OWASP
The Open Web Application Security Project — a nonprofit foundation focused on improving software security through community-led open-source projects, tools, documentation, and standards. OWASP is best known for the OWASP Top 10 — a regularly updated list of the most critical web application security risks (including injection, broken authentication, XSS, and security misconfiguration). Other key projects include the OWASP Testing Guide, ASVS (Application Security Verification Standard), ZAP (Zed Attack Proxy), and the Mobile Security Testing Guide. OWASP resources are referenced across virtually every security certification and are the de facto standard for web application security assessments.
Why It Matters
In practice, OWASP is critical because its Top 10 list serves as the baseline standard for web application security, referenced by compliance frameworks, procurement requirements, and security testing methodologies worldwide. Organizations that fail to address OWASP Top 10 vulnerabilities in their applications face preventable breaches from well-known attack patterns that automated tools can discover and exploit. The 2021 OWASP Top 10 update elevated broken access control to the number one position and added new categories for insecure design and software supply chain failures, reflecting the evolving threat landscape. OWASP's free tools like ZAP provide enterprise-grade testing capabilities accessible to organizations of any size. On certification exams such as CEH, CSSLP, and Security+, expect questions about the current OWASP Top 10 categories, applying the OWASP Testing Guide methodology, using ASVS for security requirements, and understanding how OWASP resources integrate into secure development lifecycle practices.
Practice this topic
Test your knowledge of OWASP concepts with exam-style practice questions.
Related Application Security terms
SAST (Static Application Security Testing)
A testing methodology that analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program, often called 'white-box' testing. SAST tools scan codebases for patterns that match known vulnerability types such as SQL injection, XSS, buffer overflows, and hardcoded credentials. They integrate into CI/CD pipelines to catch issues early in the development lifecycle (shift-left security). Popular SAST tools include SonarQube, Checkmarx, Semgrep, and Fortify. SAST complements DAST (runtime testing) and is a fundamental practice in DevSecOps and secure SDLC, tested in CSSLP and DevSecOps certifications.
DAST (Dynamic Application Security Testing)
A testing methodology that analyzes running applications for vulnerabilities by simulating external attacks without access to source code, often called 'black-box' testing. DAST tools interact with the application through its interfaces (HTTP requests, APIs) to find issues like injection flaws, authentication problems, configuration errors, and sensitive data exposure. Unlike SAST, DAST finds runtime-specific issues but cannot pinpoint the exact line of vulnerable code. Popular DAST tools include OWASP ZAP, Burp Suite, Nikto, and Acunetix. DAST is used alongside SAST in a comprehensive application security program and is tested in CEH, OSCP, and DevSecOps certifications.
DevSecOps
An approach that integrates security practices within the DevOps process throughout the entire software development lifecycle, making security a shared responsibility rather than an afterthought. DevSecOps automates security testing at every stage: SAST in code commits, dependency scanning in builds, DAST in staging, infrastructure-as-code scanning, and container image scanning before deployment. Key principles include shift-left security, security as code, automated compliance checks, and continuous monitoring in production. Tools include GitHub Advanced Security, Snyk, HashiCorp Vault, and Falco. DevSecOps is increasingly tested in CISSP, CSSLP, and dedicated DevSecOps foundation certifications.
CSRF (Cross-Site Request Forgery)
An attack that forces authenticated users to submit unwanted requests to a web application where they are currently logged in, exploiting the trust that the site has in the user's browser. For example, an attacker could craft a link that transfers funds or changes account settings when clicked by a logged-in user. CSRF works because browsers automatically include session cookies with every request to a domain. Defenses include anti-CSRF tokens (synchronizer tokens), SameSite cookie attributes, checking the Origin/Referer headers, and requiring re-authentication for sensitive actions. CSRF is an OWASP Top 10 vulnerability and is tested in CEH, OSCP, and web application security certifications.