From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
OWASP Logo.png
FounderMark Curphey[1]
Type501(c)(3) Nonprofit organization
FocusWeb Security, Application Security, Vulnerability Assessment
MethodIndustry standards, Conferences, Workshops
Martin Knobloch, Chair; Owen Pendlebury, Vice-Chair; Sherif Mansour, Treasurer; Ofer Maor, Secretary; Chenxi Wang; Richard Greenberg; Gary Robinson
Key people
Mike McCamon, Interim Executive Director; Kelly Santalucia, Director of Corporate Support; Harold Blankendship, Director Projects and Technology; Dawn Aitken, Community Manager; Lisa Jones, Manager of Projects and Sponsorship; Matt Tesauro, Director of Community and Operations
Revenue (2017)
Decrease $2.3 million[2]
7 (2017)[3]
approx. 13,000 (2017)[3]

The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.[4][5]


Mark Curphey started OWASP on September 9, 2001.[1] Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. As of 2015, Matt Konda chaired the Board.[6]

The OWASP Foundation, a 501(c)(3) non-profit organization in the US established in 2004, supports the OWASP infrastructure and projects. Since 2011, OWASP is also registered as a non-profit organization in Belgium under the name of OWASP Europe VZW.[7]

Publications and resources[edit]

  • OWASP Top Ten: The "Top Ten", first published in 2003, is regularly updated.[8] It aims to raise awareness about application security by identifying some of the most critical risks facing organizations.[9][10][11] Many standards, books, tools, and organizations reference the Top 10 project, including MITRE, PCI DSS,[12] the Defense Information Systems Agency (DISA-STIG), the United States Federal Trade Commission (FTC),[13] and many[quantify] more.
  • OWASP Software Assurance Maturity Model: The Software Assurance Maturity Model (SAMM) project is committed to building a usable framework to help organizations formulate and implement a strategy for application security that is tailored to the specific business risks facing the organization.
  • OWASP Development Guide: The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.
  • OWASP Testing Guide: The OWASP Testing Guide includes a "best practice" penetration testing framework that users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. Version 4 was published in September 2014, with input from 60 individuals.[14]
  • OWASP Code Review Guide: The code review guide is currently at release version 2.0, released in July 2017.
  • OWASP Application Security Verification Standard (ASVS): A standard for performing application-level security verifications.[15]
  • OWASP XML Security Gateway (XSG) Evaluation Criteria Project.[16]
  • OWASP Top 10 Incident Response Guidance. This project provides a proactive approach to Incident Response planning. The intended audience of this document includes business owners to security engineers, developers, audit, program managers, law enforcement & legal council.[17]
  • OWASP ZAP Project: The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience including developers and functional testers who are new to penetration testing.
  • Webgoat: a deliberately insecure web application created by OWASP as a guide for secure programming practices.[1] Once downloaded, the application comes with a tutorial and a set of different lessons that instruct students how to exploit vulnerabilities with the intention of teaching them how to write code securely.
  • OWASP AppSec Pipeline: The Application Security (AppSec) Rugged DevOps Pipeline Project is a place to find information needed to increase the speed and automation of an application security program. AppSec Pipelines take the principles of DevOps and Lean and applies that to an application security program.[18]
  • OWASP Automated Threats to Web Applications: Published July 2015[19] - the OWASP Automated Threats to Web Applications Project aims to provide definitive information and other resources for architects, developers, testers and others to help defend against automated threats such as credential stuffing. The project outlines the top 20 automated threats as defined by OWASP.[20]


The OWASP organization received the 2014 Haymarket Media Group SC Magazine Editor's Choice award]].[5][21]

See also[edit]


  1. ^ a b c d Huseby, Sverre (2004). Innocent Code: A Security Wake-Up Call for Web Programmers. Wiley. p. 203. ISBN 0470857447.
  2. ^ "OWASP FOUNDATION INC". Nonprofit Explorer. ProPublica. Retrieved January 8, 2020.
  3. ^ a b "OWASP Foundation's Form 990 for fiscal year ending Dec. 2017". October 26, 2018. Retrieved January 8, 2020 – via ProPublica Nonprofit Explorer.
  4. ^ "OWASP top 10 vulnerabilities". developerWorks. IBM. April 20, 2015. Retrieved November 28, 2015.
  5. ^ a b "SC Magazine Awards 2014" (PDF). Media.scmagazine.com. Archived from the original (PDF) on September 22, 2014. Retrieved November 3, 2014.
  6. ^ Board Archived September 16, 2017, at the Wayback Machine. OWASP. Retrieved on 2015-02-27.
  7. ^ OWASP Europe, OWASP, 2016
  8. ^ OWASP Top Ten Project on owasp.org
  9. ^ Trevathan, Matt (October 1, 2015). "Seven Best Practices for Internet of Things". Database and Network Journal. Archived from the original on November 28, 2015. Retrieved November 28, 2015 – via  – via HighBeam (subscription required).
  10. ^ Crosman, Penny (July 24, 2015). "Leaky Bank Websites Let Clickjacking, Other Threats Seep In". American Banker. Archived from the original on November 28, 2015. Retrieved November 28, 2015 – via  – via HighBeam (subscription required).
  11. ^ Pauli, Darren (December 4, 2015). "Infosec bods rate app languages; find Java 'king', put PHP in bin". The Register. Retrieved December 4, 2015.
  12. ^ "Payment Card Industry (PCI) Data Security Standard" (PDF). PCI Security Standards Council. November 2013. p. 55. Retrieved December 3, 2015.
  13. ^ "Open Web Application Security Project Top 10 (OWASP Top 10)". Knowledge Database. Synopsys. Synopsys, Inc. 2017. Retrieved July 20, 2017. Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP Top 10 as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives.
  14. ^ Pauli, Darren (September 18, 2014). "Comprehensive guide to obliterating web apps published". The Register. Retrieved November 28, 2015.
  15. ^ Baar, Hans; Smulters, Andre; Hintzbergen, Juls; Hintzbergen, Kees (2015). Foundations of Information Security Based on ISO27001 and ISO27002 (3 ed.). Van Haren. p. 144. ISBN 9789401800129.
  16. ^ "Category:OWASP XML Security Gateway Evaluation Criteria Project Latest". Owasp.org. Archived from the original on November 3, 2014. Retrieved November 3, 2014.
  17. ^ "Archived copy". Archived from the original on April 6, 2019. Retrieved December 12, 2015.CS1 maint: archived copy as title (link)
  18. ^ "OWASP AppSec Pipeline". Open Web Application Security Project (OWASP). Retrieved February 26, 2017.
  19. ^ "AUTOMATED THREATS to Web applications" (PDF). OWASP. July 2015.
  20. ^ The list of automated threat events
  21. ^ "Winners | SC Magazine Awards". Awards.scmagazine.com. Archived from the original on August 20, 2014. Retrieved July 17, 2014. Editor's Choice [...] Winner: OWASP Foundation

External links[edit]