|st||Builder, Breaker, Defender||OWASP SAMM||Proposed Project Status||Project Name||Project Type||Project License||OWASP Mailman Mailing List||Project Wiki Page||Project Leader(s) (if exists)||Project Leader Email(s) (if exists)||Project Description (if available)||Contains Quotes||Notes||Project Short Name||Project Short Name Length||Summary|
|1||D||OWASP Excess XSS Project||Tool||Creative Commons Attribution ShareAlike 3.0 License||None Created||https://www.owasp.org/index.php/OWASP_Excess_XSS_Project||Donator: Jakob Kallin||firstname.lastname@example.org||A comprehensive tutorial on cross-site scripting. Propagating practices in XSS prevention that OWASP wants to promote, such as terminology, libraries, and best practices. Its goal is to serve as a comprehensive introduction for developers unfamiliar with XSS, rather than as reference material like the current cheat sheets.||Project Donation: Endowments||http://excess-xss.com/|
|2||Builder||Construction||F||OWASP AntiSamy Project||Code||BSD License||owasp-antisamy||https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project||Arshan Dabirsiaghi||email@example.com||This is an API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.||antisamy||8||An API for validating rich HTML/CSS to prevent XSS/phishing attacks|
|3||Breaker||Verification||F||OWASP Application Security Verification Standard Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-application-security-verification-standard||https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project||Sahba Kazerooni, Daniel Cuthbert||firstname.lastname@example.org, email@example.com||The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigour available in the market when it comes to performing Web application security verification using a commercially-workable open standard.||asvs||4||A standard for conducting application security assessments|
|4||Breaker||Verification||F||OWASP Code Review Guide Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-codereview||https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project||Eoin Keary||firstname.lastname@example.org||The code review guide is currently at release version 1.1 and was the second best selling OWASP book in 2008. Much positive feedback has been received on this initial version, and we believe it is a key enabler for the OWASP fight against software insecurity.||codereview||10||A project to capture best practices for reviewing code|
|5||Other||Governance||F||OWASP Codes of Conduct||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-codes-of-conduct||https://www.owasp.org/index.php/OWASP_Codes_of_Conduct||Colin Watson||email@example.com||This project aims to create and maintain OWASP Codes of Conduct. In order to achieve our mission, OWASP needs to take advantage of every opportunity to affect software development everywhere. At the OWASP Summit 2011 in Portugal, the idea was created to try to influence educational institutions, government bodies, standards groups, and trade organizations. We set out to define a set of minimal requirements for these organizations specifying what we believe to be the most effective ways to support our mission. We call these requirements a "code of conduct" to imply that these are normative standards, that they represent a minimum baseline, and that they are not difficult to achieve.||codesofconduct||14||A set of guidelines for organizations to support the OWASP mission.|
|6||Builder||Construction||F||OWASP CSRFGuard Project||Code||BSD License||owasp-csrfguard||https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project||Eric Sheridan||firstname.lastname@example.org||Cross-Site Request Forgery (CSRF) is an attack whereby the victim is tricked into loading information from or submitting information to a web application for which they are currently authenticated. The problem is that the web application has no means of verifying the integrity of the request. The OWASP CSRFGuard Project attempts to address this issue through the use of unique request tokens.||csrfguard||9||A Java filter to add unique request tokens to mitigate CSRF attacks|
|7||Builder||Construction||F||OWASP Development Guide Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-guide||https://www.owasp.org/index.php/Category:OWASP_Guide_Project||Vishal Garg||email@example.com||The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. The Development Guide covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues.||dev-guide||9||A developer's guide covering web application and web service security|
|8||Builder||Construction||F||OWASP Enterprise Security API||Code||BSD License||esapi-users||https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API||Jeff Williams||firstname.lastname@example.org||ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.||esapi||5||A collection of security methods needed to build secure applications.|
|9||Builder||Construction||F||OWASP ModSecurity Core Rule Set Project||Code||Apache License V2.0||owasp-modsecurity-core-rule-set||https://www.owasp.org/index.php/Projects/OWASP_ModSecurity_Core_Rule_Set_Project||Ryan Barnett||Ryan.Barnett@owasp.org||ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extremely flexible and robust and has been referred to as the "Swiss Army Knife of web application firewalls." While this is certainly true, it doesn't do much implicitly on its own and requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS), which provides critical protections against attacks across almost every web architecture.||modsec-crs||10||A project to document and develop the ModSecurity Core Rule Set|
|10||Builder||Construction||F||OWASP Secure Coding Practices - Quick Reference Guide||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-secure-coding-practices||https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide||Keith Turpin||email@example.com||The Secure Coding Practices Quick Reference Guide is a technology agnostic set of general software security coding practices, in a comprehensive checklist format, that can be integrated into the development lifecycle. At only 17 pages long, it is easy to read and digest.||secure-coding||13||High level, technology agnostic reference for secure coding practices|
|11||Other||Governance||F||OWASP Software Assurance Maturity Model (SAMM)||Documentation||Creative Commons Attribution ShareAlike License V3.0||samm||https://www.owasp.org/index.php/Category:Software_Assurance_Maturity_Model||Seba, Kuai Hinojosa||Seba@owasp.org; firstname.lastname@example.org||This project is an open framework to help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.||opensamm||8||An open framework to help create a strategy for software security|
|12||Breaker||Verification||F||OWASP Testing Guide Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-testing||https://www.owasp.org/index.php/OWASP_Testing_Project||Matteo Meucci||email@example.com||The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.||testing-guide||13||A collection of application security testing procedures and checklists|
|13||Breaker||Verification||F||OWASP Top Ten Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-topten||https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project||Dave Wichers||firstname.lastname@example.org||The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.||top10||5||Explanation of the top ten web application security vulnerabilities|
|14||Breaker||Verification||F||OWASP Web Testing Environment Project||Tool||GNU General Public License version 3.0 (GPLv3)||web-testing-environment||https://www.owasp.org/index.php?title=OWASP_Web_Testing_Environment_Project||Matt Tesauro||email@example.com||This CD collects some of the best open source security projects in a single environment. Web developers, testers and security professionals can boot from this Live CD and have access to a full security testing suite.||Verify wiki page forwards correctly||wte||3||A collection of open source security projects in one environment|
|15||Breaker||Verification||F||OWASP WebGoat Project||Tool||GNU General Public License version 2.0 (GPLv2)||owasp-webgoat||https://www.owasp.org/index.php/Webgoat||Bruce Mayhew||firstname.lastname@example.org||The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.||webgoat||7||A Java training environment for learning about application security|
|16||Breaker||Verification||F||OWASP Zed Attack Proxy||Tool||Apache License V2.0||NONE||https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project||Psiinon||email@example.com||This project provides an easy to use integrated penetration testing tool for testing web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.||zap||3||An easy to use integrated proxy tool for testing web applications|
|17||Builder||Construction||I||OWASP Application Security Requirements Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-appsec-requirements||https://www.owasp.org/index.php/Category:OWASP_Application_Security_Requirements_Project||Luis Martinez Bacha||firstname.lastname@example.org||The intent of this project is to assemble a useful base of generic/common web application security requirements that could be used in most projects.||appsec-reqs||11||A set of generic web application security requirements|
|18||Other||I||OWASP Common Numbering Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-common-numbering||https://www.owasp.org/index.php/OWASP_Common_Numbering_Project||Dave Wichers||email@example.com||An exciting development: a new numbering scheme that will be common across OWASP Guides and References is being developed. The numbering is loosely based on the OWASP ASVS section and detailed requirement numbering. OWASP ASVS, Guide, and Reference project leads and contributors, as well as the OWASP leadership, plan to work together to develop numbering that would allow for easy mapping between OWASP Guides and References, and that would allow for a period of transition as Guides and References are updated to reflect the new numbering. This project will provide a centralized clearinghouse for mapping information.||commonnumbering||15||A common number scheme to refer to application security topics|
|19||Builder||Construction||I||OPA||Code||Affero GNU Public License||owasp-opa-project||https://www.owasp.org/index.php/Opa||Henri Binsztok,||Henri.Binsztok@mlstate.com, Adam.Koprowski@mlstate.com||Usher in a new generation of web development tools and methodologies.||opa||3||A language for writing distributed web applications|
|20||Breaker||Verification||I||OWASP Academy Portal Project||Tool||Unknown||NONE||https://www.owasp.org/index.php/OWASP_Academy_Portal_Project||Danny Harris, Filipe Lacerda||Danny (firstname.lastname@example.org), Felipe (email@example.com)||Creation of a portal to offer academic material in usable blocks, labs, videos and a forum.||academy-portal||14||A portal to offer academic material in usable blocks|
|21||Other||Governance||I||OWASP Application Security Assessment Standards Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-appsec-standards||https://www.owasp.org/index.php/Category:OWASP_Application_Security_Assessment_Standards_Project||Matteo Michelini||firstname.lastname@example.org||The Project's primary objective is to establish common, consistent standards for application security assessments that organizations can use as guidance on what tasks should be completed, how the tasks should be completed, who should be involved and what level of assessment is appropriate based on business requirements.||appsec-stds||11||A process for consistent methods for application security assessments|
|22||Builder||I||OWASP Application Security Skills Assessment||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-assa||https://www.owasp.org/index.php/OWASP_Application_Security_Skills_Assessment||Neil Smithline||Neil.Smithline@owasp.org||The OWASP Application Security Skills Assessment (OWASP ASSA) is an online multiple-choice quiz built to help individuals understand their strengths and weaknesses in specific application security skills with the aim of enabling them to focus their training in the most efficient and appropriate manner.||assa||4||A quiz to help develop application security skills|
|23||Breaker||Verification||I||OWASP ASIDE Project||Tool||Unknown||owasp-aside-project||https://www.owasp.org/index.php/OWASP_ASIDE_Project||Jing Xie, Bill Chu, John Melton||email@example.com, firstname.lastname@example.org, email@example.com||Assured Software Integrated Development Environment (ASIDE) is an Eclipse plugin primarily designed to help students write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs. ASIDE may be useful to professional developers as well.||aside||5||An Eclipse plugin designed to help students write more secure code|
|24||Other||I||OWASP Computer Based Training Project (OWASP CBT Project)||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-cbt||https://www.owasp.org/index.php/Category:OWASP_CBT_Project||Nishi Kumar||Nishi.Kumar@owasp.org||The goal of this project is to provide computer based training on OWASP security related initiatives. This project is intended to provide increased access of security training material, convenience and flexibility to learners. It will be self-paced and the learning sessions will be available 24x7. Learners will not be bound to a specific day/time to physically attend classes. They can also pause learning sessions at their convenience.||cbt||3||Computer-based training modules about OWASP and application security|
|25||Builder||Construction||I||OWASP Enterprise Application Security Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-eas||https://www.owasp.org/index.php/OWASP_Enterprise_Application_Security_Project||Alexander Polyakov||firstname.lastname@example.org||Enterprise application security is one of the major topics in the overall security area, because those applications control money and resources, and every security violation can result in a significant monetary loss. The purpose of this project is to make people aware of enterprise application security problems and to create a guideline for EA security assessment.||eas||3||Guidance about procurement and design of enterprise applications|
|26||Other||I||OWASP Exams Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-exams||https://www.owasp.org/index.php/OWASP_Exams_Project||Jason Taylor||email@example.com||The OWASP Exams project will establish the model by which the OWASP community can create and distribute CC-licensed exams for use by educators. The purpose of the exams is to improve the effectiveness of OWASP training through the use of exams as a means of measurement and student progress tracking. The project will include creation of a set of CC-licensed exams, a model for exam usage, and a roadmap for future exam creation.||exams||5||A set of exams and study aids about application security|
|27||Breaker||Verification||I||OWASP GoatDroid Project||Documentation||owasp-mobile-security-project||https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project||Jack Mannino||Jack@nvisiumsecurity.com||The OWASP GoatDroid Project is the Android equivalent to the iGoat Project. Inspired by WebGoat, this project will help educate Android developers on security issues they’ll encounter when writing applications.||goat-droid||10||An Android security training environment for developer education|
|28||Breaker||Verification||I||OWASP iGoat Project||Tool||GNU General Public License version 3.0 (GPLv3)||owasp-igoat-project||https://www.owasp.org/index.php/OWASP_iGoat_Project||Kenneth R. van Wyk||firstname.lastname@example.org||iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.||igoat-project||13||An iOS security training environment for developer education|
|29||Builder||Construction||I||OWASP Java Encoder Project||Code||BSD License||owasp-java-encoder-project||https://www.owasp.org/index.php/OWASP_Java_Encoder_Project||Jeff Ichnowski||email@example.com||This project is a simple-to-use drop-in encoder class with little baggage.||java-encoder||12||A drop-in high performance encoding library for Java|
|30||Breaker||Verification||I||OWASP Proxy Project||Tool||Creative Commons Attribution ShareAlike License V3.0||owasp-proxy-project||https://www.owasp.org/index.php/Category:OWASP_Proxy||Rogan Dawes||firstname.lastname@example.org||The OWASP Proxy aims to provide a high quality intercepting proxy library which can be used by developers who require this functionality in their own programs, rather than having to develop it all from scratch.||proxy||5||A library providing intercepting proxy functionality|
|31||Other||I||OWASP Request For Proposal||Documentation||Unknown||owasp-rfp-criteria||https://www.owasp.org/index.php/OWASP_RFP-Criteria||Tom Brennan||email@example.com||The purpose of this project is simply to provide an objective list and an aggregate set of questions for companies to utilize when they issue RFPs for web application security.||rfp-criteria||12||A guide for RFPs for security verification services|
|32||Other||Governance||I||OWASP Security Baseline Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-security-baseline-project||https://www.owasp.org/index.php/OWASP_Security_Baseline_Project||Marian Ventuneac||firstname.lastname@example.org||This project aims to benchmark the security of various enterprise security products/services against the OWASP Top 10 risks. By comprehensively assessing the security of enterprise products/services, the OWASP Security Baseline initiative will (eventually) lead to vendor-independent security certified solutions.||sec-baseline||12||A benchmark security analysis of enterprise products and services|
|33||Builder||I||OWASP Software Security Assurance Process||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-software-security-assurance-process||https://www.owasp.org/index.php/OWASP_Software_Security_Assurance_Process||Mateo Martinez||email@example.com||Outlines mandatory and recommended processes and practices to manage risks associated with applications. Software security is equally dependent on people, processes and technology. The effectiveness of the OWASP Software Security Process is continuously measured and improved through feedback, threat landscape changes, and the availability of new concepts and tools. It should be the framework to map Requirements, Dev and Testing guidelines, for example.||soft-sec||8||A set of recommended process and practices for software security|
|34||Breaker||Verification||I||OWASP WhatTheFuzz Project||Tool||BSD License||owasp-whatthefuzz-project||https://www.owasp.org/index.php/OWASP_WhatTheFuzz_Project#tab=Project_About||Joe Basirico||firstname.lastname@example.org||An easy to use, easy to get started fuzzer for websites.||whatthefuzz||11||A fuzzer for websites|
|35||Other||I||OWASP Web Application Security Accessibility Project||Documentation||Creative Commons Attribution ShareAlike License V3.0||owasp-accessibility-project||https://www.owasp.org/index.php/OWASP_Web_Application_Security_Accessibility_Project#tab=Project_About||Petr Závodský||email@example.com||Practice points to the fact that a seemingly secure web application does, in reality, protect the interests of only a specific group of users. The interests of a great number of users are protected only partially or not at all. This project will focus extensively on the issue of web application security accessibility.||accessiblity||12||Guidelines to increase the accessibility of web application security|
|36||Other||I||OWASP Java Project||java-project||https://www.owasp.org/index.php/Category:OWASP_Java_Project||Matthias Rohr||firstname.lastname@example.org||The OWASP Java Project's goal is to enable Java and J2EE developers to build secure applications efficiently.||This is an ecosystem/community||0|
|37||Other||I||OWASP Data Exchange Format Project||Document||Apache License V2.0||owasp-data-exchange-format||https://www.owasp.org/index.php/OWASP_Data_Exchange_Format_Project||Psiinon, Dinis Cruz||email@example.com, firstname.lastname@example.org||To define an open format for exchanging data between pentest tools.||data-exchange||13||An open format for exchanging data between pentest tools|
|38||Builder||Construction||I||OWASP Cheat Sheets Project||Document||Creative Commons Attribution ShareAlike License V3.0||owasp-cheat-sheets||https://www.owasp.org/index.php/Cheat_Sheets||Sherif Koussa, Jim Manico||email@example.com, firstname.lastname@example.org||This project was created to provide a concise collection of high value information on specific security topics.||cheat-sheets||12||A collection of cheat sheets about web application security topics|
|39||Breaker||Verification||I||OWASP Security Tools for Developers Project||Tool||Unknown||owasp-std||https://www.owasp.org/index.php/OWASP_Security_Tools_for_Developers_Project||Mark Curphey||email@example.com||Develop a reference implementation of open source tools integrated in an end to end development process. This will likely include a reference architecture, guidance and a reference implementation using open source tools.||sec-dev-tools||13||A platform to integrate security tools into the development process|
|40||Breaker||Verification||I||OWASP OVAL Content Project||Tool||Creative Commons Attribution ShareAlike License V3.0||owasp-oval-content||https://www.owasp.org/index.php/OWASP_OVAL_Content_Project||Gaurav Kumar||firstname.lastname@example.org||The purpose of this project is to create OVAL content to enable any OVAL-compatible tool to find security issues, which can be represented in a standard format.||oval-content||12||A set of standardized assessment documents in OVAL XML format|
|41||Breaker||Verification||I||OWASP NAXSI Project||Tool||GNU General Public License version 2.0 (GPLv2)||owasp-naxsi-project||https://www.owasp.org/index.php/OWASP_NAXSI_Project||Thibault "bui" Koechlin||email@example.com||This is an open source, high performance, low rules maintenance Web Application Firewall module for Nginx, the infamous web server and reverse proxy.||naxsi||5||A web application firewall module for Nginx|
|42||Breaker||Verification||I||OWASP Passw3rd Project||Tool||MIT License||owasp-passw3rd-project||https://www.owasp.org/index.php/OWASP_Passw3rd_Project||Neil Matatall||firstname.lastname@example.org||Store passwords in encrypted files with an easy to use command line interface, and utilities to use the passwords in code. In its simplest form, the keys are generated per environment with OS access controls while the password files are stored in SCM.||passw3rd||8||A tool to store encrypted passwords for programmatic use in code|
|43||Breaker||Verification||I||OWASP File Hash Repository||Tool||Apache License V2.0||https://www.owasp.org/index.php/OWASP_File_Hash_Repository||Lucas C. Ferreira||email@example.com||The goal of this project is to build a repository of hashes of executable and source files. This repository can then be queried by clients to determine the status of files based on their hashes. Some statuses are GOOD, MALWARE, SOURCE CHECKED, etc. This repository can consolidate several available sources (NIST, MHR, VirusTotal, etc.) and provide better query capabilities.||file-hash||9||A repository of file hashes to recognize known malware|
|44||Breaker||Verification||I||OWASP WebGoat.NET||Tool||GNU General Public License version 3.0 (GPLv3)||https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET||Jerry Hoff||firstname.lastname@example.org||WebGoat.NET is a purposefully broken ASP.NET web application. It contains many common vulnerabilities, and is intended for use in classroom environments.||webgoat-dotnet||14||An ASP.NET training environment for learning application security|
|45||Builder||Construction||I||OWASP Proactive Controls||Document||Creative Commons Attribution ShareAlike 3.0 License||email@example.com||https://www.owasp.org/index.php/OWASP_Proactive_Controls||Andrew van der Stock||firstname.lastname@example.org||A Top 10-like document, phrased in a positive, testable manner, that describes the Top 10 controls architects and developers should absolutely, 100% include in every project.||Formerly known as OWASP Top 10 Defenses|
|46||Builder||Construction||I||OWASP Passfault||Code Project||GNU LGPL v3||owasp_passfault||https://www.owasp.org/index.php/OWASP_Passfault||Cam Morris||email@example.com||Passfault evaluates password strength and enforces password policy. It identifies patterns in a password, then enumerates how many passwords fit within the identified patterns. This approach is more accurate and more intuitive. It allows administrators to know and control password risk, instead of hoping that users will create strong passwords.|
|47||Builder||Construction||I||OWASP OctoMS||Code Project||Creative Commons Attribution ShareAlike 3.0 License||owasp_octoms||https://www.owasp.org/index.php/OWASP_OctoMS||Valentino Radosavlevici||firstname.lastname@example.org||OctoMS is a free open-source PHP Framework designed on the MVC pattern that focuses on delivering useful debugging information and both offline & online documentation inside the application that is being developed, through an intuitive AJAX interface.|
|48||Breaker||Verification||I||OWASP OWTF||Tool||BSD License||owasp_owtf||https://www.owasp.org/index.php/OWASP_OWTF||Abraham Aranguren||Abraham.Aranguren@owasp.org||The Offensive (Web) Testing Framework is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient.|
|49||Other||I||OWASP Java/J2EE Secure Development Curriculum||Document Project||CC-BY 3.0||OWASP_Java_J2EE_Secure_Development_Curriculum||https://www.owasp.org/index.php/OWASP_Java_J2EE_Secure_Development_Curriculum||Dr. A. L. Gottlieb||email@example.com||The OWASP Java/J2EE software security curriculum is offered as prescriptive guidance for those wishing to educate themselves or others on how to secure Java/J2EE software development. Included are core education tracks based on job description and specialization tracks based on specific areas of software security. Course descriptions are provided as a point of reference for those wishing to know what content OWASP recommends.|
|50||Breaker||Verification||I||OWASP Path Traverser||Tool||Attribution-NonCommercial-NoDerivs 3.0 Unported (CC BY-NC-ND 3.0)||OWASP_Path_Traverser||https://www.owasp.org/index.php/OWASP_Path_Traverser||Tal Melamed||Tal.Melamed@owasp.org||Path Traverser is a tool for security testing of web applications. It simulates a real Path Traversal attack, only with actual existing files. It operates as a middleman between the web application and its host server, which gives the ability to test the actual files as found on the host server against the application, according to their relevant path. After you have provided the relevant details, Path Traverser will connect (FTP) to your host server in order to pull out the list of files. Then, it manipulates the list taken from the file system so it will fit the web application by changing their paths. If your application could be found at http://mysrvr:777/home and the application files could be found in the file system under myapps/demoapp/client/version/lastversion/, requests for files under /myapps/demoapp/client/version/1.1/ will be created as http://mysrvr:777/home/../1.1/ and requests for files under /myapp/differentapp/files/ will be created as http://mysrvr:777/home/../../../../differentapp/files/, etc. After that, the Path Traverser will start sending these requests one by one and log the results by the HTTP Response code selected. A configuration for excluding/including specific file types is available.|
|51||Breaker||Verification||I||OWASP Watiqay||Tool||GNU GPL v2||OWASP_Watiqay||https://www.owasp.org/index.php/OWASP_OWASP_Watiqay||Carlos Ganoza Plasencia||Carlos.Ganoza@owasp.org||Prevents layer 7 attacks on the various websites where the client service is running; it will have the capacity to restore the vulnerable websites and will have a continuous warning system in a personalized way.|
|52||Breaker||Verification||I||OWASP Security Shepherd||Tool||GNU GPL v3||OWASP_Security_Shepherd||https://www.owasp.org/index.php/Projects/OWASP_Security_Shepherd/Roadmap||Mark Denihan||Mark.Denihan@owasp.org||Security Shepherd is an in-depth security awareness project, designed with the aim of fostering security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills.|
|53||Breaker||Verification||I||OWASP Xenotix XSS Exploit Framework||Tool||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Xenotix_XSS_Exploit_Framework||https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework||Ajin Abraham||Ajin.Abraham@owasp.org||Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in Web Applications. This tool can inject code into a webpage which is vulnerable to XSS. It is basically a payload list based XSS Scanner. It provides a penetration tester the ability to test all the possible XSS payloads available in the payload list against a web application with ease. The tool supports both manual mode and automated time sharing based test modes. It includes an XSS encoder, a victim side keystroke logger, and an Executable Drive-by downloader.|
|54||Breaker||Verification||I||OWASP Mantra OS||Tool||Creative Commons Attribution ShareAlike 3.0 License||OWASP_Mantra_OS||https://www.owasp.org/index.php/OWASP_Mantra_OS||Gregory Disney||Gregory.Disney@owasp.org||Chromium OS is a safe, fast and secure sand-boxed OS. This makes it ideal to continue on the OWASP Mantra security toolkit project by completing it as an operating system.|
|55||Builder||Construction||I||OWASP AW00t||Code Project||GNU GPL v2||OWASP_AW00t||https://www.owasp.org/index.php/OWASP_AW00T||Nitin Arya||Nitin.Arya@owasp.org||It is an implementation of binary stubs, from basic ones to polymorphic code, that shows how viruses and malicious files keep themselves undetected by antivirus products. The generated stubs can be appended to any program. A new approach to AV evasion will also be shown, and special programs for hunting down signatures, extracting them and editing them for better use will be incorporated.|
|56||Breaker||Verification||I||OWASP XSSER||Tool||GNU GPL v3||OWASP_XSSER||https://www.owasp.org/index.php/OWASP_XSSER||Roberto Mérida||Roberto.Merida@owasp.org||Cross Site "Scripter" (XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options for trying to bypass certain filters, and various special code-injection techniques.|
|57||Breaker||Verification||I||OWASP University Challenge||Documentation||Creative Commons Attribution ShareAlike 3.0 License||OWASP_University_Challenge||https://www.owasp.org/index.php/OWASP_University_Challenge||Ivan Buetler, Mateo Martinez||Ivan (firstname.lastname@example.org), Mateo (Mateo.Martinez@owasp.org)||First organized at OWASP AppSec-US 2011 in Minneapolis, this project enables "attack & defend" challenges: first at OWASP AppSec conferences, later also outside AppSec conferences.|
|58||Breaker||Verification||I||OWASP Hacking-Lab||Documentation||Creative Commons Attribution ShareAlike 3.0 License||OWASP_Hacking_Lab||https://www.owasp.org/index.php/OWASP_Hacking_Lab||Ivan Buetler, Mateo Martinez||Ivan (email@example.com), Mateo (Mateo.Martinez@owasp.org)||The current OWASP Hacking-Lab challenge (https://www.hacking-lab.com/Remote_Sec_Lab/free-owasp-top10-lab.html) is a great success! Currently there is one challenge, the OWASP Top Ten, with 1164 registered users and more than 500 solutions sent in and verified by the OWASP teachers. The goal is to provide an open and transparent process for the challenges and the teachers, and to continuously extend the available challenges.|
|59||Builder||Construction||I||OWASP JSON Sanitizer||Code Library Project||Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)||OWASP_JSON_Sanitizer||https://www.owasp.org/index.php/OWASP_JSON_Sanitizer||Mike Samuel||firstname.lastname@example.org||"As described at http://code.google.com/p/json-sanitizer/: given JSON-like content, converts it to valid JSON. This can be attached at either end of a data pipeline to help satisfy Postel's principle: be conservative in what you do, be liberal in what you accept from others. Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use. Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML."|
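As an added illustration of what such a sanitizer does (this is example code written for this page, not the OWASP JSON Sanitizer's Java implementation), a small tokenizer-based coercer in Python. It handles only the common repairs the description alludes to: single-quoted strings, unquoted keys, trailing commas, and escaping `</` so the result can sit inside an HTML `<script>` block; anything it cannot turn into strict JSON is rejected rather than passed through.

```python
import ast
import json
import re

# Token grammar for "JSON-like" input: strict JSON plus the usual sloppiness
# (single-quoted strings, bare identifiers used as keys, trailing commas).
_TOKEN = re.compile(r"""
      (?P<ws>\s+)
    | (?P<dq>"(?:\\.|[^"\\])*")
    | (?P<sq>'(?:\\.|[^'\\])*')
    | (?P<num>-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)
    | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
    | (?P<punct>[{}\[\]:,])
""", re.VERBOSE)

_KEYWORDS = {"true", "false", "null"}


def sanitize(text):
    """Coerce JSON-like text into strict JSON, or raise ValueError.

    Repairs: single quotes -> double quotes, bare identifiers -> strings,
    trailing commas dropped, and "</" -> "<\\/" so that the output cannot
    terminate an enclosing HTML <script> element early. The result is
    parsed strictly before it is returned, so garbage is never passed on.
    """
    tokens = []
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unrecognised input at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        kind, value = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "sq":
            # Decode the single-quoted literal (ast.literal_eval evaluates
            # literals only, never code), then re-emit it as a JSON string.
            value = json.dumps(ast.literal_eval(value))
        elif kind == "ident" and value not in _KEYWORDS:
            value = json.dumps(value)       # bare identifier -> quoted string
        tokens.append(value)

    out = []
    for i, value in enumerate(tokens):
        following = tokens[i + 1] if i + 1 < len(tokens) else None
        if value == "," and following in ("}", "]"):
            continue                        # drop trailing comma
        out.append(value)
    result = "".join(out).replace("</", "<\\/")
    json.loads(result)                      # strict parse: refuse to return garbage
    return result


def parse_lenient(text):
    """Convenience: sanitize, then parse with the strict standard parser."""
    return json.loads(sanitize(text))
```

The `\/` escape is ordinary JSON, so a strict consumer decodes `<\/script>` back to `</script>`, while an HTML parser scanning the embedded text no longer sees a closing script tag.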
|60||Builder||Construction||I||OWASP PHPRBAC Project||Code Library Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_PHPRBAC||https://www.owasp.org/index.php/OWASP_PHPRBAC_Project||Abbas Naderi||email@example.com||PHPRBAC is a standard NIST Level 2 Hierarchical Role Based Access Control library for PHP. It allows maintainable function-level access control for enterprise and small applications, and even for frameworks. Since implementing NIST Level 2 Hierarchical RBAC is quite complicated, there are very few similar libraries and most of them do not adhere to standards. PHP RBAC is one of the fastest implementations (relying on a SQLite or MySQL backend) and has been tested in industry for more than three years.|
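An added example, not PHPRBAC's own code, of what "NIST Level 2 hierarchical RBAC" means in practice: a senior role inherits the permissions of the roles junior to it, so an access check has to walk the hierarchy rather than look at one role. The role names, permissions and users are constructed sample data, and the in-memory dictionaries stand in for the SQLite/MySQL tables a library like PHPRBAC keeps.

```python
from collections import deque


class HierarchicalRBAC:
    """Minimal NIST Level 2 (general hierarchical) RBAC.

    A senior role inherits, transitively, every permission assigned to the
    roles junior to it. Users are assigned roles, never permissions directly,
    and an access check asks whether any role reachable from the user's
    assignments carries the permission.
    """

    def __init__(self):
        self.juniors = {}      # role -> set of directly junior roles
        self.perms = {}        # role -> set of permissions assigned directly
        self.user_roles = {}   # user -> set of assigned roles

    def add_role(self, role, junior_to=()):
        """Create `role` (idempotent); each name in `junior_to` becomes a senior of it."""
        self.juniors.setdefault(role, set())
        self.perms.setdefault(role, set())
        for senior in junior_to:
            self.add_role(senior)
            # Refuse edges that would make the hierarchy cyclic; the check
            # runs before the edge is stored, so a rejected call changes nothing.
            if senior == role or self._reaches(role, senior):
                raise ValueError(f"role hierarchy cycle: {senior} would be junior to itself")
            self.juniors[senior].add(role)

    def grant(self, role, permission):
        if role not in self.perms:
            raise KeyError(f"unknown role {role!r}")
        self.perms[role].add(permission)

    def assign(self, user, role):
        if role not in self.perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def _reaches(self, start, target):
        """True if `target` is reachable from `start` by walking to juniors."""
        seen, queue = set(), deque([start])
        while queue:
            r = queue.popleft()
            if r == target:
                return True
            if r in seen:
                continue
            seen.add(r)
            queue.extend(self.juniors.get(r, ()))
        return False

    def effective_roles(self, user):
        """All roles the user holds, directly or by inheritance."""
        seen, queue = set(), deque(self.user_roles.get(user, ()))
        while queue:
            r = queue.popleft()
            if r in seen:
                continue
            seen.add(r)
            queue.extend(self.juniors.get(r, ()))
        return seen

    def check(self, user, permission):
        """The function-level access check: any effective role with the permission suffices."""
        return any(permission in self.perms[r] for r in self.effective_roles(user))


def build_example():
    """Constructed sample hierarchy: admin > editor > viewer."""
    rbac = HierarchicalRBAC()
    rbac.add_role("viewer")
    rbac.add_role("editor", junior_to=("admin",))
    rbac.add_role("viewer", junior_to=("editor",))
    rbac.grant("viewer", "article:read")
    rbac.grant("editor", "article:write")
    rbac.grant("admin", "article:delete")
    rbac.assign("alice", "admin")
    rbac.assign("bob", "editor")
    rbac.assign("carol", "viewer")
    return rbac
```

The cycle check matters more than it looks: a hierarchy with a cycle makes every role in the cycle equivalent, which silently grants the most junior role everything the senior ones have.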
|61||Builder||Construction||I||OWASP EJSF Project||Code Library Project||GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)||OWASP_EJSF_Project||https://www.owasp.org/index.php/OWASP_EJSF_Project||Prof. Dr. Benoist||firstname.lastname@example.org||Modern web application frameworks have made it easy to develop high-quality web applications, but developing a secure application still requires programmers to possess a deep understanding of security vulnerabilities and attacks; sometimes even an experienced developer finds it difficult to find and eliminate all the vulnerabilities. This demo presents the JSF-ESAPI framework, based on JSF 2.0 and OWASP ESAPI. It helps developers write a secure, lower-risk JSF-based web application with minimal configuration and without extensive prior knowledge of web security. The figure [JSF-ESAPI Complete Architecture] shows the complete integration of the JSF-ESAPI framework with JSF 2.0 and ESAPI. It works as middleware and consists of four modules. The first, ESAPI Validation, verifies user input as described in the OWASP XSS Prevention Cheat Sheet; it consists of many user-defined validator tags and generates appropriate error messages if the input is not valid, which gives strong validation. Tags are also available for the corresponding ESAPI validators, and these also filter XSS-relevant code from the input. The file-based authorization module defines the user's role, such as admin or user, and grants permission to see certain components at the presentation layer based on the assigned roles. The ESAPI filtering layer compares the form token with the tokens stored in the session for that user; if the token is missing or has been changed by a man in the middle during the request-response exchange, it raises the appropriate exception. The last module, the render module, renders the output after filtering XSS content and encodes the dangerous characters such as <, >, " and ' as given in the OWASP XSS Prevention Cheat Sheet. The framework helps developers prevent a myriad of security problems, including cross-site scripting and cross-site request forgery, and provides automatic input validation, automatic output validation (with escape="true" or without this parameter) and authorization, all in one framework: (1) it requires minimal configuration; (2) it retrofits security into an existing application; (3) it provides the same performance as the JSF framework; (4) XSS-vulnerable code is automatically filtered from output whether escape equals "true" or "false"; (5) input validation is easy and needs no additional coding; (6) it has a layered architecture: use what you need and leave out what you don't need at the moment; (7) one framework includes the most secure features.|
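Two of the modules described above, shown as an added example written for this page rather than EJSF's code: the output-encoding rule from the OWASP XSS Prevention Cheat Sheet for HTML element content (which also covers quoted attribute values, since both quote characters are encoded), and the session-bound form token that the filtering layer compares on every request. The session is modelled as a plain dict; that, and the function names, are this example's assumptions.

```python
import hmac
import secrets

# Rule 1 of the XSS Prevention Cheat Sheet: encode these six characters
# before inserting untrusted data into an HTML element's content.
_HTML_ESCAPES = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
}


def html_encode(untrusted):
    """Encode for HTML body context (and for quoted attribute values)."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in untrusted)


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it
    for embedding in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_csrf_token(session, submitted):
    """True only if the submitted field matches the session token.

    A missing session token (no form was issued) or a missing field fails
    closed; the constant-time compare avoids leaking how many leading bytes
    of a guess were right.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def render_form(session, action_url, fields):
    """Emit a form whose field values are encoded and which carries the token."""
    token = issue_csrf_token(session)
    rows = "".join(
        f'<input name="{html_encode(name)}" value="{html_encode(value)}">'
        for name, value in fields
    )
    return (f'<form method="post" action="{html_encode(action_url)}">'
            f'<input type="hidden" name="csrf_token" value="{token}">{rows}</form>')
```

On the request side the filter calls `check_csrf_token(session, request.form["csrf_token"])` before any state-changing handler runs and raises the framework's exception when it returns False, which is the behaviour the description attributes to the ESAPI filtering layer.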
|62||Builder||Construction||I||OWASP Barbarus||Code Library Project||GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)||OWASP_Barbarus||https://www.owasp.org/index.php/OWASP_Barbarus||Nebrass Lamouchi||Nebrass.Lamouchi@owasp.org||My project offers a new mechanism of authentication in web applications. This mechanism will be very easy and comfortable to use for the application's users and it will be very easy to integrate for the application developers.|
|63||Builder||Construction||I||OWASP Security Research and Development Framework||Code Project||GNU GPL v2||OWASP_Security_Research_and_Development_Framework||https://www.owasp.org/index.php/OWASP_Security_Research_and_Development_Framework||Amr Thabet||Amr.Thabet@owasp.org||This is a free, open-source development framework created to support writing security tools and malware analysis tools, and to turn security research and ideas from a theoretical approach into a practical implementation. The framework was created mainly to support the malware field: to make it easy to create malware analysis tools and anti-virus tools without reinventing the wheel, and to inspire innovative minds to write their research in this field and implement it using SRDF.|
|66||I||OWASP Secure Application Design Project||Document Project||Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)||OWASP_Secure_Application_Design||https://www.owasp.org/index.php/OWASP_Secure_Application_Design_Project||Ashish Rao||Ashish.Rao@owasp.org||Design-level flaws are a lesser-known concept, but their presence is a very big risk to applications. Such flaws are hard to find in static or dynamic application scans and instead require a deep understanding of the application's architecture and layout to uncover them manually. Design-level security is crucial and must be adopted at an early stage of application development to build a robust system. The aim of this project is therefore to impart secure design guidelines to application developers. It will highlight vulnerable areas in application designs through real-world examples and scenarios, touch on different aspects of design-level security, and explain the measures to be taken to prevent such flaws while designing applications. The guidelines will cover core design concepts applicable to any application, independent of the platform. Most of the design flaws will be discussed using sample code incorporated in an insecurely designed application. The project will also release a secure design checklist for reviewing application designs or threat modelling them.|
|67||Other||Governance||I||OWASP Periodic Table of Vulnerabilities||Documentation||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Periodic_Table_of_Vulnerabilities||https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities||James Landis||email@example.com||There are many anthologies of vulnerabilities and weaknesses (including CWE-25, TCv2 and the OWASP Top 10), but there is no attempt to classify these issues based on how they should best be solved. In the past we have tried to teach developers how to avoid introducing these problems, but the lesson of the buffer overflow suggests that the only way we will ever eliminate them is to make it impossible for developers to write vulnerable code at all. The periodic table classifies issues based on the most scalable solution, whether that lies in frameworks, perimeter technologies, custom code, or fixing the browsers and standards responsible.|
|68||Other||I||OWASP Application Security Awareness Top 10 E-learning Project||Documentation Project||AGPL 3.0 (prevents GPL's SaaS loophole)||OWASP_Application_Security_Awareness_Top_10_E-learning_Project||https://www.owasp.org/index.php/OWASP_Application_Security_Awareness_Top_10_E-learning_Project||Erez Metula||Erez.Metula@owasp.org||The Application Security E-Learning project has set itself the goal of delivering intuitive, concise and precise content on the fundamentals of secure application coding. Main target audience: programmers who wish to learn or review application security fundamentals.|
|69||Defender||Verification||I||WASC/OWASP Web Application Firewall Evaluation Criteria (WAFEC)||Documentation Project||Creative Commons Attribution License 2.5||https://www.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project||Ofer Shezaf||firstname.lastname@example.org||WAFEC provides interested parties, including users, vendors and third-party evaluators, with a tool to define, learn about and evaluate the suitability of different WAFs for their needs.|
|70||Construction||I||OWASP ESAPI Swingset Project||Documentation Project||BSD license||owasp-esapi-swingset||https://www.owasp.org/index.php/ESAPI_Swingset||Fabio Cerullo||Fabio.Cerullo@owasp.org||This is a web application that demonstrates common security vulnerabilities and asks users to secure the application against them using the ESAPI library. The application is intended for Java developers. Its goal is to teach developers about the functionality of the ESAPI library and give users a practical understanding of how it can be used to protect web applications against common security vulnerabilities.|
|71||Other||Construction||I||OWASP Press||Documentation Project||CC-BY-SA||owasp_press||https://www.owasp.org/index.php/OWASP_Press||Dennis||email@example.com||The OWASP Press is a pattern for massive community collaboration on OWASP documentation projects with just-in-time publication.|
|72||Other||Governance||I||OWASP CISO Survey||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_CISO_Survey||https://www.owasp.org/index.php/OWASP_CISO_Survey||Tobias Gondrom||firstname.lastname@example.org||CISO Survey and, later, the CISO Report on application and information security trends. Also provides input and data for the CISO Guide.|
|73||Defender||Governance||I||OWASP Application Security Guide For CISOs||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Application_Security_Guide_For_CISOs||https://www.owasp.org/index.php/OWASP_Application_Security_Guide_For_CISOs_Project||Marco Morana||Marco.email@example.com||The purpose of this document is to guide the CISO in managing application security from initial problem statement to delivery of the solution. We start this journey with the creation of the business cases for investing in application security following with the awareness of threats targeting applications, the identification of the economical impacts, the determination of a risk mitigation strategy, the prioritization of the mitigation of the risk of vulnerabilities, the selection of security control measures to mitigate risks, the adoption of secure software development processes and maturity models and we conclude this journey with the selection of metrics for reporting and managing application security risk. More info about this project can be found in the introductory page of the guide https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs|
|74||Other||I||OWASP Scada Security Project||Documentation Project||Apache 2.0 License (fewest restrictions, even allowing proprietary modifications and proprietary forks of your project)||OWASP_Scada_Security_Project||https://www.owasp.org/index.php/OWASP_Scada_Security_Project||Andrey Komarov||Andrey.Komarov@owasp.org||"The primary aim of the OWASP SCADA Security project is to gather information about the different ICS/SCADA security threats related to web applications and their environments, from the reconnaissance ("footprinting") stage to vulnerability exploitation; to make ICS/SCADA developers aware of security vulnerabilities by providing information about web application vulnerabilities found in the software and firmware of well-known vendors; and to create and publish freeware and open-source tools for ICS/SCADA security assessment, written in scripting languages."|
|75||Builder||Construction||I||OWASP Cornucopia||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Cornucopia||https://www.owasp.org/index.php/OWASP_Cornucopia||Colin Watson||Colin.Watson@owasp.org||Cornucopia is a card game used to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories. An edition for ecommerce websites exists and alternative versions are planned.|
|76||Breaker||Verification||I||OWASP SamuraiWTF||Tool||OWASP_SamuraiWTF_Project||https://www.owasp.org/index.php/OWASP_SamuraiWTF_Project||Kevin Johnson, Justin Searle||firstname.lastname@example.org, Justin.Searle@owasp.org||The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications.|
|77||Other||Verification||I||O-Saft||Tool||GNU GPL v2||O-Saft||https://www.owasp.org/index.php/O-Saft||Achim Hoffmann||email@example.com||This tool lists information about a remote target's SSL certificate and tests the remote target's SSL connection against a given list of ciphers and various SSL configurations. (Not part of the brief description, but to give the idea: the tool currently combines the functionality of some existing tools (sslscan, ssltest.pl, sslaudit.pl, sslyze, ...). It is prepared for more intensive tests; that's where I expect help from the community.)|
|78||Breaker||Verification||I||OWASP Crowdtesting||Tool||GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)||OWASP_Crowdtesting||https://www.owasp.org/index.php/OWASP_Crowdtesting||Thomas Kalamaris||Thomas.Kalamaris@owasp.org||The project will try to promote the idea of crowd-testing combined with crowd-sourcing capabilities. We suggest the creation of a dynamic team of security testers specialized in application security testing who can test online web applications upon request. The web applications will be defined as projects and the team of testers will start the security testing. The team will use the tools developed by the OWASP community, but using custom-made tools is highly encouraged. As a result the consumer will have either a proof of concept that their application complies with the OWASP principles of secure coding or a list of potential threats due to discovered security flaws. Currently application owners have access to this kind of security service via companies like Passbrains, uTest etc.|
|79||Breaker||Verification||I||OWASP OpenStack Security Project||Tool||OWASP_OpenStack_Security_Project||https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project||Matt Tesauro||firstname.lastname@example.org||The OWASP OpenStack Security Project is an effort to provide security testing techniques and tools to assess the security of the OpenStack code base. Generally speaking, the OpenStack community consists primarily of developers of OpenStack and of companies implementing all or parts of OpenStack. This project provides a bridge between the OpenStack community and the OWASP community of security professionals. The project leader is also a member of OpenStack and of the OpenStack Security Group. OpenStack aims to be the Linux of cloud infrastructure, and OWASP can be the community that ensures the security of that cloud.|
|80||Breaker||Verification||I||OWASP Desktop Goat and Top 5 Project||Tool||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Desktop_Goat_and_Top_5_Project||https://www.owasp.org/index.php/OWASP_Desktop_Goat_and_Top_5_Project||Gregory Disney||Gregory.Disney@owasp.org||OWASP Top 5: Desktop Vulnerabilities, a list of the top 5 vulnerabilities faced by desktop applications. Desktop Goat, a vulnerable desktop application to demonstrate those vulnerabilities in a learning environment.|
|81||Breaker||Verification||I||OWASP Bricks||Tool||OWASP_Bricks||https://www.owasp.org/index.php/OWASP_Bricks||Abhi M Balakrishnan||email@example.com||Bricks, a deliberately vulnerable web application built on PHP & MySQL, focuses on variations of commonly seen application security vulnerabilities & exploits, which can be exploited using tools (Mantra & ZAP). The mission is to 'break the bricks'.|
|82||Breaker||Verification||I||OWASP Dependency Check||Tool||OWASP_Dependency_Check||https://www.owasp.org/index.php/OWASP_Dependency_Check||Jeremy Long||firstname.lastname@example.org||DependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within a Java project's dependencies. It does this by determining whether there is a Common Platform Enumeration (CPE) identifier for a given dependency. If one is found, it generates a report linking to the associated CVE entries.|
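The matching step described above, as an added example (not Dependency Check's own code): each dependency is mapped to a CPE vendor:product identifier, and every vulnerability record for that CPE whose affected-version range contains the dependency's version becomes a finding. The CPE index, the vulnerability records (with placeholder SAMPLE-VULN ids rather than real CVEs) and the dependency list are constructed sample data, and the version comparator assumes purely numeric dotted versions.

```python
# Constructed evidence index: (group, artifact) -> CPE 2.3 prefix (vendor:product).
# Real scanners derive this from evidence such as pom.xml, manifest entries and
# jar names, which is exactly what makes identification fuzzy.
CPE_INDEX = {
    ("org.example", "widgetlib"): "cpe:2.3:a:example:widgetlib",
    ("com.acme", "parser"): "cpe:2.3:a:acme:parser",
}

# Constructed vulnerability records (placeholder ids, not real CVEs):
# "start" is inclusive, "end" is exclusive and names the fixed version.
VULN_DB = [
    {"id": "SAMPLE-VULN-1", "cpe": "cpe:2.3:a:example:widgetlib", "start": "1.0.0", "end": "1.4.2", "cvss": 7.5},
    {"id": "SAMPLE-VULN-2", "cpe": "cpe:2.3:a:acme:parser", "start": "2.0.0", "end": "2.0.9", "cvss": 9.8},
    {"id": "SAMPLE-VULN-3", "cpe": "cpe:2.3:a:acme:parser", "start": "2.1.0", "end": "2.2.0", "cvss": 5.3},
]

# Constructed dependency list as (group, artifact, version), as parsed from a build file.
DEPENDENCIES = [
    ("org.example", "widgetlib", "1.3.7"),
    ("org.example", "widgetlib", "1.4.2"),
    ("com.acme", "parser", "2.1.0"),
    ("net.unknown", "thing", "0.1"),
]


def version_key(version):
    """Order purely numeric dotted versions; "1.4" == "1.4.0".

    Assumption for this example: no qualifiers such as -beta or -SNAPSHOT.
    A production matcher needs a comparator that understands those.
    """
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def scan(dependencies, cpe_index=CPE_INDEX, vuln_db=VULN_DB):
    """Return (findings, unidentified), findings sorted by CVSS descending.

    findings: one dict per (dependency, matching record).
    unidentified: dependencies with no CPE evidence. These are not "clean";
    the scanner simply has nothing to look them up by, and a report that
    hides them overstates coverage.
    """
    findings, unidentified = [], []
    for group, artifact, version in dependencies:
        cpe = cpe_index.get((group, artifact))
        if cpe is None:
            unidentified.append((group, artifact, version))
            continue
        vkey = version_key(version)
        for rec in vuln_db:
            if rec["cpe"] != cpe:
                continue
            if version_key(rec["start"]) <= vkey < version_key(rec["end"]):
                findings.append({
                    "dependency": f"{group}:{artifact}:{version}",
                    "artifact": artifact,
                    "cpe": cpe,
                    "vuln": rec["id"],
                    "cvss": rec["cvss"],
                    "fixed_in": rec["end"],
                })
    findings.sort(key=lambda f: -f["cvss"])
    return findings, unidentified
```

The two classes of error a practitioner has to budget for both live in the first step: a wrong CPE match produces a false positive against a product the project never used, and a dependency with no CPE evidence produces silence rather than a clean bill.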
|83||Breaker||Verification||I||OWASP Hive Project||Tool||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Hive_Project||https://www.owasp.org/index.php/OWASP_Hive_Project||Jason Johnson||Jason.Johnson@owasp.org||We have a hive network that hosts a dashboard with the attitude of the hive and the Internet, using data mined from Twitter and others. Maybe we can incorporate tools like ZAP or any of the others into this. The thing is, we sell this not to make money but to establish a statistics- and data-rich network. The fact is it costs $35, with a case that has a WASP on it maybe a bit more. With the push for global security of our assets there is not a better time. I would not ask any other group but OWASP; this foundation is the smarts of the net. We can make something that is both supportive of our cause and a huge data-rich Internet HIVE, so that if it's kicked we know why.|
|84||Breaker||Verification||I||OWASP Droid Fusion||Tool||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Droid_Fusion||https://www.owasp.org/index.php/OWASP_Droid_Fusion||Nikhalesh Singh Bhadoria||Nikhalesh.Singh@owasp.org||Droid Fusion is a platform for Android or any other mobile for doing malware analysis, development, application pentesting and forensics. You can use it in any mobile security research, and if you have Droid Fusion you don't need to worry about finding tools. There are more than 60 tools and scripts, and it is free.|
|85||Breaker||Verification||I||OWASP iSABEL Proxy Server||Tool||OWASP_iSABEL_Proxy_Server||https://www.owasp.org/index.php/OWASP_iSABEL_Proxy_Server||Eurojee Jarina||Eurojee.Jarina@owasp.org||Recent research from leading network security solution providers shows that traditional firewalls focus their security mainly on ports and protocols, i.e. the packet headers, and not on the actual data content, the packet payload. Packet headers contain only basic information such as source and destination address, which is very unreliable when it comes to identifying potential threats, attacks and malicious traffic. The idea of the project is to gain a deeper knowledge of securing web applications from the threats and attacks coming from external sources; this can be achieved by developing intermediary software that runs between the client and the server. This intermediary software will be a proxy server implemented at layer 7 (Application) of the OSI model (Open Systems Interconnection). Its function is to accept network traffic from the different clients trying to access resources on the web server; once a client has successfully established a connection, the proxy inspects all incoming network packets from that client for malicious parameters and files such as viruses, worms and trojans.|
|86||Builder||I||OWASP Top 10 Fuer Entwickler||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Top_10_Fuer_Entwickler||https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project||Torsten Gigler||email@example.com||Top 10 fuer Entwickler (Top 10 Developer Edition in German). The objective of the project is to add Good Practices (like the Cheat Sheets) to the OWASP Top 10. Its aim is to bridge the gap between awareness and theoretical knowledge on the one hand and the effective know-how to build good programs on the other. It is written in German to make it easier for German developers to use; we will take care to make migration to other languages easy.|
|87||I||OWASP Rails Goat Project||Tool||OWASP_Rails_Goat||https://www.owasp.org/index.php/OWASP_Rails_Goat_Project||Ken Johnson||Ken.Johnson@owasp.org||This is a Rails application which is vulnerable to the OWASP Top 10. It is intended to show how each of these categories of vulnerabilities can manifest themselves in a Rails-specific way as well as provide the subsequent mitigations for each.|
|88||I||OWASP Good Component Practices Project||Documentation Project||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_Good_Component_Practices_Project||https://www.owasp.org/index.php/OWASP_Good_Component_Practices_Project||Mark Miller||firstname.lastname@example.org; email@example.com||Good component practice is one of the most overlooked silver bullets in the open-source arsenal. Because of business pressure, we have found that companies are willing to risk using unverified open-source components, trading off security for enhanced speed of development. This project will use community input to document an industry-acceptable process for the creation, maintenance and use of open-source components.|
|89||I||OWASP Bywaf Project||Tool||OWASP_Bywaf_Project||https://www.owasp.org/index.php/OWASP_Bywaf_Project||Rafael Gil Larios||firstname.lastname@example.org||Develop an application that speeds up an auditor's work when performing a PenTest; its main function is to "detect, evade and return a result (vulnerability)", using known code-injection methods and others developed by the team members over the course of their professional careers.|
|90||I||OWASP S.T.I.N.G Project||Tool||MIT License||OWASP_S.T.I.N.G_Project||https://www.owasp.org/index.php/OWASP_S.T.I.N.G_Project||Lutz Wischmann||email@example.com; Lutz.Wischmann@owasp.org||OWASP S.T.I.N.G is a tool for creating project-specific security/privacy requirement catalogues by selecting from a huge set of potential requirements, policies or best practices. It acts as a kind of questionnaire and generates a list of requirements and/or policies that are relevant to the project's context. Security Requirements Management Questionnaire Repository; filter set and rules for policies, standards, guidelines and procedures; context: a tool within an Information Security Policy Framework.|
|91||I||OWASP Web Application Security Quick Reference Guide Project||Documentation||GNU AGPL v3 License (similar to GPL but modified for use with web applications and web interfaces)||OWASP_Web_Application_Security_Quick_Reference_Guide_Project||https://www.owasp.org/index.php/OWASP_Web_Application_Security_Quick_Reference_Guide_Project||Marek Zmyslowski||firstname.lastname@example.org||This will be a simple checklist for web applications. The unique feature of this project is that every check is simple and can be verified by a particular test case. It is simple but, from my experience, can be very informative and useful for testers and coders.|
|92||I||OWASP Application Fuzzing Framework Project||Tool||OWASP_Application_Fuzzing_Framework_Project||https://www.owasp.org/index.php/OWASP_Application_Fuzzing_Framework_Project||Marek Zmyslowski||email@example.com||The framework will be used to fuzz applications in the Windows environment. It will have a couple of modules; the two main modules will be for file fuzzing and DLL fuzzing. A very wide range of configuration options will allow many fuzzing possibilities.|
|93||I||OWASP iMAS - iOS Mobile Application Security Project||Code||OWASP_iMAS_iOS_Mobile_Application_Security_Project||https://www.owasp.org/index.php/OWASP_iMAS_iOS_Mobile_Application_Security_Project||Gregg Ganley||firstname.lastname@example.org, Gregg.Ganley@owasp.org||iMAS is an iOS secure application framework to reduce iOS application vulnerabilities and information loss. iMAS and its first open-source static security controls are available for download and use in iOS applications; visit and browse the project to find out more, download it and give it a try, then tell us what you think or, better yet, get involved and participate. iMAS is a collaborative research project from the MITRE Corporation focused on open-source iOS security controls. Today iOS meets the enterprise security needs of customers; however, many security experts cite critical vulnerabilities and have demonstrated exploits, which pushes enterprises to augment iOS deployments with commercial solutions. The intent of iMAS is to protect iOS applications and data beyond the Apple-provided security model and to reduce the adversary's ability and efficiency to perform reconnaissance, exploitation, control and execution on iOS mobile applications. iMAS will transform the effectiveness of the existing iOS security model across major vulnerability areas including the system passcode, jailbreak, debugger/run-time, flash storage and the system keychain. Research outcomes include an open-source secure application framework, including an application container, and developer and validation tools/techniques.|
|94||I||OWASP VaultDB Project||Tool||Modified BSD, 3-clause License (we recommend you consider Apache 2.0 instead of this license; it is more up-to-date and provides a little more protection from software patent lawsuits)||OWASP_VaultDB_Project||https://www.owasp.org/index.php/OWASP_VaultDB_Project||Maxime Labelle||Maxime.Labelle@owasp.org, email@example.com||NoSQL crypto proxy for modern DBMS and web applications. Supports multi-recipient and group encryption. Loaded with a strong RSA/AES cryptosystem. Scytale sits between your web application and your favorite DBMS and performs encryption and decryption of your web application data. Scytale stores the encrypted data inside your preferred DBMS for storage. Its design is secure, well planned and made to provide developers with a solid method for integrating strong cryptography inside web applications using NoSQL-like|
|95||I||OWASP WS-Amplification DoS Project||Tool||OWASP_WS_Amplification_DoS_Project||https://www.owasp.org/index.php/OWASP_WS_Amplification_DoS_Project||Thomas Vissers||Thomas.Vissers@owasp.org||The project aims to explore the threat of an amplification DoS attack that utilises web services. Currently, DNS servers are widely misused to amplify DoS traffic; this is called a DNS amplification or reflection attack (read more in this article: http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack). It appears that SOAP web services that implement WS-Addressing might be vulnerable to similar abuse (http://www.fim.uni-passau.de/fileadmin/files/lehrstuhl/meer/publications/pdf/Jensen2009a.pdf). The aim of the project is to develop tools to test for this vulnerability and to determine the magnitude of the threat on a global scale. If necessary, a publication covering awareness and countermeasures will follow.|
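A server-side check for the abuse the project sets out to measure, written as an added example for this page (not the project's tooling): a SOAP request whose WS-Addressing ReplyTo or FaultTo names a third party would make the service deliver its larger response to a host that never asked for it, which is the same reflection-plus-amplification pattern as DNS amplification. The envelopes and the response are constructed samples using documentation IP ranges; the SOAP and WS-Addressing namespaces are the real ones, while the acceptance policy (only the anonymous address or the caller's own IP) is this example's choice.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSA_NS = "http://www.w3.org/2005/08/addressing"        # WS-Addressing 1.0
WSA_ANONYMOUS = WSA_NS + "/anonymous"                   # "reply on this connection"
SOAP_NAMESPACES = (
    "http://www.w3.org/2003/05/soap-envelope",          # SOAP 1.2
    "http://schemas.xmlsoap.org/soap/envelope/",        # SOAP 1.1
)


def header_address(envelope, header):
    """Return the wsa:Address text under <wsa:ReplyTo> or <wsa:FaultTo>, or None."""
    root = ET.fromstring(envelope)
    for soap_ns in SOAP_NAMESPACES:
        node = root.find(f"{{{soap_ns}}}Header/{{{WSA_NS}}}{header}/{{{WSA_NS}}}Address")
        if node is not None and node.text:
            return node.text.strip()
    return None


def reflection_verdict(envelope, peer_ip):
    """Decide whether to process a request. Returns (decision, header, target).

    A ReplyTo/FaultTo naming a third party turns this service into a
    reflector: the attacker pays for a small request and the named host
    receives the full response. Only the anonymous address (respond on the
    same connection) or the caller's own IP is accepted.
    """
    for header in ("ReplyTo", "FaultTo"):
        target = header_address(envelope, header)
        if target is None or target == WSA_ANONYMOUS:
            continue
        if urlparse(target).hostname != peer_ip:
            return ("reject", header, target)
    return ("accept", None, None)


def amplification_factor(request, response):
    """Bytes the reflection target receives per byte the attacker sends."""
    return len(response) / len(request)


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
REFLECTED_REQUEST = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <wsa:Action>urn:example:GetReport</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://203.0.113.9:8080/sink</wsa:Address></wsa:ReplyTo>
  </s:Header>
  <s:Body><GetReport xmlns="urn:example"/></s:Body>
</s:Envelope>"""

NORMAL_REQUEST = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <wsa:Action>urn:example:GetReport</wsa:Action>
    <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>
  </s:Header>
  <s:Body><GetReport xmlns="urn:example"/></s:Body>
</s:Envelope>"""

# What the service would have sent to the ReplyTo address: a large report.
SAMPLE_RESPONSE = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
                   '<GetReportResponse xmlns="urn:example">' + "<row>record</row>" * 400
                   + "</GetReportResponse></s:Body></s:Envelope>")
```

The amplification factor of a given operation is the number the project's global measurement is after: an operation whose response is twenty times the request is twenty times more useful to an attacker than a plain flood, and it is the operations with large responses, not the service as a whole, that need the ReplyTo restriction most.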
|96||I||OWASP Mutillidae 2 Project||Tool||OWASP_Mutillidae_2_Project||https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project||Jeremy Druin||Jeremy.Druin@owasp.org||NOWASP (Mutillidae) is a free, open-source, deliberately vulnerable web application providing a target for web-security enthusiasts. NOWASP (Mutillidae) can be installed on Linux and Windows using LAMP, WAMP and XAMPP for users who do not want to administer a web server. It is pre-installed on SamuraiWTF, Rapid7 Metasploitable-2 and OWASP BWA, and the existing version can be updated on pre-installed platforms. With dozens of vulnerabilities and hints to help the user, this is an easy-to-use web hacking environment designed for labs, security enthusiasts, classrooms, CTFs and as a target for vulnerability assessment tools. Mutillidae has been used in graduate security courses, corporate web security training courses, and as an "assess the assessor" target for vulnerability assessment software.|
|97||I||OWASP Skanda - SSRF Exploitation Framework||Tool||OWASP_Skanda_SSRF_Exploitation_Framework||https://www.owasp.org/index.php/OWASP_Skanda_SSRF_Exploitation_Framework||Jayesh Singh Chauhan||Jayesh.Singh@owasp.org||Skanda is an SSRF vulnerability exploitation framework. The current version performs a Cross Site Port Attack on a vulnerable application and discovers open ports. Future versions will perform advanced attacks like network host discovery, service discovery, and service-level vulnerability detection and exploitation through SSRF.|
|98||I||OWASP RBAC Project||Code||OWASP_RBAC_Project||https://www.owasp.org/index.php/OWASP_RBAC_Project||Abbas Naderi||firstname.lastname@example.org||The RBAC project aims to port and promote standard NIST Level 2 RBAC implementations; currently the PHP version is available as a separate project.|
|99||I||OWASP PHP Security Project||Code||Creative Commons Attribution ShareAlike 3.0 License (best for documentation projects)||OWASP_PHP_Security_Project||https://www.owasp.org/index.php/OWASP_PHP_Security_Project||Abbas Naderi||Abbas.Naderi@owasp.org||The OWASP PHP Security project plans to gather secure PHP libraries and provide a full-featured set of libraries for secure web applications in PHP, both as separate, decoupled libraries and as a whole secure web application framework. Many aspects of this project are already handled and are being added to OWASP.|