ModSecurity is the standard open-source web application firewall (WAF) engine.
- OWASP SamuraiWTF
SamuraiWTF (Web Training Framework) is a collection of tools and training bundled into a platform to provide a lab environment and training on web application testing.
- OWASP Secure Headers Project
Provides technical information about HTTP security headers.
- OWASP WrongSecrets
Examples of how not to use secrets.
Code Projects
- OWASP API Security Testing Framework
- OWASP ASVS Security Evaluation Templates with Nuclei
- OWASP ASVS-Graph
- OWASP AWScanner
- OWASP Access Log Parser
- OWASP Amass
- OWASP AntiSamy
- OWASP Application Gateway
- OWASP Appsec Discovery
- OWASP Attack Surface Detector
- OWASP Auto DevSecOps
- OWASP Benchmark
- OWASP Bug Logging Tool
- OWASP CRS
- OWASP CSRFGuard
- OWASP Cervantes
- OWASP Chirps
- OWASP Code Pulse
- OWASP Coraza Web Application Firewall
- OWASP DVSA
- OWASP Data Analysis Visualization and Ingestion Domain (DAVID)
- OWASP DeepSecrets
- OWASP Defectdojo
- OWASP Dependency-Check
- OWASP Dependency-Track
- OWASP Domain Protect
- OWASP Dragon-GPT
- OWASP EKS Goat
- OWASP Ende
- OWASP Enterprise Security API (ESAPI)
- OWASP Faction
- OWASP Find Security Bugs
- OWASP Four Clover
- OWASP Glue Tool
- OWASP HACTU8
- OWASP Intelligent Intrusion Detection System
- OWASP Java Encoder
- OWASP Java HTML Sanitizer
- OWASP Juice Shop
- OWASP Jupiter
- OWASP Maryam
- OWASP Mimosa
- OWASP Mobile Audit
- OWASP ModSecurity
- OWASP Mutillidae II
- OWASP Nest
- OWASP Netryx
- OWASP Nettacker
- OWASP Node.js Goat
- OWASP Noir
- OWASP O-Saft
- OWASP OWTF
- OWASP Ontology Driven Threat Modeling Framework
- OWASP Open SAMMY
- OWASP PCI DSS Toolkit
- OWASP PSIRT
- OWASP PenText
- OWASP Penetration Testing Kit
- OWASP PurpleTeam
- OWASP Qrljacker
- OWASP Raider
- OWASP Risk Assessment Framework
- OWASP SAMMwise
- OWASP SAP Threat Modeling Builder
- OWASP SEDATED®
- OWASP SamuraiWTF
- OWASP Sasori
- OWASP ScrapPy
- OWASP Secure Coding Dojo
- OWASP SecureBank
- OWASP SecureTea Project
- OWASP Security Shepherd
- OWASP Security-C4PO
- OWASP SecurityRAT
- OWASP Seraphimdroid
- OWASP Threat Dragon
- OWASP Threat Model Library
- OWASP Threat Model Vault
- OWASP VulnerableApp
- OWASP VulnerableApp-Facade
- OWASP WAF Advanced Ruleset Management
- OWASP WAF-A-MoLE
- OWASP WebGoat
- OWASP WinFIM.NET
- OWASP WrongSecrets
- OWASP Zezengorri Code
- OWASP aegis4j
- OWASP crAPI
- OWASP dep-scan
- OWASP iGoat Tool
- OWASP pytm
- OWASP safetypes
- OWASP secureCodeBox
- OWASP untrust
- OWASP-js
Documentation Projects
- OWASP AI Maturity Assessment
- OWASP AI Security and Privacy Guide
- OWASP AIBOM
- OWASP Antiforensics Project
- OWASP API Security Project
- OWASP Application Security Awareness Campaigns
- OWASP Application Security Curriculum
- OWASP AppSensor
- OWASP Authoritative Privacy Reference Project
- OWASP Automated Threats to Web Applications
- OWASP BlockChain AppSec Standard
- OWASP Certified Secure Developer
- OWASP Cheat Sheet Series
- OWASP Cloud-Native Application Security Top 10
- OWASP Cloud Tenant Isolation
- OWASP Code Review Guide
- OWASP Common Lifecycle Enumeration
- OWASP Consigliere - Your SAST Fixing Advisor
- OWASP Cornucopia
- OWASP Cumulus
- OWASP Data Security Top 10
- OWASP Desktop App Security Top 10
- OWASP Developer Guide
- OWASP DevSecOps Automation Matrix
- OWASP DevSecOps Guideline
- OWASP Devsecops Maturity Model
- OWASP DevSecOps Top 10
- OWASP DevSecOps Verification Standard
- OWASP DevSlop
- OWASP Docker Top 10
- OWASP Dojo Shield
- OWASP Dungeons and Daemons
- OWASP Embedded Application Security
- OWASP GameSec Framework
- OWASP Go Secure Coding Practices Guide
- OWASP hacking-lab
- OWASP Honeypot
- OWASP Infrastructure Security Testing Guide
- OWASP Integration Standards
- OWASP internet of things top 10
- OWASP IoT Security Testing Guide
- OWASP LLM Security Verification Standard
- OWASP Machine Learning Security Top Ten
- OWASP Mobile Application Security
- OWASP Mobile Top 10
- OWASP Non-Human Identities Top 10
- OWASP Top 10 Risks for Open Source Software
- OWASP Operational Technology Top 10
- OWASP OT Top Ten
- OWASP Penetration Test Reporting Standard (OPTRS)
- OWASP Pentest Best Practices
- OWASP ProdSecMan
- OWASP Product Security Capability Framework
- OWASP RBTM
- OWASP Reverse Engineering And Code Modification Prevention
- OWASP SAMM
- OWASP Secure Coding Practices-Quick Reference Guide
- OWASP Secure Headers Project
- OWASP Secure Logging Benchmark
- OWASP Security Bridge
- OWASP Security Culture
- OWASP Security Pins
- OWASP Serverless Top 10
- OWASP SCSTG
- OWASP Smart Contract Security Verification Standard
- OWASP Smart Contract Top 10
- OWASP Snakes And Ladders
- OWASP Software Component Verification Standard
- OWASP Software Security 5D Framework
- OWASP State of AppSec Survey
- OWASP Threat and Safeguard Matrix (TaSM)
- OWASP Threat Modeling Project
- OWASP Threat Modeling Playbook (OTMP)
- OWASP Top 10 CI/CD Security Risks
- OWASP Top 10 Client-Side Security Risks
- OWASP Top 10 Drone Security Risks
- OWASP Top 10 for Business Logic Abuse
- OWASP Top 10 for Large Language Model Applications
- OWASP Top 10 for Maritime Security
- OWASP Top 10 in XR
- OWASP Low-Code/No-Code Top 10
- OWASP Top 10 Privacy Risks
- OWASP Top 25 Parameters
- OWASP Top Ten
- OWASP TorBot
- OWASP Vulnerability Management Guide
- OWASP Vulnerable Web Applications Directory
- OWASP Web Hacking Incident Database
- OWASP Web Mapper
- OWASP Web Security Testing Guide
- OWASP Wi-Fi Security Testing Guide
Other Projects
Flagship Projects by Type
Projects that have demonstrated strategic value to OWASP and application security as a whole (descriptions are given in the Flagship Projects list above).
Standards Projects
- OWASP Application Security Verification Standard (ASVS)
- OWASP CycloneDX (ECMA-424)
Documentation Projects
- OWASP Cheat Sheet Series
- OWASP Mobile Application Security
- OWASP SAMM
- OWASP Top Ten
- OWASP Web Security Testing Guide
Code Projects
- OWASP Amass
- OWASP Defectdojo
- OWASP Dependency-Check
- OWASP Dependency-Track
- OWASP Juice Shop
- OWASP CRS
- OWASP OWTF
- OWASP Security Shepherd