OWASP Foundation
owasp.org › www-community › Free_for_Open_Source_Application_Security_Tools
Free for Open Source Application Security Tools | OWASP Foundation
Free for Open Source Application Security Tools on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
OWASP Foundation
owasp.org › www-project-web-security-testing-guide › v41 › 6-Appendix › A-Testing_Tools_Resource
Testing Tools Resource
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases.
Open source Web application security scan tool
Check out the OWASP ZAP tool. It takes a lot of effort to get it running but should do what you need.
More on reddit.comHow do Open-Source Tools/Frameworks like OWASP make money?
They don’t make money. They are non-profit orgs funded by donations from individuals, foundations, supported by volunteers, sponsored by companies and governments. (source: the “about us” page on every project or organization’s website) More on reddit.com
Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone
How would one compare DepScan with say Mend (formerly whitesource) More on reddit.com
OWASP ZAP - What is it, and how does it work?
In your experience, is cross site Scripting the main type of vulnerability you find with the OWASP Zap Scanner? Or have you found others as well? Btw, for those who want a basic understanding of cross site Scripting, you can go to the following link: https://www.smithsec.net/posts/basic-website-hacking-cross-site-scripting-xss More on reddit.com
How do False Positives from AppSec Tools Cause Burnout?
False positives force engineers to waste hours reviewing issues that won’t have a true impact. Over time, these conditions lead teams to ignore alerts, which raises the chance of missing a genuine vulnerability. OX Security lowers false positives and reduces the cycle of burnout by applying risk-based prioritization.
ox.security
ox.security › blog › top 10 application security testing tools (2026 edition)
Top 10 Application Security Testing Tools (2026 Edition) - OX Security
How can Organizations Mitigate Alert Fatigue in AppSec Testing?
Alert fatigue happens when teams receive too many irrelevant alerts. Mitigation strategies include tuning scanners to reduce false positives, rotating responsibilities, and balancing on-call workloads. OX Security directly addresses this issue by correlating results and surfacing only high-risk vulnerabilities.
ox.security
ox.security › blog › top 10 application security testing tools (2026 edition)
Top 10 Application Security Testing Tools (2026 Edition) - OX Security
How does Cloud Based Application Security Testing Work?
Cloud-based AppSec testing delivers SAST, DAST, IAST, or SCA capabilities through SaaS platforms. It avoids complex on-premise setups, scales with CI/CD pipelines, and keeps policies consistent across distributed teams. OX Security’s cloud-native model is built for large enterprises, offering risk-based triage and supply chain visibility.
ox.security
ox.security › blog › top 10 application security testing tools (2026 edition)
Top 10 Application Security Testing Tools (2026 Edition) - OX Security
Videos
11:04
Web Application Security 101: Learn OWASP ZAP in Minutes! - YouTube
37:23
The Ultimate OWASP Tool for Finding Vulnerabilities - YouTube
08:49
Learn OWASP ZAP In 8 Minutes - Automated Hacking Tool - YouTube
52:23
Deep Dive into the OWASP Top 10 for Agentic AI Applications - John ...
41:30
OWASP API Top 10 #2 - Broken Authentication Explained (With Live ...
04:56
OWASP Top 10: Essential Web Application Security Risks to Know ...
OWASP Foundation
owasp.org › www-community › Vulnerability_Scanning_Tools
Vulnerability Scanning Tools | OWASP Foundation
Vulnerability Scanning Tools on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
StackHawk
stackhawk.com › stackhawk, inc. › tooling guides › owasp zap (zed attack proxy): everything you need to know
OWASP ZAP (Zed Attack Proxy): Everything You Need to Know
March 4, 2026 - ZAP (Zed Attack Proxy, also known as OWASP ZAP) is a popular free security tool designed to help identify security vulnerabilities in web applications. Actively maintained by an international team of volunteers, ZAP is widely used by developers, functional testers, and experienced penetration ...
Orca Security
orca.security › home › 16 best open source application security tools 2026
Best 16 Open Source AppSec Tools for 2026 | Orca Security
2 weeks ago - Primary use cases: remediating vulnerable dependencies before deployment, enforcing compliance with OWASP Top 10 A06:2021 (Vulnerable and Outdated Components), and generating SBOMs for compliance reporting. It does not analyze proprietary code logic, runtime behavior, or cloud infrastructure configuration. Retire.js is an open-source SCA tool focused specifically on JavaScript components.
OX Security
ox.security › blog › top 10 application security testing tools (2026 edition)
Top 10 Application Security Testing Tools (2026 Edition) - OX Security
May 14, 2026 - TLDR; Most teams prioritize infrastructure and cloud security, but 82% of known vulnerabilities actually originate in the application layer, making AppSec tools essential to use early in the pipeline. Legacy scanners flood teams with alerts, and most of it is noise that buries real risk.
OWASP Foundation
owasp.org › www-community › Source_Code_Analysis_Tools
Source Code Analysis Tools | OWASP Foundation
Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, can help analyze source code or compiled versions of code to help find security flaws.
OWASP
mas.owasp.org › MASTG › tools
Testing Tools - OWASP Mobile Application Security
The OWASP MASTG includes many tools to assist you in executing test cases, allowing you to perform static analysis, dynamic analysis, network interception, etc. These tools are intended to help you perform your own assessments, rather than provide a conclusive result on the security status ...
GitHub
github.com › OWASP › Nettacker
GitHub - OWASP/Nettacker: Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management · GitHub
OWASP Nettacker is an open-source, Python-based automated penetration testing and information-gathering framework designed to help cyber security professionals and ethical hackers perform reconnaissance, vulnerability assessments, and network ...
Starred by 5.4K users
Forked by 1.1K users
Languages Python 72.5% | CSS 17.9% | JavaScript 9.2%
Reddit
reddit.com › r/asknetsec › open source web application security scan tool
r/AskNetsec on Reddit: Open source Web application security scan tool
March 12, 2022 -
Is there any good Open Source Web Application Security Scan Tool you can recommend?
We've developed a few web applications and look to build better protections.
thanks,
Top answer 1 of 2
6
Check out the OWASP ZAP tool. It takes a lot of effort to get it running but should do what you need.
2 of 2
2
Burp, OWASP, NIKTO, Metasploit/Armitage for more of the advanced payloads, Maltego.
There are suites of other cli based web pentesting tools in kali/parrot/pentoo distros as well.
OWASP
owasp.org › www-project-dependency-check
OWASP Dependency-Check | OWASP Foundation
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries. The OWASP ...
OWASP Foundation
owasp.org › www-community › api_security_tools
API Security Tools | OWASP Foundation
| | | | AppSentinels platform helps developers build secure API's as well as helps security teams in protecting their Applications from OWASP and OWASP API attacks. Delivered from cloud as well as on-prem. Highly scalable architecture . Contact at [email protected] ... | | | | Note: Contrast performs vulnerability detection and runtime protection of APIs using an instrumentation-based approach ... | | | | Note: Command line tool that runs HTTP requests defined in a simple plain text format.
Bank of America
careers.bankofamerica.com › en-us › job-detail › 26014985 › svp-senior-offensive-security-professional-charlotte-north-carolina-united-states
Job ID:26014985 - SVP; Senior Offensive Security Professional - Charlotte, North Carolina
April 28, 2026 - Utilizing vulnerability assessment tools including Checkmarx, Burp, Invicti, SOAP UI, and penetration testing techniques for exploring, corelating & crafting successful exploits as part of the correlational effort pertaining to source code and ...
Reddit
reddit.com › r/cybersecurity › how do open-source tools/frameworks like owasp make money?
r/cybersecurity on Reddit: How do Open-Source Tools/Frameworks like OWASP make money?
February 24, 2024 -
As the title says, how?
For OWASP it looks like maybe sponsorships since the site gets a lot of traffic?
Top answer 1 of 4
30
They don’t make money. They are non-profit orgs funded by donations from individuals, foundations, supported by volunteers, sponsored by companies and governments. (source: the “about us” page on every project or organization’s website)
2 of 4
9
In the case of the Open Source Security Testing Methodology Manual (OSSTMM), it is developed by a global team of passionate volunteers. Our goal isn't to make money but to make better security. Not being affiliated with any donors, sponsors, or partners allows us to speak the truth on critical issues. Finding and publishing the truth in security isn't easy these days. Everyone wants to hear that their network security investments are correct and vendors don't want to disclose the ugly facts. Lots of sec folks don't want the truth so we provide them tools to determine the truth on their own, if they so choose.