OWASP (Open Worldwide Application Security Project) is an open community project dedicated to improving software security, widely known for its vulnerability risk ranking "OWASP Top 10."
If you have worked in web application security, you have likely encountered the OWASP Top 10. It systematizes vulnerability patterns that developers repeatedly fall into—SQL injection, XSS, authentication flaws—and publishes them as risks to prioritize.
OWASP itself is not a specific tool or vendor but a nonprofit project run by security experts worldwide on a volunteer basis. Beyond the Top 10, it publishes numerous projects, including the OWASP Testing Guide, a vulnerability assessment methodology (ASVS), and guidance on integrating security into the development lifecycle (SAMM).
With the spread of generative AI, the OWASP Top 10 for LLM Applications was published. It organizes LLM-specific risks into 10 items, including prompt injection, sensitive information disclosure, and excessive permissions. Unlike in traditional web security, the inputs are natural language, so a distinctive characteristic of these risks is that some attacks cannot be prevented by conventional input validation.
In the DevSecOps context, integrating OWASP guidelines into CI/CD pipelines to detect vulnerabilities early in the development cycle has become common practice.


DevSecOps is an approach that integrates security measures into the DevOps pipeline from the outset, unifying the three domains of development, security, and operations.

An attack technique that manipulates LLM behavior in unintended ways through malicious input. Classified as the top critical risk in the OWASP LLM Top 10.

An evaluation method that systematically tests AI system vulnerabilities from an attacker's perspective to proactively identify safety risks.


OpenClaw is an open-source personal AI agent framework that runs in a local environment, featuring long-term memory, autonomous task execution, and self-generating skill capabilities, which surpassed 160,000 stars on GitHub in 2026.