Find, Fix & Prevent OWASP Top 10 Vulnerabilities (Defensive AppSec)
Track: Security
Breaking into security is a chicken-and-egg problem: jobs want experience, and experience needs a job. The way out is a project that does real security work — find vulnerabilities in a deliberately broken app, fix them, and build the automated checks that stop them coming back. That’s the job, in miniature, and it’s entirely buildable on your laptop.
What you’ll build: a defensive AppSec project — run a known, deliberately-vulnerable training app (OWASP Juice Shop or DVWA), find and document OWASP Top 10 issues, fix them in your own fork, and wire SAST, dependency scanning, and DAST into a CI pipeline. The deliverable is a findings register, a hardened fork, and a green security pipeline. Only ever test apps you own or are explicitly authorized to test.
Security hiring is flooded with certificate-holders who’ve never shipped a fix. A repo that documents real findings, the remediations you wrote, and a CI pipeline that scans every push proves you can do defensive work, not just name the OWASP Top 10. It maps to the keywords these roles list: application security, OWASP Top 10, vulnerability, secure coding, SAST, DAST, dependency scanning, threat modeling, remediation.
Skills & keywords you’ll demonstrate
Identifying OWASP Top 10 classes of vulnerability in a real app
Writing the fixes — input validation, authn/authz, secrets handling
Automating security testing — SAST, dependency audit, DAST — in CI
Clear vulnerability write-ups and a tracked findings register
Starter repo
Clone github.com/OptimalMatch/resume-project-appsec-lab — a findings register and write-up template, a threat-model template, a secure-coding checklist, and a CI security-scan stub. It contains no exploit code — it’s a hardening framework you fill in. Build it under your own account, committing per milestone, and only test authorized targets.
Build it in milestones
Set the scope. Fork/run a known vulnerable training app locally; write a one-line authorization & scope note. Commit.
Threat model. Sketch assets, trust boundaries, and the most likely abuse cases. Commit.
Find & document. Identify several OWASP Top 10 issues; log each in the findings register with severity and evidence. Commit.
Remediate. Fix the issues in your fork — validation, access control, secrets, dependency upgrades. Commit each fix referencing its finding.
Automate. Add a CI pipeline that runs SAST, a dependency audit, and a DAST scan on every push. Commit — screenshot the green run.
Report. A README summarizing what you found, how you fixed it, and how CI now prevents regressions. Commit.
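The Automate milestone, as an added example (not code from the starter repo): a GitHub Actions workflow that runs SAST (Semgrep's OWASP Top 10 ruleset), a dependency audit (npm audit) and a DAST baseline scan (OWASP ZAP) on every push. It assumes the hardened fork is a Node app such as a Juice Shop fork that starts with `npm start` and listens on http://localhost:3000; the file path and job names are the example's own choices.

```yaml
# .github/workflows/security.yml (added example; assumes a Node app on :3000)
name: security-scan
on: [push, pull_request]

jobs:
  sast:                      # static analysis of the fork's own source
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.12" }
      - run: pip install semgrep
      # OWASP Top 10 ruleset; --error makes any finding fail the job
      - run: semgrep scan --config p/owasp-top-ten --error

  dependency-audit:          # known-vulnerable packages in the lockfile
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: "20" }
      - run: npm ci
      # fail only on high/critical advisories; log lower ones in the register
      - run: npm audit --audit-level=high

  dast:                      # start the fork, then passive-scan it with ZAP
    runs-on: ubuntu-latest
    needs: [sast, dependency-audit]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: "20" }
      - run: npm ci
      - run: npm start &     # background the app for the scan step
      # wait until the app answers (up to ~2 minutes) before scanning
      - run: |
          for i in $(seq 1 30); do
            curl -fs http://localhost:3000 > /dev/null && exit 0
            sleep 4
          done
          echo "app did not start" && exit 1
      # baseline scan is passive; it exits non-zero on FAIL (and on WARN
      # unless -I is given), so tune the rules rather than ignoring warnings
      - run: |
          docker run --rm --network host \
            -v "${{ github.workspace }}:/zap/wrk:rw" \
            ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py -t http://localhost:3000 -r zap-report.html
      - uses: actions/upload-artifact@v4
        if: always()
        with: { name: zap-report, path: zap-report.html }
```

The DAST job only runs once SAST and the dependency audit are green, so the uploaded ZAP report always describes the build that passed the static gates.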
Stretch goals
Add secret-scanning and a software bill of materials (SBOM) to the pipeline.
Write a remediation runbook mapping each finding to a secure-coding control.
Add container or IaC scanning if the app ships as an image or is deployed from infrastructure code.
Put it on your résumé
“Identified and remediated OWASP Top 10 vulnerabilities in a deliberately-vulnerable app, documenting findings, severity, and fixes in a tracked register.”
“Built a CI security pipeline (SAST, dependency scanning, DAST) that scans every push, preventing regressions; produced a threat model and secure-coding checklist.”
Update your résumé and check it with the free ATS resume score — security roles weight exactly these keywords.
Frequently asked questions
Is this project legal and safe to do? Yes, when scoped correctly. You test a known, deliberately-vulnerable training app that exists for this purpose (OWASP Juice Shop, DVWA) on your own machine, or any app you are explicitly authorized to test. The project is about defense — finding, fixing, and preventing issues — not attacking systems you do not own.
Do I need to be a hacker to do a security project? No. This is a defensive AppSec project: you identify well-documented OWASP Top 10 weaknesses, write the fixes, and automate scanning in CI. The valued skills are secure coding, threat modeling, and building prevention into a pipeline — exactly what entry-level AppSec roles screen for.