Projects
Projects for Good
We are a community of developers, technologists and evangelists improving the security of software. The OWASP Foundation gives aspiring open source projects a platform to improve the security of software with:
- Visibility: Our website gets more than six million visitors a year
- Credibility: OWASP is well known in the AppSec community
- Resources: Funding and Project Summits are available for qualifying Programs
- Community: Our Conferences and Local Chapters connect Projects with users
OWASP Projects are a collection of related tasks that have a defined roadmap and team members. Our projects are open source and are built by our community of volunteers - people just like you! OWASP project leaders are responsible for defining the vision, roadmap, and tasks for the project. The project leader also promotes the project and builds the team. OWASP currently has ‘over ‘93’ active projects’, and new project applications are submitted every week.
Code, software, reference material, documentation, and community all working to secure the world's software.
Projects gives members an opportunity to freely test theories and ideas with the professional advice and support of the OWASP community. Every project minimally has their own webpage, mailing list, and Slack Channel. Most projects maintain their content in our GitHub organization.
Who Should Start an OWASP Project?
- Application Developers
- Software Architects
- Information Security Authors
- Those who would like the support of a world wide professional community to develop or test an idea.
OWASP Project Inventory
All OWASP tools, document, and code library projects are organized into the following categories:
Flagship Projects: The OWASP Flagship designation is given to projects that have demonstrated strategic value to OWASP and application security as a whole.
Lab Projects: OWASP Labs projects represent projects that have produced an OWASP reviewed deliverable of value.
Incubator Projects: OWASP Incubator projects represent the experimental playground where projects are still being fleshed out, ideas are still being proven, and development is still underway.
List of Projects by Level or Type
Flagship Projects 
- OWASP Amass
- OWASP Application Security Verification Standard
- OWASP Cheat Sheet Series
- OWASP CSRFGuard
- OWASP Defectdojo
- OWASP Dependency-Check
- OWASP Dependency-Track
- OWASP Juice Shop
- OWASP Mobile Security Testing Guide
- OWASP Mobile Top 10
- OWASP ModSecurity Core Rule Set
- OWASP OWTF
- OWASP Risk Assessment Framework
- OWASP SAMM
- OWASP security Knowledge Framework
- OWASP Security Shepherd
- OWASP Top Ten
- OWASP Web Security Testing Guide
- OWASP ZAP
Lab Projects 
- OWASP AntiSamy
- OWASP API Security Project
- OWASP Automated Threats to Web Applications
- OWASP Benchmark
- OWASP Code Pulse
- OWASP Cornucopia
- OWASP Enterprise Security API (ESAPI)
- OWASP Internet of Things
- OWASP mobile security
- OWASP Proactive Controls
- OWASP Pygoat
- OWASP Snakes And Ladders
- OWASP Top 10 Privacy Risks
- OWASP WebGoat
Incubator Projects 
- OWASP Appsec Pipeline
- OWASP Attack Surface Detector
- OWASP CSRFProtector Project
- OWASP Cyber Controls Matrix (OCCM)
- OWASP Cyber Defense Matrix
- OWASP D4N155
- OWASP DevSlop
- OWASP Docker Top 10
- OWASP DPD (DDOS Prevention using DPI)
- OWASP Go Secure Coding Practices Guide
- OWASP Honeypot
- OWASP Information Security Metrics Bank
- OWASP Node.js Goat
- OWASP pytm
- OWASP SamuraiWTF
- OWASP Secure Coding Dojo
- OWASP Secure Headers Project
- OWASP secureCodeBox
- OWASP SecureFlag Community Edition
- OWASP SecureTea Project
- OWASP SecurityRAT
- OWASP Serverless Top 10
- OWASP Software Component Verification Standard
- OWASP Single Sign-On
- OWASP Threat Dragon
- OWASP TimeGap Theory
- OWASP Vulnerability Management Guide
- OWASP Vulnerable Web Applications Directory
- OWASP VulnerableApp
- OWASP Web Mapper
Projects Needing Website Update
- OWASP Access Log Parser
- OWASP Android Security Inspector Toolkit
- OWASP Anti-Ransomware Guide
- OWASP Application Security Curriculum
- OWASP Appsensor
- OWASP Auth
- OWASP Automotive EMB 60
- OWASP belva
- OWASP Best Practices In Vulnerability Disclosure And Bug Bounty Programs
- OWASP Blockchain Security Framework
- OWASP Broken Web Applications
- OWASP Bug Logging Tool
- OWASP Cloud-Native Application Security Top 10
- OWASP cloud security
- OWASP Cloud Security Mentor
- OWASP Cloud Testing Guide
- OWASP Code Review Guide
- OWASP Container Security Verification Standard
- OWASP Core Business Application Security
- OWASP Ctf
- OWASP Cyber Security Enterprise Operations Architecture
- OWASP Damn Vulnerable Crypto Wallet
- OWASP deepviolet-tls-ssl-scanner
- OWASP Drill
- OWASP Ende
- OWASP Find Security Bugs
- OWASP Game Security Framework
- OWASP Glue Tool
- OWASP hacking-lab
- OWASP Igoat Tool
- OWASP Incident Response
- OWASP internet of things top 10
- OWASP Iot Analytics 4Industry4
- OWASP Java Encoder
- OWASP Java Html Sanitizer
- OWASP Jotp
- OWASP Json Sanitizer
- OWASP jvmxray
- OWASP Knowledge Based Authentication Performance Metrics
- OWASP Learning Gateway
- OWASP little web application firewall
- OWASP Lock It
- OWASP Machine Learning Security Top 10
- OWASP Media
- OWASP Mth3L3M3Nt Framework
- OWASP O-Saft
- OWASP O2 Platform
- OWASP Off The Record 4 Java
- OWASP Online Academy
- OWASP Passfault
- OWASP Patton
- OWASP Php
- OWASP Php Security Training
- OWASP Podcast
- OWASP Python Honeypot
- OWASP Python Security
- OWASP Pyttacker
- OWASP Qrljacker
- OWASP rat
- OWASP Redteam Toolkit
- OWASP Revelo
- OWASP Reverse Engineering And Code Modification Prevention
- OWASP Rfp-Criteria
- OWASP Seclists
- OWASP Secure Coding Practices-Quick Reference Guide
- OWASP Secure Medical Device Deployment Standard
- OWASP Security Busters
- OWASP Security Integration System
- OWASP Security Logging
- OWASP Sedated
- OWASP Seeker
- OWASP Serverless Goat
- OWASP SideKEK
- OWASP Software Composition Security
- OWASP Software Security 5D Framework
- OWASP Thick Client Top 10
- OWASP Threat Model
- OWASP Threatspec
- OWASP Top 10 Fuer Entwickler
- OWASP University Challenge
- OWASP Vbscan
- OWASP Vicnum
- OWASP Virtual Patching Best Practices
- OWASP Voice Automated Application Security
- OWASP Vulnerable Web Application
- OWASP wafec
- OWASP Web Testing Environment
- OWASP webgoat php
- OWASP Webspa
- OWASP Wpbullet
- OWASP [GROUPNAME]
- OWASP Zsc Tool
Flagship Projects
Projects that have demonstrated strategic value to OWASP and application security as a whole
Tool Projects
OWASP Amass
An advanced open source tool to help information security professionals perform network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques!
OWASP CSRFGuard
More info soon…
OWASP Defectdojo
The leading open source application vulnerability management tool built for DevOps and continuous security integration.
OWASP Dependency-Check
Dependency-Check is a Software Composition Analysis (SCA) tool suite that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.
OWASP Dependency-Track
Intelligent Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components.
OWASP Juice Shop
Probably the most modern and sophisticated insecure web application for security trainings, awareness demos and CTFs. Also great voluntary guinea pig for your security tools and DevSecOps pipelines!
OWASP OWTF
Offensive Web Testing Framework (OWTF), is an OWASP+PTES focused try to unite great tools and make pen testing more efficient, written mostly in Python.
OWASP Risk Assessment Framework
More info soon…
OWASP Security Shepherd
More info soon…
OWASP ZAP
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers. Great for pentesters, devs, QA, and CI/CD integration.
Documentation Projects
OWASP Application Security Verification Standard
More info soon…
OWASP Cheat Sheet Series
The OWASP Cheat Sheet Series project provides a set of concise good practice guides for application developers and defenders to follow.
OWASP Mobile Security Testing Guide
More info soon…
OWASP SAMM
More info soon…
OWASP Top Ten
The OWASP Top 10 is the reference standard for the most critical web application security risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing your software development culture focused on producing secure code.
OWASP Web Security Testing Guide
The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
Code Projects
OWASP ModSecurity Core Rule Set
More info soon…