OWASP Developer Guide

Overview

OWASP Developer Guide

Developer Guide
Developer Guide
- Introduction
- Foundations
  Foundations
- Requirements
  Requirements
  - Overview
  - Requirements in practice
  - Risk profile
  - OpenCRE
  - SecurityRAT
  - ASVS
  - MAS
  - SKF
- Design
  Design
  - Overview
  - Threat modeling
    Threat modeling
    
    Overview
    
    Threat modeling in practice
    
    pytm
    
    Threat Dragon
    
    Cornucopia
    
    LINDDUN GO
    
    Threat Modeling toolkit
  - Web application checklist
    Web application checklist
    
    Overview
    
    Define Security Requirements
    
    Leverage Security Frameworks and Libraries
    
    Secure Database Access
    
    Encode and Escape Data
    
    Validate All Inputs
    
    Implement Digital Identity
    
    Enforce Access Controls
    
    Protect Data Everywhere
    
    Implement Security Logging and Monitoring
    
    Handle all Errors and Exceptions
  - MAS checklist
- Implementation
  Implementation
  - Overview
  - Documentation
    Documentation
    
    Overview
    
    Top 10 Proactive Controls
    
    Go Secure Coding Practices
    
    Cheatsheet Series
  - Dependencies
    Dependencies
    
    Overview
    
    Dependency-Check
    
    Dependency-Track
    
    CycloneDX
  - Secure Libraries
    Secure Libraries
    
    Overview
    
    ESAPI
    
    CSRFGuard
    
    OSHP
  - MASWE
- Verification
  Verification
  - Overview
  - Guides
    Guides
    
    Overview
    
    WSTG
    
    MASTG
    
    ASVS
  - Tools
    Tools
    
    Overview
    
    DAST tools
    
    Amass
    
    OWTF
    
    Nettacker
    
    OSHP verification
  - Frameworks
    Frameworks
    
    Overview
    
    secureCodeBox
  - Vulnerability management
    Vulnerability management
    
    Overview
    
    DefectDojo
- Training and Education
  Training and Education
  - Overview
  - Vulnerable Applications
    Vulnerable Applications
    
    Overview
    
    Juice Shop
    
    WebGoat
    
    PyGoat
    
    Security Shepherd
  - Secure Coding Dojo
  - SKF
  - SamuraiWTF
  - OWASP Top 10
  - Mobile Top 10
  - API Top 10
  - WrongSecrets
  - OWASP Snakes and Ladders
- Culture building and Process maturing
  Culture building and Process maturing
  - Overview
  - Security Culture
  - Security Champions
    Security Champions
    
    Overview
    
    Security champions program
    
    Security Champions Guide
    
    Security Champions Playbook
  - SAMM
  - ASVS
  - MAS
- Operations
  Operations
- Metrics
  Metrics
  - Overview
- Security gap analysis
  Security gap analysis
  - Overview
  - Guides
    Guides
    
    Overview
    
    SAMM
    
    ASVS
    
    MAS
  - BLT
- Appendices
  Appendices
  - Implementation Do's and Don'ts
    Implementation Do's and Don'ts
    
    Overview
    
    Container security
    
    Secure coding
    
    Cryptographic practices
    
    Application spoofing
    
    Content Security Policy (CSP)
    
    Exception and error handling
    
    File management
    
    Memory management
  - Verification Do's and Don'ts
    Verification Do's and Don'ts
    
    Overview
    
    Secure environment
    
    System hardening
    
    Open Source software
Guía del Desarrollador
Guía del Desarrollador
- Introducción
- Fundamentos
  Fundamentos
- Requisitos
  Requisitos
- Diseño
  Diseño
  - Descripción
  - Modelado de amenazas
    Modelado de amenazas
    
    Descripción
    
    Modelado de amenazas en la práctica
    
    pytm
    
    Threat Dragon
    
    Cornucopia
    
    LINDDUN GO
    
    Threat Modeling toolkit
  - Lista de verificación para aplicaciones web
    Lista de verificación para aplicaciones web
    
    Descripción
    
    Definir Requisitos de Seguridad
    
    Aprovechar Marcos y Bibliotecas de Seguridad
    
    Acceso Seguro a Bases de Datos
    
    Codificar y Escapar Datos
    
    Validar Todas las Entradas
    
    Implementar Identidad Digital
    
    Aplicar Controles de Acceso
    
    Proteger Datos en Todas Partes
    
    Implementar Registro y Monitoreo de Seguridad
    
    Manejar todos los Errores y Excepciones
  - Lista de verificación MAS
- Implementación
  Implementación
  - Descripción
  - Documentation
    Documentation
    
    Descripción
    
    Top 10 Proactive Controls
    
    Go Secure Coding Practices
    
    Cheatsheet Series
  - Dependencias
    Dependencias
    
    Descripción
    
    Dependency-Check
    
    Dependency-Track
    
    CycloneDX
  - Bibliotecas seguras
    Bibliotecas seguras
    
    Descripción
    
    ESAPI
    
    CSRFGuard
    
    OSHP
  - MASWE
- Verificación
  Verificación
  - Descripción
  - Guías
    Guías
    
    Descripción
    
    WSTG
    
    MASTG
    
    ASVS
  - Herramientas
    Herramientas
    
    Descripción
    
    DAST tools
    
    Amass
    
    OWTF
    
    Nettacker
    
    OSHP verification
  - Marcos de verificación
    Marcos de verificación
    
    Descripción
    
    secureCodeBox
  - Gestión de vulnerabilidades
    Gestión de vulnerabilidades
    
    Descripción
    
    DefectDojo
Guia de Desenvolvimento
Guia de Desenvolvimento
- Introdução
- Fundamentos
  Fundamentos
Get involved
Get involved

Overview

Developer guide logo

Verification is one of the business functions described by the OWASP SAMM. The verification activities are wide ranging, and will include:

Testing of security controls
Review of controls and security mechanisms
Evaluation and assessment of the security architecture
and others

Given the breadth of techniques and knowledge required, guides are an important resource for verification activities.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.