OWASP

If you have worked in web application security, you have likely encountered the OWASP Top 10. It systematizes vulnerability patterns that developers repeatedly fall into—SQL injection, XSS, authentication flaws—and publishes them as risks to prioritize. OWASP itself is not a specific tool or vendor but a nonprofit project run by security experts worldwide on a volunteer basis. Beyond the Top 10, it publishes numerous projects including the OWASP Testing Guide, vulnerability assessment methodology (ASVS), and security integration into the development lifecycle (SAMM). With the spread of generative AI, the **OWASP Top 10 for LLM Applications** was published. It organizes LLM-specific risks into 10 items, including prompt injection, sensitive information disclosure, and excessive permissions. Unlike traditional web security, inputs are natural language, making attacks that conventional validation cannot prevent a distinctive characteristic. In the DevSecOps context, integrating OWASP guidelines into CI/CD pipelines to detect vulnerabilities early in the development cycle has become common practice.