Projects Map
Discover 55+ OWASP projects by maturity level and type.
CycloneDX
Lightweight SBOM standard designed for use in application security contexts and supply chain component analysis.
Find Security Bugs
SpotBugs plugin for security audits of Java web applications detecting 140+ vulnerability patterns with 900+ unique APIs.
OWASP Amass
In-depth attack surface mapping and asset discovery tool using open source information gathering and active reconnaissance techniques.
OWASP API Security
Project focused on strategies and solutions to understand and mitigate unique security risks of APIs, including the API Security Top 10.
OWASP ASVS
Application Security Verification Standard providing a framework of security requirements for designing, developing and testing web applications.
OWASP Cheat Sheet Series
Concise collection of high-value information on specific application security topics for developers and security engineers.
OWASP Coraza
Enterprise-grade WAF framework supporting ModSecurity syntax, designed for high-performance API gateway and reverse proxy deployment.
OWASP CRS
ModSecurity Core Rule Set — generic attack detection rules for ModSecurity-compatible WAFs protecting against OWASP Top 10.
OWASP DefectDojo
Open-source application vulnerability management tool that streamlines testing through templating, report generation, and metrics.
OWASP Dependency-Check
Software Composition Analysis tool that detects publicly disclosed vulnerabilities contained within a project's dependencies.
OWASP Dependency-Track
Intelligent Component Analysis platform for identifying and reducing risk in the software supply chain.
OWASP Juice Shop
The most modern and sophisticated insecure web application for security training, CTFs, and awareness demos.
OWASP MAS
Mobile Application Security project providing the MASTG and MASVS standards for mobile app security testing and verification.
OWASP MASVS
Mobile Application Security Verification Standard — the security requirements for mobile apps used as penetration testing baseline.
OWASP Mobile Top 10
Top 10 mobile security risks awareness document covering improper platform usage, insecure data storage, and other mobile-specific threats.
OWASP SAMM
Software Assurance Maturity Model helps organizations formulate and implement a strategy for software security tailored to specific risks.
OWASP Security Shepherd
Web and mobile application security training platform designed to foster security knowledge in users of varying skill levels.
OWASP SKF
Security Knowledge Framework is an educational tool that explains secure coding principles in multiple programming languages.
OWASP Testing Guide
Comprehensive framework of best practices used by penetration testers worldwide to test web application security.
OWASP Threat Dragon
An open source threat modeling tool with a focus on usability, including UML-style diagrams and automatic threat generation.
OWASP Top 10
The standard awareness document for developers and web application security, representing broad consensus about the most critical security risks.
OWASP Top 10 CI/CD Security
Awareness document for CI/CD security risks covering pipeline poisoning, credential exposure, insufficient access controls, and more.
OWASP Top 10 for LLM Apps
Guidance on the most critical security risks for applications integrating Large Language Models, including prompt injection, data leakage, and more.
OWASP Top 10 Mapping
Comprehensive mapping of OWASP Top 10 categories to CWE identifiers, CVE examples, and mitigation strategies for developers.
OWASP WebGoat
A deliberately insecure web application for teaching web application security lessons in a safe environment.
OWASP WSTG
The Web Security Testing Guide is a comprehensive open source guide for testing the security of modern web applications.
OWASP ZAP
The world's most widely used web app scanner, actively maintained by a dedicated international team of volunteers.
Attack Surface Detector
Analyzes source code for web application endpoints and parameters to give security teams a comprehensive picture of the attack surface.
MobSF
Automated all-in-one mobile application penetration testing, malware analysis, and security assessment framework for Android and iOS.
OWASP AppSensor
Conceptual framework offering prescriptive guidance to implement intrusion detection and automated response into applications.
OWASP Benchmark
Test suite to evaluate the accuracy, coverage, and speed of automated software vulnerability detection tools (SAST, DAST, IAST).
OWASP CSRFGuard
Java library implementing the synchronizer token pattern to mitigate Cross-Site Request Forgery (CSRF) attacks.
OWASP Glue
Framework for running a series of security tools as part of an application security pipeline and CI/CD automation.
OWASP iGoat
A vulnerable iOS application built in Swift for learning iOS security and practicing mobile application penetration testing.
OWASP Juice Shop CTF
Tooling for setting up Juice Shop in CTF events — generate scoreboards, challenge flags, and integrate with CTF frameworks.
OWASP NodeGoat
A purposely vulnerable Node.js application to learn how OWASP Top 10 security risks apply to Node.js web applications.
OWASP O-Saft
SSL advanced forensic tool that shows SSL certificate information and tests SSL connections against cipher lists and TLS methods.
OWASP OWTF
Offensive Web Testing Framework uniting great tools and making pen testing more efficient via a web-based interface.
OWASP pytm
A Pythonic framework for threat modeling — define your system in Python, generate DFDs, sequence diagrams, and threats automatically.
OWASP RailsGoat
A vulnerable Ruby on Rails application demonstrating OWASP Top 10 vulnerabilities for security training.
OWASP Secure Coding Dojo
Training platform for practicing secure coding standards. Offers multiple training modules including developer challenges and pentesting labs.
OWASP VWAD
Vulnerable Web Applications Directory — a comprehensive list of known vulnerable web applications for security training.
OWASP WrongSecrets
Vulnerable app showing how NOT to use secrets, helping developers learn secret management best practices in cloud/container environments.
OWASP Cloud-Native Security
Security considerations and risks for cloud-native applications, covering containers, orchestration, service mesh, and serverless architectures.
OWASP crAPI
Completely Ridiculous API — a vulnerable-by-design API application for learning the OWASP API Security Top 10.
OWASP DevSecOps Testing Guide
Testing methodology for DevSecOps practitioners covering CI/CD pipeline security, supply chain security, and cloud infrastructure testing.
OWASP DSVW
Damn Small Vulnerable Web, written in less than 100 lines of Python code, covering numerous vulnerability classes for demos.
OWASP DVSA
Damn Vulnerable Serverless Application. Teaches serverless security risks by demonstrating intentional vulnerabilities in Lambda functions.
OWASP Maryam
Open-source OSINT framework for intelligence gathering, data collection, and reconnaissance on target organizations.
OWASP Nettacker
Automated penetration testing framework and information gathering tool with various vulnerability scanning modules.
OWASP NoSQL Injection
Project focused on NoSQL injection vulnerabilities, their detection, exploitation techniques, and mitigation strategies.
OWASP Serverless Top 10
Highlights security risks unique to serverless architectures including event-data injection, broken authentication, and over-privileged functions.
OWASP SwiftGoat
Vulnerable iOS app written in Swift using MVVM architecture, helping developers learn mobile security topics for iOS applications.
OWASP Timings API
A timing-attack testing solution that checks web applications for timing vulnerabilities in authentication and other flows.
OWASP WAD
Web Application Firewall Detection tool that analyzes HTTP responses to detect and fingerprint WAFs protecting web applications.