OWASP Security Knowledge Framework

OWASP Security Knowledge Framework

SKF Logo

Project status details:
Build Travis CI Master Join the chat at https://gitter.im/Security-Knowledge-Framework/Lobby Join the chat at https://owasp.slack.com/messages/C0F7L9X6V OWASP Flagship OSSF Working group: Best Practices for Open Source Developers

Quality testing:
Known Vulnerabilities Coverage Status Black Duck Security Risk Requirements Status

The OWASP Security Knowledge Framework is an open source web application that explains secure coding principles in multiple programming languages. The goal of OWASP-SKF is to help you learn and integrate security by design in your software development and build applications that are secure by design. OWASP-SKF does this through manageable software development projects with checklists (using OWASP-ASVS/OWASP-MASVS or custom security checklists) and labs to practice security verification (using SKF-Labs, OWASP Juice-shop, and best practice code examples from SKF and the OWASP-Cheatsheets).


Our experience taught us that the current level of security of web-applications is not sufficient enough to ensure security. This is mainly because web-developers simply aren’t aware of the risks and dangers that are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a framework in order to create a guide-system available for all developers so they can develop applications secure by design from the start.

SKF Features

SKF Flow


Glenn ten Cate

As a coder, hacker, speaker, trainer and security researcher employed at ING Belgium Glenn has over 15 years experience in the field of security. One of the founders of defensive development def[dev]eu a security training and conference series dedicated to helping you build and maintain secure software and also speaking at multiple other security conferences in the world. His goals is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

Glenn ten Cate LinkedIn

Riccardo ten Cate

As a penetration tester from the Netherlands employed at Zerocopter Riccardo specialises in web-application security and has extensive knowledge in securing web applications in multiple coding languages.

Riccardo ten Cate LinkedIn


Contributors have contributed quality content and are logged in the GitHub repository. A Big thank you for their effort!


  • Glenn ten Cate
  • Riccardo ten Cate
  • Mattijs van Ommeren
  • Alexander Kaasjager
  • John Haley
  • Daniel Paulus
  • Erik de Kuijper
  • Roderick Schaefer
  • Jim Manico
  • Martijn Gijsberti Hodenpijl
  • Bithin Alangot
  • Martin Knobloch
  • Adam Fisher
  • Tom Wirschell
  • Joerg Stephan
  • Simon Brakhane
  • Gerco Grandia
  • Ross Nanopoulos
  • Bob van den Heuvel
  • Mariano Jose Abdala
  • Ilguiz Latypov
  • Laurence Keijmel
  • Rick Mitchell (Kingthorin)
  • Xenofon Vassilakopoulos
  • Heeraj Nair
  • Alpha Kitonga
  • Wojciech Reguła
  • Amadeusz Starzykiewicz
  • Adam Zima
  • Kacper Madej
  • Rafał Fronczyk
  • Chang Xu (Neo)
  • Martin Marsicano
  • Priyanka Jain
  • Chandrasekar Karthickrajan
  • Leena Bhegade
  • Balazs Hambalko
  • Rudy Truyens
  • Giulio Comi
  • Aniket Surwade
  • Thiago Luiz Dimbarre
  • Harshant Sharma
  • Lucas Luitjes
  • Semen Rozhkov
  • Mehtab Zafar
  • Daniel Spilsbury
  • Akash M
  • Tess Sluijter
  • Xavier Rene-Corail
  • David Wheeler

Project FAQ

If you have any questions about OWASP-SKF or issues when using or deploying then please join us in the Gitter or Slack chats that we are active on: Join the chat at https://gitter.im/Security-Knowledge-Framework/Lobby Join the chat at https://owasp.slack.com/messages/C0F7L9X6V

Also for dropping feedback and discussing improvements we are happily to have a discussion about it!

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. As we have knowledge base items 300+ that can use some editing OWASP-SKF Knowledge base items