OWASP Developer Guide

Leverage Security Frameworks and Libraries Checklist

4.2.2 Checklist: Leverage Security Frameworks and Libraries

Secure coding libraries and software frameworks with embedded security help software developers guard against security-related design and implementation flaws.

Refer to proactive control C2: Leverage Security Frameworks and Libraries for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project.

Security Frameworks and Libraries

  • Ensure servers, frameworks and system components are running the latest approved versions and patches
  • Use libraries and frameworks from trusted sources that are actively maintained and widely used
  • Review all secondary applications and third party libraries to determine business necessity
  • Validate safe functionality for all secondary applications and third party libraries
  • Create and maintain an inventory catalog of all third party libraries using Software Composition Analysis (SCA)
  • Proactively keep all third party libraries and components up to date
  • Reduce the attack surface by encapsulating the library and expose only the required behaviour into your software
  • Use tested and approved managed code rather than creating new unmanaged code for common tasks
  • Utilize task specific built-in APIs to conduct operating system tasks
  • Do not allow the application to issue commands directly to the Operating System
  • Use checksums or hashes to verify the integrity of interpreted code, libraries, executables, and configuration files
  • Restrict users from generating new code or altering existing code
  • Implement safe updates using encrypted channels


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.