Security Testing Owasp Checklist

The OWASP Checklist You Actually Run

We built this so you don't have to maintain a sprawling markdown file of security checks that nobody reads. When you're shipping APIs and web applications, manual OWASP Top 10 verification is a leaky bucket. You run a linter here, a dependency audit there, and hope a pentest catches the rest. The reality is that SAST, SCA, and DAST tools operate in silos. They don't share context. Semgrep flags a taint source but doesn't know if the dependency it relies on is vulnerable. ZAP scrapes endpoints but doesn't understand your auth context. You're left stitching outputs together, chasing false positives, and guessing whether A01 Broken Access Control or A02 Security Misconfiguration is actually patched. If you're also integrating vulnerability scanning across microservices, you'll notice the same fragmentation bleeding into your CI pipeline.

The OWASP Top 10 exists as a standard awareness document for developers and web application security ^[1], but awareness doesn't catch injection payloads or misconfigured CORS headers. What catches them is a deterministic pipeline that forces each scanner to operate against the same threat model. Without a unified workflow, you're manually mapping CVEs to OWASP categories, cross-referencing alert IDs, and hoping your staging environment matches production. We ship this skill so you can stop treating security testing as a pre-deployment ritual and start treating it as a continuous, automated control plane.

What Manual Security Checks Cost You in Production

Ignoring a unified workflow isn't just a compliance checkbox—it's a liability multiplier. When you manually verify OWASP categories, you inevitably miss the intersection points. A taint flow from a user input to a database query might pass your SAST scan because the sink is wrapped in an ORM, but your SCA tool flags the underlying driver as vulnerable to a known CVE. That gap is where incidents live. We've seen teams burn 15–20 engineering hours per sprint reconciling scanner outputs, only to ship a P1 vulnerability that triggers a SOC2 audit finding. Downtime, hotfixes, and customer trust erosion compound fast.

The OWASP Top 10:2025 explicitly calls out A10 Mishandling of Exceptional Conditions as a critical risk ^[4], yet most teams still rely on ad-hoc error handling that leaks stack traces or exposes internal IPs. Every missed alert is a ticket in your backlog and a potential breach vector. When you run scanners in isolation, you also waste CI minutes spinning up containers, waiting for baseline scans, and debugging authentication bypasses in ZAP because the context definition was incomplete. The introduction to the Top 10 highlights how category scoping has evolved to catch modern architectural flaws ^[3], but your pipeline hasn't caught up. You're paying for compute, engineering time, and incident response while your security posture drifts. If you want to deepen your vulnerability assessment coverage, you'll find the same time-sink when trying to correlate findings across disconnected tools.

How a Single Misconfigured Context Blew Up a Deployment

Imagine a platform team shipping a REST API with 150 endpoints. They run Semgrep for SAST, Dependency Cruiser for SCA, and ZAP for DAST, but each tool runs in isolation. During a pre-release checklist, the lead engineer marks "A01 Broken Access Control" as verified because the routing layer has middleware. They don't realize the context definition in the DAST scanner doesn't include the JSON API authentication flow, so ZAP's active scan runs as an unauthenticated user and reports zero critical alerts. Meanwhile, the SCA scan flags a transitive dependency with a known SSRF sink, but the SAST taint analysis doesn't join the dependency graph, so the rule never fires. The team ships. Two days later, a malicious payload hits an unvalidated URL parameter, triggers an internal metadata service call, and exfiltrates credentials.

The postmortem reveals three separate tooling gaps that a unified workflow would have caught in CI. Fragmented security testing is exactly how A04 Insecure Design and A02 Security Misconfiguration slip through ^[8]. The team had to roll back, patch the dependency, harden the error handling, and rewrite the ZAP automation config. That's three days of lost velocity and a credibility hit with the product team. The OWASP Top Ten Web Application Security Risks document emphasizes that these categories aren't isolated—they compound when your testing tools don't share state ^[2]. A mapped cheat sheet can help you identify which controls apply to each category, but it won't run the scans for you ^[5]. You need a pipeline that enforces context, validates configs, and fails fast on structural misconfigurations before they reach staging.

What Changes Once the OWASP Workflow Is Locked In

With this skill installed, security testing stops being a manual reconciliation exercise and becomes a deterministic pipeline. The orchestrator runs SAST, SCA, and DAST in sequence, passing context between each phase. Semgrep's taint analysis now cross-references dependency metadata, catching SQLi and XSS join-mode detections before they hit staging. ZAP's automation framework uses your exact JSON API auth context, so baseline scans actually test authenticated flows and flag critical alert conditions. Dependency Cruiser enforces the Stable Dependencies Principle and flags unknown module types that often hide supply-chain risks.

You get structured, machine-readable outputs that map directly to bug trackers. No more guessing if A03 Injection or A07 Identification and Authentication Failures are resolved. The validator scripts catch structural failures in your ZAP configs before they waste CI minutes. Errors are RFC 9457 compliant out of the box, and every scan produces a deterministic report you can diff across PRs. The worked example report demonstrates how to track known issues, map alert IDs to bug trackers, and manage in-progress vulnerability states without manual spreadsheet gymnastics. If you're already using structured logging across services, this pipeline integrates cleanly with your observability stack, feeding scan results directly into your incident management workflow. You stop chasing false positives and start shipping secure APIs.

What's in the security-testing-owasp-checklist Pack

• skill.md — Orchestrator skill that defines the 3-phase security testing workflow (SAST -> SCA -> DAST), references all templates, references, scripts, validators, and examples by relative path, and provides execution context for the AI agent.
• references/owasp-top10-2025.md — Canonical knowledge base for OWASP Top 10:2025 categories (A01 Broken Access Control, A02 Security Misconfiguration, A10 Mishandling of Exceptional Conditions, etc.) with specific testing focus and remediation guidance.
• references/zap-api-reference.md — Authoritative reference for ZAP Automation Framework YAML structure, alert test conditions, authentication context configuration, baseline progress tracking, and key API endpoints.
• references/semgrep-taint-analysis.md — Canonical guide for Semgrep rule authoring: taint analysis modes, pattern-sources/sinks, join mode for cross-file analysis, metavariable unification, and mandatory security metadata fields.
• templates/zap-automation.yaml — Production-grade ZAP Automation Framework configuration including context definition, JSON API authentication, active scan job with duration limits, and alert test assertions for critical vulnerabilities.
• templates/semgrep-security-rules.yaml — Production Semgrep rule set targeting OWASP Top 10: SQLi taint tracking, XSS join-mode detection, SSRF sinks, and insecure cryptographic defaults with proper CWE/metadata.
• templates/dep-cruise-security.json — Dependency Cruiser configuration for SCA and architecture validation: excludes node_modules, enforces Stable Dependencies Principle, flags unknown/undetermined dependency types, and outputs JSON.
• scripts/run-security-scan.sh — Executable orchestration script that runs the full security pipeline: validates configs, executes Semgrep SAST, runs Dependency Cruiser SCA, and prepares ZAP DAST baseline scan. Uses set -e and proper exit codes.
• validators/validate-zap-config.sh — Validator script that parses templates/zap-automation.yaml to ensure mandatory keys (jobs, tests, context, authentication) exist and alert tests have required fields. Exits non-zero on structural failure.
• examples/worked-example-report.json — Real-world ZAP baseline scan progress JSON demonstrating how to track known issues, map alert IDs to bug trackers, and manage in-progress vulnerability states.

Stop Guessing. Start Scanning.

You don't need another checklist to manually verify. You need a deterministic pipeline that catches OWASP Top 10:2025 risks before they reach production. Upgrade to Pro to install this skill and lock in your security workflow. If you want to deepen your vulnerability assessment coverage, pair it with the audit pack for full-spectrum compliance. Stop chasing false positives. Start shipping secure APIs.