OWASP Developer Guide

Table of Contents

OWASP Developer Guide (draft)

A Guide to Building Secure Web Applications and Web Services

This draft version has the latest contributions to the Developer Guide so expect frequent changes in the content.

1 Introduction

2 Foundations
2.1 Security fundamentals
2.2 Secure development and integration
2.3 Principles of security
2.4 Principles of cryptography
2.5 OWASP Top 10

3 Requirements
3.1 Requirements in practice
3.2 Risk profile
3.3 OpenCRE
3.4 SecurityRAT
3.5 ASVS requirements
3.6 MAS requirements
3.7 SKF requirements

4 Design
4.1 Threat modeling
4.1.1 Threat modeling in practice
4.1.2 pytm
4.1.3 Threat Dragon
4.1.4 Cornucopia
4.1.5 LINDDUN GO
4.1.6 Threat Modeling toolkit
4.2 Web application checklist
4.2.1 Checklist: Define Security Requirements
4.2.2 Checklist: Leverage Security Frameworks and Libraries
4.2.3 Checklist: Secure Database Access
4.2.4 Checklist: Encode and Escape Data
4.2.5 Checklist: Validate All Inputs
4.2.6 Checklist: Implement Digital Identity
4.2.7 Checklist: Enforce Access Controls
4.2.8 Checklist: Protect Data Everywhere
4.2.9 Checklist: Implement Security Logging and Monitoring
4.2.10 Checklist: Handle all Errors and Exceptions
4.3 MAS checklist

5 Implementation
5.1 Documentation
5.1.1 Top 10 Proactive Controls
5.1.2 Go Secure Coding Practices
5.1.3 Cheatsheet Series
5.2 Dependencies
5.2.1 Dependency-Check
5.2.2 Dependency-Track
5.2.3 CycloneDX
5.3 Secure Libraries
5.3.1 ESAPI
5.3.2 CSRFGuard
5.3.3 OSHP
5.4 MASWE

6 Verification
6.1 Guides
6.1.1 WSTG
6.1.2 MASTG
6.1.3 ASVS
6.2 Tools
6.2.1 DAST tools
6.2.2 Amass
6.2.3 OWTF
6.2.4 Nettacker
6.2.5 OSHP verification
6.3 Frameworks
6.3.1 secureCodeBox
6.4 Vulnerability management
6.4.1 DefectDojo

7 Training and Education
7.1 Vulnerable Applications
7.1.1 Juice Shop
7.1.2 WebGoat
7.1.3 PyGoat
7.1.4 Security Shepherd
7.2 Secure Coding Dojo
7.3 SKF education
7.4 SamuraiWTF
7.5 OWASP Top 10 project
7.6 Mobile Top 10
7.7 API Top 10
7.8 WrongSecrets
7.9 OWASP Snakes and Ladders

8 Culture building and Process maturing
8.1 Security Culture
8.2 Security Champions
8.2.1 Security champions program
8.2.2 Security Champions Guide
8.2.3 Security Champions Playbook
8.3 SAMM
8.4 ASVS process
8.5 MAS process

9 Operations
9.1 DevSecOps Guideline
9.2 Coraza WAF
9.3 ModSecurity WAF
9.4 OWASP CRS

10 Metrics

11 Security gap analysis
11.1 Guides
11.1.1 SAMM gap analysis
11.1.2 ASVS gap analysis
11.1.3 MAS gap analysis
11.2 BLT

12 Appendices
12.1 Implementation Do’s and Don’ts
12.1.1 Container security
12.1.2 Secure coding
12.1.3 Cryptographic practices
12.1.4 Application spoofing
12.1.5 Content Security Policy (CSP)
12.1.6 Exception and error handling
12.1.7 File management
12.1.8 Memory management
12.2 Verification Do’s and Don’ts
12.2.1 Secure environment
12.2.2 System hardening
12.2.3 Open Source software