The Open Web Application Security Project (OWASP) is an open community dedicated to finding and fighting the causes of insecure software. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.


OWASP is a new type of entity in the security market. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of security technology.

We advocate approaching application security as a people, process, and technology problem. The most effective approaches to application security include improvements in all of these areas.

Structure and Licensing

The OWASP Foundation is the not for profit (501c3) entity that provides the infrastructure for the OWASP community. The Foundation provides our servers and bandwidth, facilitates projects and chapters, and manages the worldwide OWASP AppSec Conferences.

All of the OWASP materials are available under an approved open source license. If you opt to become an OWASP member organization, can also use the commercial license that allows you to use, modify, and distribute all of the OWASP materials within your organization under a single license.

Participation and Membership

Everyone is welcome to participate in our forums, projects, chapters, and conferences. OWASP is a fantastic place to learn about application security, network, and even build your reputation as an expert. Many application security experts and companies participate in OWASP because the community establishes their credibility.

If you get value from the OWASP materials, please consider supporting our cause by becoming an OWASP member. All monies received by the OWASP Foundation go directly into supporting OWASP projects.


OWASP projects are broadly divided into two main categories, development projects, and documentation projects. Our documentation projects currently consist of:

  • The Guide – This document which provides detailed guidance on web application security.

  • Top Ten Most Critical Web Application Vulnerabilities – A high level document to help focus on the most critical issues.

  • Metrics – A project to define workable web application security metrics.

  • Legal – A project to help software buyers and sellers negotiate appropriate security in their contracts.

  • Testing Guide – A guide focused on effective web application security testing.

  • ISO17799 – Supporting documents for organizations performing ISO17799 reviews.

  • AppSec FAQ – Frequently asked questions and answers about application security.

Development projects include:

  • WebScarab - a web application vulnerability assessment suite including proxy tools

  • Validation Filters – (Stinger for J2EE, filters for PHP) generic security boundary filters that developers can use in their own applications

  • WebGoat - an interactive training and benchmarking tool that users can learn about web application security in a safe and legal environment

  • DotNet – a variety of tools for securing .NET environments.

Last updated