OWASP Developer Guide


6. Verification

Verification is one of the five business functions described by the OWASP Software Assurance Maturity Model (SAMM), alongside Governance, Design, Implementation and Operations.

Verification covers the processes and activities by which an organization checks and tests the artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it also covers other review and evaluation activities, for example assessing the architecture against the security requirements it is meant to satisfy.

Verification activities should include:

  • Architecture assessment, validation and mitigation
  • Requirements-driven testing
  • Security control verification and misuse/abuse testing
  • Automated security testing and baselining
  • Manual security testing and penetration testing

These activities are supported by:

  • Security guides
  • Test tools
  • Test frameworks
  • Vulnerability management
  • Checklists


6.1 Guides
6.1.1 Web Security Testing Guide
6.1.2 Mobile Application Security
6.1.3 Application Security Verification Standard
6.2 Tools
6.2.1 Zed Attack Proxy
6.2.2 Amass
6.2.3 Offensive Web Testing Framework
6.2.4 Nettacker
6.2.5 OWASP Secure Headers Project
6.3 Frameworks
6.3.1 secureCodeBox
6.4 Vulnerability management
6.4.1 DefectDojo
6.5 Do’s and Don’ts
6.5.1 Secure environment
6.5.2 System hardening
6.5.3 Open Source software

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.