Awesome Open Source

A curated list of awesome Java security-related resources.


List inspired by the awesome list thing.




Web Framework Hardening

  • Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
  • JJWT - Java JWT: JSON Web Token for Java and Android.
  • OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
  • PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
  • Spring Security - A powerful and highly customizable authentication and access-control framework.
  • Spring Security OAuth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.

Multi tools

  • hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
  • GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.

Static Code Analysis

  • SpotBugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
  • Find Security Bugs - SpotBugs plugin for security audits of Java web applications and Android applications.
  • Detect Secrets - An enterprise friendly way of detecting and preventing secrets in code.
  • Gitrob - Gitrob is a tool to help find potentially sensitive files pushed to public repositories on GitHub.
  • SonarQube - SonarQube provides the capability to show the health of an application and highlight newly introduced issues.
  • Oversecured - A static analyzer for Android apps (APK files), searches for security vulnerabilities. Contains 90+ vulnerability categories.

Runtime Analysis

  • Code Pulse - Code Pulse is a real-time code coverage tool for penetration testing activities.
  • OWASP ZAP - Helps automatically find security vulnerabilities in your web applications.
  • Contrast Community Edition - Free runtime protection and vulnerability detection tool, identifying issues in running applications.

Vulnerabilities and Security Advisories


  • Bouncy Castle - Java implementation of cryptographic algorithms.
  • Conscrypt - Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
  • Cryptomator - Multi-platform transparent client-side encryption of your files in the cloud.
  • Keyczar - Easy-to-use crypto toolkit by Google.
  • Keywhiz - System for distributing and managing secrets.
  • Tink - Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
  • ACME4J - Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME based CA.


Hacking Playground

  • BodgeIt Store - A vulnerable web application aimed at people who are new to pen testing.
  • OWASP Benchmark - A Java test suite designed to verify the speed and accuracy of vulnerability detection tools.
  • Security Shepherd - Web and mobile application security training platform.
  • WebGoat - A deliberately insecure Java Web Application.

Articles, Guides & Talks




Reporting Bugs


Found an awesome project, package, article, or another type of resource related to Java Security? Open a pull request! Just follow the guidelines. Thank you!


