The OWASP Developer Guide provides an introduction to security concepts and a handy reference for application and system developers. This guide does not seek to replicate the many excellent sources on specific security topics; it rarely tries to go into detail on a subject and instead provides links for greater depth on these security topics. The content of the Developer Guide aims to be accessible, introducing practical security concepts and providing enough detail to get developers started on various OWASP tools and documents.
The intended audience of the Developer Guide is application developers working in various domains such as web, desktop, mobile, API and cloud.
Along with the OWASP Top Ten, the Developer Guide is one of the original resources published soon after OWASP was formed in 2001. Version 1.0 of the Developer Guide was released in 2002 and then there were various updates culminating in version 2.0 in 2005. After discussions and iterations throughout 2023 and 2024, the Developer Guide has now been updated for the modern security landscape using contributions from the wider application security community.
Periodically the draft version is tagged and the contents promoted to the release area of the Developer Guide. The draft version is a work in progress and is subject to large scale and frequent changes.
Contributions and suggestions are all welcome, we just ask that you follow our code of conduct and read the contributing guidelines which provide style and document structure suggestions. We also welcome new issues, changes via a pull request and discussions in the project wiki.
The easiest way to get in contact with the development community for this documentation project is via the OWASP Slack #project-developer-guide project channel (you may need to subscribe first).
OWASP Developer Guide: accessible security for developers
The OWASP Developer Guide is first and foremost a guide for development teams, and is intended to be a body of knowledge that these teams can draw on and should be familiar with. The Developer Guide is a community effort with a diverse and wide range of contributors from across the whole software security field. The Developer Guide does not seek to replicate the various projects and resources already available, such as OWASP ASVS or WSTG, but provides basic and medium level introductions to software security; referencing other projects for a more in depth or advanced treatment of the subjects.
There are various areas of the guide that need content; please contribute where you can. If you feel a section is missing then suggest changes to the structure in a feature request.
Be sure to follow our code of conduct and the contributing guidelines which provide style and document structure suggestions.
The OWASP Developer Guide is the original OWASP project. It was first published in 2002 under the title ‘A Guide to Building Secure Web Applications and Web Services’. Since then, the web has come a long way. Unfortunately, the original Developer Guide never really took off with the intended audience: developers. The original guide was more of a ‘how to perform a web application penetration test’, material now better covered in the OWASP Web Security Testing Guide.
The developer guide has gone through several iterations since then and is now at version 4.x . This version does not seek to be a comprehensive and authoritative text; rather think of it as a text-based Wayfinder Guide to security projects and salient concepts, or a bit like a ‘Lonely Planet’ guide to AppSec for developers.
Collected here are the previous versions of the OWASP Developer Guide that can still be accessed. OWASP has a podcast on The History of the OWASP Developer Guide which discusses the history and future of the project.
We are still looking for the original Word documents for versions 1.x (1.0, 1.1 and 1.1.1), if you have any of these then please get in touch.
The OWASP ® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, and LASCON are trademarks of the OWASP Foundation, Inc. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. Copyright 2024, OWASP Foundation, Inc.