Running an AppSec Program with Open Source Projects
Vandana Verma Sehgal
About Me
❖ OWASP Global Board of Director
❖ President - InfosecGirls
❖ Award-winning Cybersecurity Professional
❖ Keynote Speaker, Inclusion Advocate
Personal interests: Reading Books, Teaching, Cooking and Travelling
Vandana Verma Sehgal
AppSec Framework
Threat Modeling
Vulnerability Testing
Training & Awareness
Knowledge Management
Source Code Review
Defect Tracking
Defensive controls
Software Component Analysis (SCA)
Requirement Gathering
Requirement Gathering
OWASP SecurityRAT
OWASP SecurityRAT (Requirement Automation Tool) is a tool that assists with addressing security requirements during application development. It simplifies security requirement management during development using automation approaches.
https://owasp.org/www-project-securityrat/
OWASP Security Knowledge Framework
SKF is an open source security knowledge base including manageable projects with checklists and best practice code examples in multiple programming languages, showing you how to prevent hackers gaining access and running exploits on your application.
https://owasp.org/www-project-security-knowledge-framework/
Threat Modeling
OWASP Threat Dragon
Threat Dragon is a tool used to create threat model diagrams, to record possible threats and to decide on their mitigations.
https://owasp.org/www-project-threat-dragon/
OWASP pytm
OWASP pytm: A Pythonic framework for threat modeling
Define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and, most important of all, threats to your system.
https://owasp.org/www-project-pytm/
Source Code Review
Source Code Review
Code Review Checklist
Guide for the security issues in the code and recommendations on how to fix them
https://owasp.org/www-project-code-review-guide/
OWASP Code Pulse
The OWASP Code Pulse Project is a tool that provides insight into the real-time code coverage of black box testing activities. It is a cross-platform desktop application that runs on most major platforms.
https://owasp.org/www-project-code-pulse/
Source Code Review
OWASP Cheat Sheet Series
The OWASP Cheat Sheet Series was created to provide a set of simple good practice guides for application developers and defenders to follow.
https://owasp.org/www-project-cheat-sheets/
OWASP Go Secure Coding Practices Guide
The main goal of this project is to help developers avoid common mistakes while, at the same time, learning a new programming language through a “hands-on approach”.
https://owasp.org/www-project-go-secure-coding-practices-guide/
Software Component Analysis (SCA)
Software Component Analysis (SCA)
OWASP Dependency-Check
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
https://owasp.org/www-project-dependency-check/
OWASP Dependency-Track
Dependency-Track is an intelligent Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components.
https://docs.dependencytrack.org
Vulnerability Testing
Web Application Testing
OWASP Web Security Testing Guide
The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
https://owasp.org/www-project-web-security-testing-guide/
OWASP API Security Project
This project is designed to address the ever-increasing number of organizations that are deploying potentially sensitive APIs as part of their software offerings.
https://owasp.org/www-project-api-security/
Mobile Apps Testing
Mobile Security Testing Guide
The MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers.
https://owasp.org/www-project-mobile-security-testing-guide/
Automated testing
OWASP ZAP
ZAP is an open-source web application security scanner. It is intended to be used both by those new to application security and by professional penetration testers.
https://owasp.org/www-project-zap/
OWASP Amass
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
https://github.com/OWASP/Amass
Defect Tracking
OWASP DefectDojo
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
https://owasp.org/www-project-defectdojo/
Defect Tracking
Defensive Controls
Defensive Controls
OWASP CSRFGuard
It’s a list of security techniques that should be included in every software development project.
https://owasp.org/www-project-csrfguard/
OWASP ModSecurity Core Rule Set
The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
https://owasp.org/www-project-modsecurity-core-rule-set/
Proactive Controls
Training & Awareness
OWASP WebGoat
OWASP WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.
https://owasp.org/www-project-webgoat/
OWASP Security Shepherd
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.
https://owasp.org/www-project-security-shepherd/
OWASP DevSlop
The OWASP DevSlop project contains several modules, all with the purpose of teaching participants about DevSecOps.
https://owasp.org/www-project-devslop/
OWASP Juice Shop
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
https://owasp.org/www-project-juice-shop/
Awareness – Web App
OWASP Top 10
The OWASP Top 10 is the reference standard for the most critical web application security risks.
https://owasp.org/www-project-top-ten/
OWASP Application Security Verification Standard
The ASVS Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
https://owasp.org/www-project-application-security-verification-standard/
Awareness
OWASP Mobile Top 10
The Mobile Top 10 is the reference standard for the most critical mobile application security risks.
https://owasp.org/www-project-mobile-top-10/
Mobile Application Security Verification Standard
The Mobile ASVS Project provides a basis for testing mobile application technical security controls and also provides developers with a list of requirements for secure development.
https://github.com/OWASP/owasp-masvs
Awareness
OWASP Top 10 Privacy Risks
Top 10 list for privacy risks in web applications and related countermeasures.
https://owasp.org/www-project-top-10-privacy-risks/
OWASP Automated Threats to Web Applications
It helps organizations better understand and respond to the notable worldwide increase of automated threats from bots.
https://owasp.org/www-project-automated-threats-to-web-applications/
Knowledge Management
Knowledge Management
OWASP Application Security Verification Standard
The ASVS Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
https://owasp.org/www-project-application-security-verification-standard/
OWASP Security Knowledge Framework
SKF is an open source security knowledge base including manageable projects with checklists and best practice code examples in multiple programming languages, showing you how to prevent hackers gaining access and running exploits on your application.
https://owasp.org/www-project-security-knowledge-framework/
Knowledge Management
OWASP Snakes And Ladders
Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.
https://owasp.org/www-project-snakes-and-ladders/
OWASP Cornucopia
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.
https://owasp.org/www-project-cornucopia/
AppSec Framework with Open Source (OWASP) Tools
• Code Review Guide
• Risk Assessment Framework
• Threat Dragon
• pytm
• SecurityRAT
• SKF
• ASVS
• SKF
• Snakes And Ladders
• Cornucopia
Training
• Mutillidae
• WebGoat
• Security Shepherd
• Juice Shop
• DevSlop
Awareness
• Web App Top 10
• Mobile Top 10
• Proactive Controls
• Automated Threats to Web Apps
• Top 10 Privacy Risks
• Web testing guide
• Mobile testing guide
• API Top 10
• ZAP
• DefectDojo
• ModSecurity Core Rule Set
• CSRFGuard
• Dependency-Track
• Dependency-Check
Phases: Source Code Review; Software Component Analysis (SCA); Threat Modeling; Vulnerability Testing; Defect Tracking; Defensive controls; Training & Awareness; Knowledge Management; Requirement Gathering
Running an AppSec program with Open Source Projects – Vandana Verma Sehgal
OWASP SAMM
Contribute
If you wish to contribute to the projects, or to suggest any improvements or changes, then please do so via the issue tracker on the GitHub repository.
1. Code contribution (add features, kill bugs)
2. Write test cases, help curate bug trackers
3. Create documentation, blogs, tutorials, videos, testimonials
4. Promote or discuss the tool in public
5. Suggest features / report bugs
6. Last but not least, help by donation / money
HOW DO WE MOVE FORWARD
Free places to learn AppSec
OWASP: https://www.owasp.org/
Your nearest local OWASP Chapter: https://owasp.org/chapters/
As a Community
If you look like you don’t belong, then buckle up, believe in yourself and engage with the technical community.
Leverage the many opportunities for scholarships, travel grants, meetup groups, networks and more.
Reach Me!
Twitter: @InfosecVandana
LinkedIn: vandana-verma
Email: vandana.infosec@gmail.com
Thank you!

Running an app sec program with OWASP projects_ Defcon AppSec Village
