OWASP - Security guidelines
References to the 10 most popular Open Worldwide Application Security Project publications and resources.
OWASP Open Worldwide Application Security Project
OWASP is an international non-profit organisation that develops open standards, guidelines and tools for secure software development. OWASP publications - the Top 10 risk lists, the Application Security Verification Standard (ASVS), the Software Assurance Maturity Model (SAMM) and the Web Security Testing Guide (WSTG) - are recognised as the industry reference material for integrating a secure development life cycle in accordance with the requirements of Article 21(2)(e) of the NIS2 Directive.
| Code | Name | Subject/application | Year | Source |
|---|---|---|---|---|
| Top 10:2021 | OWASP Top 10 - Web Application Security Risks | The generally accepted list of the ten most common web application security risks (Broken Access Control, Cryptographic Failures, Injection). Reference material for fulfilling the security requirements of Article 21(2)(e) of NIS2. | 2021 | Open |
| API Top 10:2023 | OWASP API Security Top 10 | API-specific security risk list - Broken Object Level Authorization (BOLA), broken authentication, excessive data exposure, lack of request rate limiting. Supports security assessment of microservice architectures. | 2023 | Open |
| Mobile Top 10:2024 | OWASP Mobile Application Security Top 10 | List of security risks for mobile applications - improper credential usage, insecure communication, insufficient cryptography. Directly applicable to Article 21(2)(h) of NIS2. | 2024 | Open |
| ASVS v4.0.3 | Application Security Verification Standard | Detailed security verification requirements for web applications - 286 requirements across three verification levels (L1 to L3). To be used as a benchmark for conformity assessment under Article 21(2)(f) of NIS2. | 2024 | Open |
| Cheat Sheet Series | OWASP Cheat Sheet Series | More than a hundred implementation guidelines for development teams - authentication, session management, XSS and SQL injection prevention. Technical reference for incorporating secure design requirements. | Updated | Open |
| SAMM v2 | Software Assurance Maturity Model | Maturity assessment model for secure software development in five business functions - Governance, Design, Implementation, Verification, Operations. Supports the systematic implementation of Article 21(2)(e) of NIS2. | 2024 | Open |
| WSTG v4.2 | Web Security Testing Guide | Manual penetration testing methodology with more than 100 test techniques and examples. To be used in conformity assessment activities under Article 21(2)(f) of NIS2. | 2024 | Open |
| ZAP | Zed Attack Proxy | An open source dynamic application security testing (DAST) scanner - automated and manual security checking of web applications in the verification phase of the development life cycle. | Updated | Open |
| Dependency-Check | OWASP Dependency-Check | Software Composition Analysis (SCA) tool for identifying known vulnerabilities in Java, Python and Node.js libraries, with CVE references. Supports supply chain risk management (Article 21(2)(d) of NIS2). | Updated | Open |
| Threat Dragon | OWASP Threat Dragon | Open source threat modelling tool with support for the STRIDE methodology and exportable reports. To be used at the design stage to identify and document risks. | Updated | Open |