Fantastic OWASP Projects and where to find them!

Posted on Jan 2, 2023

The OWASP Foundation has been one of the most valuable resources throughout my career in application security. Many people are first introduced to OWASP through the well-known Top 10 projects, whether for web, mobile, or API security, but there's a much larger ecosystem of projects and initiatives that often doesn't get the same spotlight. In this post, I want to highlight a collection of OWASP projects that have genuinely helped me grow, from hands-on remediation references to maturity models and cultural frameworks that support long-term security improvement.

These projects go beyond identifying risks: they help you understand how to fix vulnerabilities, guide developers toward secure coding practices, and build scalable application security programs within real-world engineering environments. If you're learning AppSec, building a program, or trying to influence developer adoption, these resources are well worth exploring.

Cheat Sheet Series

The Cheat Sheet Series provides detailed information on specific application security topics that align with the ASVS, MASVS, Proactive Controls, OWASP Top 10, and other resources. Recently, I've been using this project to educate developers about vulnerabilities and how to implement mitigations. If you're just starting out in security and learning about the OWASP Top 10, I highly recommend you check out the OWASP Top Ten 2021: Related Cheat Sheets.

Secure Headers Project

The OWASP Secure Headers Project (also known as OSHP) outlines HTTP response headers that can be used to increase the security of your application. It provides guidance on recommended HTTP security headers that can be leveraged, headers that should be removed, and much more.
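To make the two categories concrete, here is a small checker I wrote for this post (it is not code from OSHP itself) that parses a raw HTTP response and reports recommended headers that are missing, headers that should be removed, and a couple of weak values. The header lists are an abbreviated subset I assumed for the example; consult the project for the full, current recommendations.

```python
from typing import Dict, List

# Assumed, abbreviated subset of OSHP-recommended headers (not the full list).
RECOMMENDED = {
    "strict-transport-security", "x-content-type-options", "x-frame-options",
    "content-security-policy", "referrer-policy", "permissions-policy",
}
# Headers OSHP recommends removing because they leak implementation details.
TO_REMOVE = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
ONE_YEAR = 31536000  # seconds; common minimum max-age for HSTS


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response into {lower-cased name: value}."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return missing recommended headers, leaky headers to remove, and weak values."""
    present = {k.lower(): v for k, v in headers.items()}
    findings: Dict[str, List[str]] = {
        "missing": sorted(RECOMMENDED - present.keys()),
        "remove": sorted(TO_REMOVE & present.keys()),
        "weak": [],
    }
    for directive in present.get("strict-transport-security", "").split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit() and int(val) < ONE_YEAR:
            findings["weak"].append("strict-transport-security: max-age below one year")
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings["weak"].append("x-content-type-options: value should be 'nosniff'")
    return findings


# Constructed sample response for demonstration (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n"
    "Strict-Transport-Security: max-age=3600\r\nX-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)

if __name__ == "__main__":
    for kind, items in audit_headers(parse_response_headers(SAMPLE_RESPONSE)).items():
        print(f"{kind}: {items}")
```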

Application Security Verification Standard

The ASVS contains requirements that help the community prepare security requirements for application security testing or building web applications to ensure that necessary security controls are in place. There is also the MASVS for mobile applications.
I am currently reading the ASVS to learn about how to create application security requirements and turn them into user stories. To learn more about the project, I recommend checking out the project link and also these two talks:

Proactive Controls

The OWASP Proactive Controls can be used as a training guideline when teaching developers about secure coding practices and various application security controls. When paired with the ASVS and the Top 10 Web Application Security Risks, this can help developers understand the vulnerabilities, associated risks, and how to mitigate them.

Security Culture

When implementing or scaling a security program, culture plays an important role for the security team because it helps us influence the engineering teams to adopt security tools, processes, policies, etc. This documentation project discusses the importance and benefits of establishing a security culture when building an application security program. It covers various activities that should be performed at each stage of the SDLC to help create secure development practices. It also discusses topics such as Security Champions, Threat Modeling, Metrics, and more.

Software Assurance Maturity Model (SAMM)

The OWASP SAMM is a maturity model for software assurance that provides a measurable and effective way to analyze and improve the secure development lifecycle. It can be used as a guideline for starting or scaling a security program to decide which activities should be carried out and how to measure progress.

Application Security FAQ

This is not a project itself, but I have found the questions answered here to be helpful when teaching developers about application security. It answers many frequently asked questions. Here are a few examples:

  • What best practices should I remember while designing login pages?
  • Is it required to redirect the user to a new page after login?
  • How can my “Forgot Password” feature be exploited?
  • In “Forgot Password”, is it safe to display the old password?
  • I’m using stored procedures for authentication, am I vulnerable?
  • I’m using client-side JavaScript code for checking user input. Isn’t that enough?
  • Are Java servlets vulnerable to SQL injection?
  • Why can’t I trust the information coming from the browser?

OWASP Developer Guide

The OWASP Developer Guide provides an introduction to security concepts and a handy reference for application and system developers.

More details about the OWASP projects can be found here.

I plan to keep updating this list as I learn more. If you come across any projects that you think should be on this list and that I should check out, please let me know.