🌐
OWASP Foundation
owasp.org › www-community › Free_for_Open_Source_Application_Security_Tools
Free for Open Source Application Security Tools | OWASP Foundation
Free for Open Source Application Security Tools on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
🌐
OWASP Foundation
owasp.org › www-project-web-security-testing-guide › v41 › 6-Appendix › A-Testing_Tools_Resource
Testing Tools Resource
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases.
Discussions

Open source Web application security scan tool

Check out the OWASP ZAP tool. It takes a lot of effort to get it running but should do what you need.

More on reddit.com
🌐 r/AskNetsec
6
3
March 12, 2022
How do Open-Source Tools/Frameworks like OWASP make money?
They don’t make money. They are non-profit orgs funded by donations from individuals, foundations, supported by volunteers, sponsored by companies and governments. (source: the “about us” page on every project or organization’s website) More on reddit.com
🌐 r/cybersecurity
4
0
February 24, 2024
Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone
How would one compare DepScan with say Mend (formerly whitesource) More on reddit.com
🌐 r/devsecops
4
12
December 5, 2023
OWASP ZAP - What is it, and how does it work?
In your experience, is cross site Scripting the main type of vulnerability you find with the OWASP Zap Scanner? Or have you found others as well? Btw, for those who want a basic understanding of cross site Scripting, you can go to the following link: https://www.smithsec.net/posts/basic-website-hacking-cross-site-scripting-xss More on reddit.com
🌐 r/netsecstudents
6
3
September 7, 2021
People also ask

How do False Positives from AppSec Tools Cause Burnout?
False positives force engineers to waste hours reviewing issues that won’t have a true impact. Over time, these conditions lead teams to ignore alerts, which raises the chance of missing a genuine vulnerability. OX Security lowers false positives and reduces the cycle of burnout by applying risk-based prioritization.
🌐
ox.security
ox.security › blog › top 10 application security testing tools (2026 edition)
Top 10 Application Security Testing Tools (2026 Edition) - OX Security
How can Organizations Mitigate Alert Fatigue in AppSec Testing?
Alert fatigue happens when teams receive too many irrelevant alerts. Mitigation strategies include tuning scanners to reduce false positives, rotating responsibilities, and balancing on-call workloads. OX Security directly addresses this issue by correlating results and surfacing only high-risk vulnerabilities.
🌐
ox.security
ox.security › blog › top 10 application security testing tools (2026 edition)
Top 10 Application Security Testing Tools (2026 Edition) - OX Security
How does Cloud Based Application Security Testing Work?
Cloud-based AppSec testing delivers SAST, DAST, IAST, or SCA capabilities through SaaS platforms. It avoids complex on-premise setups, scales with CI/CD pipelines, and keeps policies consistent across distributed teams. OX Security’s cloud-native model is built for large enterprises, offering risk-based triage and supply chain visibility.
🌐
ox.security
ox.security › blog › top 10 application security testing tools (2026 edition)
Top 10 Application Security Testing Tools (2026 Edition) - OX Security
🌐
OWASP Foundation
owasp.org › www-community › Vulnerability_Scanning_Tools
Vulnerability Scanning Tools | OWASP Foundation
Vulnerability Scanning Tools on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
🌐
StackHawk
stackhawk.com › stackhawk, inc. › tooling guides › owasp zap (zed attack proxy): everything you need to know
OWASP ZAP (Zed Attack Proxy): Everything You Need to Know
March 4, 2026 - ZAP (Zed Attack Proxy, also known as OWASP ZAP) is a popular free security tool designed to help identify security vulnerabilities in web applications. Actively maintained by an international team of volunteers, ZAP is widely used by developers, functional testers, and experienced penetration ...
🌐
HostedScan
hostedscan.com › owasp-vulnerability-scan
OWASP Online Scan - HostedScan Security
These scans test websites and web apps for OWASP Top 10 risks and more. ZAP is the industry-standard open-source dynamic application security testing tool trusted by security teams worldwide, covering SQL injection, XSS, and dozens of other vulnerability classes.
🌐
Orca Security
orca.security › home › 16 best open source application security tools 2026
Best 16 Open Source AppSec Tools for 2026 | Orca Security
2 weeks ago - Primary use cases: remediating vulnerable dependencies before deployment, enforcing compliance with OWASP Top 10 A06:2021 (Vulnerable and Outdated Components), and generating SBOMs for compliance reporting. It does not analyze proprietary code logic, runtime behavior, or cloud infrastructure configuration. Retire.js is an open-source SCA tool focused specifically on JavaScript components.
Find elsewhere
🌐
GitHub
github.com › owasp
OWASP · GitHub
9 hours ago - AI-powered Docker security scanner that explains vulnerabilities in plain English. An OWASP Lab Project.
🌐
Beagle Security
beaglesecurity.com › blog › article › best-owasp-security-testing-tools.html
The 6 best OWASP security testing tools in 2026
In 2026, the security tooling ecosystem spans dynamic analysis tools (DAST), static scanners (SAST), interactive testing (IAST), automated penetration testing engines, and full-fledged offensive security platforms.
🌐
OX Security
ox.security › blog › top 10 application security testing tools (2026 edition)
Top 10 Application Security Testing Tools (2026 Edition) - OX Security
May 14, 2026 - TLDR; Most teams prioritize infrastructure and cloud security, but 82% of known vulnerabilities actually originate in the application layer, making AppSec tools essential to use early in the pipeline. Legacy scanners flood teams with alerts, and most of it is noise that buries real risk.
🌐
Aikido
aikido.dev › home › articles › top owasp scanners in 2026 for web application security
Best OWASP Scanners in 2026 for Web App Security
June 1, 2026 - ... Snyk has become one of the best-known companies in the application security space, which can be both an advantage and a disadvantage. Tools necessary for OWASP scanning, such as SCA, SAST, and DAST are all available from Snyk and well-regarded ...
🌐
OWASP Foundation
owasp.org › www-community › Source_Code_Analysis_Tools
Source Code Analysis Tools | OWASP Foundation
Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws.
🌐
OWASP
mas.owasp.org › MASTG › tools
Testing Tools - OWASP Mobile Application Security
The OWASP MASTG includes many tools to assist you in executing test cases, allowing you to perform static analysis, dynamic analysis, network interception, etc. These tools are intended to help you perform your own assessments, rather than provide a conclusive result on the security status ...
🌐
GitHub
github.com › OWASP › Nettacker
GitHub - OWASP/Nettacker: Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management · GitHub
OWASP Nettacker is an open-source, Python-based automated penetration testing and information-gathering framework designed to help cyber security professionals and ethical hackers perform reconnaissance, vulnerability assessments, and network ...
Starred by 5.4K users
Forked by 1.1K users
Languages   Python 72.5% | CSS 17.9% | JavaScript 9.2%
🌐
OWASP
owasp.org › www-project-dependency-check
OWASP Dependency-Check | OWASP Foundation
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. The OWASP ...
🌐
OWASP Foundation
owasp.org › www-community › api_security_tools
API Security Tools | OWASP Foundation
| | | | AppSentinels platform helps developers build secure API's as well as helps security teams in protecting their Applications from OWASP and OWASP API attacks. Delivered from cloud as well as on-prem. Highly scalable architecture . Contact at [email protected] ... | | | | Note: Contrast performs vulnerability detection and runtime protection of APIs using an instrumentation-based approach ... | | | | Note: Command line tool that runs HTTP requests defined in a simple plain text format.
🌐
Bank of America
careers.bankofamerica.com › en-us › job-detail › 26014985 › svp-senior-offensive-security-professional-charlotte-north-carolina-united-states
Job ID:26014985 - SVP; Senior Offensive Security Professional - Charlotte, North Carolina
April 28, 2026 - Utilizing vulnerability assessment tools including Checkmarx, Burp, Invicti, SOAP UI, and penetration testing techniques for exploring, corelating & crafting successful exploits as part of the correlational effort pertaining to source code and ...
🌐
NIST
nist.gov › cyberframework
Cybersecurity Framework | NIST
November 12, 2013 - Helping organizations to better understand and improve their management of cybersecurity risk
🌐
SANS Institute
sans.org › cybersecurity training events › sans ai cybersecurity summit fall 2026
SANS AI Cybersecurity Summit Fall 2026 | Cybersecurity Training
Explore expert-driven guidance, training, and tools to help defend against AI-powered threats and adopt AI securely