The OWASP Developer Guide 2014 is a dramatic re-write of one of OWASP's first and most downloaded projects. The focus moves from countermeasures and weaknesses to secure software engineering. See our roadmap.

The OWASP Developer Guide is the original OWASP project. It was first published in 2002, when Ajax was only a mote in Microsoft's eye with the new e-mail notification in Outlook Web Access (and only if you used Internet Explorer). Since then, the web has come a long way. Unfortunately, the Developer Guide never really took off with the intended audience: developers. The original Guide was more a how to perform a web application penetration test, material now better covered in the OWASP Testing Guide.

The Developer Guide 2014 is a "first principles" book - it's not specific to any one language or framework, as they all borrow ideas and syntax from each other. There are highly specific issues in different languages, such as PHP configuration settings or Spring MVC issues, but we need to look past these differences and apply the basic tenets of secure system engineering to application security.

The major themes in the Developer Guide include:

• Foundation
• Architecture
• Design
• Build
• Configure
• Operate

We are re-factoring the original material from the Developer Guide 2.0, released in July 2005, and bring it into the modern world, and focus it tightly on modern web apps that use Ajax and RESTful API, and of course, mobile applications. All testing material will move to the OWASP Testing Guide and all code review material to the OWASP Code Review Guide.

The primary audience for the new version of the Developer Guide is Architects and Developers. The Developer Guide can still be used by penetration testers who want to move up to software verification or improve their craft, but the primary focus will become how to implement secure software from first principles.

• Brad Chesney bradchesney79@gmail.com
• Steven van der Baan steven.van.der.baan@owasp.org

• OWASP Developer Guide 3.0 (current development - master branch)

• OWASP Developer Guide 2010 (abandoned)

• OWASP Developer Guide 2.0 (July 2005)

  • English Word | PDF (to be linked?)
  • Japanse Word | PDF (to be linked?)
  • Spanish Word | PDF (to be linked?)

• OWASP Developer Guide 1.1.1

  • English PDF (to be linked?)
  • We are looking for the original Word or XML document

• OWASP Developer Guide 1.1 (September 2002)

  • English PDF (to be linked?)
  • We are looking for the original Word document

• OWASP Developer Guide 1.0 (June 2002)

  • English PDF
  • We are looking for the original Word document