OWASP Application Security Curriculum


The OWASP Application Security Curriculum project has two initial goals and those are to provide educational, learning and training materials for:

  • Developers - in how to build secure products in a secure manner; and
  • Evaluators - in how to measure security in products (pen testers) and in secure software development lifecyles (SSDLC).

The project hopes to do that by building or collecting resources for learning and by providing training materials (presentations, hands-on tools, and teaching notes) based on key OWASP projects.

Awareness - OWASP Top 10

Everything begins with awareness and in application security everything begins with the OWASP Top 10 and rightly so. TO that end we have already created the ASC101 (or Application Security Curriculum Foundational course) and you can grab the Google Presentation materials here and leverage your OWASP Member benefit with SecureFlag here to work through the hands-on secure coding exercises.

Understanding - OWASP Cornucopia

Once development teams are aware of the top issues they might face in regard to application security they need to develop an understanding of the ways that they can avoid those pitfalls.

Enter OWASP Cornucopia… but why use Cornucopia? Well, it encourages secure-by-design thinking, for developers, and because it simplifies issues described in the Top 10, while making them more generically applicable.

It gives developers tangible abuse cases to consider while planning the next feature set and can be used to evaluate the system as a whole, or to focus on getting security non-functional requirements (NFR) sorted for the next sprint.

Play the game with your development teams and let them play it as often as they want to. A digital version of the game is available for free here, provided by one of this project’s sponsors (Secure Delivery)

Education - OWASP Application Security Verification Standard (ASVS) / Mobile

Now that your teams have an awareness of what they should be building for security we need to educate them in how they should build to successfully pass the OWASP standard for application security testing: The OWASP ASVS.

This is still work in progress, and we are actively looking for contributors to help us flesh this out. Review the video below if you are keen to hear about our progress.

On the pen testing side of things there is already a Crest certification called OVS that pen testers / pen testing companies can achieve that shows they understand how to test against the standard.

Ways of Working - OWASP Software Assurance Maturity Model (SAMM)

Once developers know how to build a secure thing, they need to understand how to do so in concert with others. The broader picture of this is the maturity level of the team performing all the security aspects of the greater SSDLC - and when we say SSDLC at OWASP, we mean OWASP SAMM.

Project Video Explanation

Grant Ongers - Scaling AppSec through Education - DEF CON 29 AppSec Village


Getting Involved

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. All of our projects ,tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

Everyone is welcome and encouraged to participate in our Projects, Local Chapters, Events, Online Groups, and Community Slack Channel. We especially encourage diversity in all our initiatives. OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to be become a member or consider a donation to support our ongoing work.