OWASP Top 10

What Is the OWASP Top 10?

The OWASP Top 10 is a standard awareness document published by the Open Web Application Security Project (OWASP) that ranks the ten most critical security risks to web applications. First released in 2003 and updated roughly every three to four years, the list is compiled from vulnerability data contributed by hundreds of organizations worldwide, covering tens of thousands of applications and millions of data points. The most recent edition, the OWASP Top 10:2021, reflects the current threat landscape and serves as a baseline for web application security programs across the industry.

OWASP is a nonprofit foundation dedicated to improving software security. It operates as an open community where security professionals, developers, and organizations collaborate on tools, documentation, and standards. The Top 10 is its most widely recognized publication, referenced by compliance frameworks (PCI DSS, NIST, ISO 27001), regulatory bodies, and corporate security policies around the world.

The Top 10 is not a comprehensive catalog of all possible vulnerabilities — that role is filled by CWE and CVE databases. Instead, it distills the most prevalent and impactful risk categories into a digestible format that development teams can use to prioritize their security efforts. Each entry in the list describes the risk, explains how it manifests, and provides guidance on prevention and detection.

How It Works

The OWASP Top 10:2021 includes the following categories:

1. A01: Broken Access Control — Users acting outside their intended permissions.
2. A02: Cryptographic Failures — Failures related to cryptography that expose sensitive data.
3. A03: Injection — SQL, NoSQL, OS command, and LDAP injection via untrusted input.
4. A04: Insecure Design — Flaws in architecture and design that cannot be fixed by implementation.
5. A05: Security Misconfiguration — Missing hardening, default credentials, open cloud storage.
6. A06: Vulnerable and Outdated Components — Using components with known vulnerabilities.
7. A07: Identification and Authentication Failures — Broken authentication, session management.
8. A08: Software and Data Integrity Failures — Code and infrastructure without integrity verification.
9. A09: Security Logging and Monitoring Failures — Insufficient logging to detect breaches.
10. A10: Server-Side Request Forgery (SSRF) — Application fetches remote resources without validation.

Teams use the Top 10 as a checklist to evaluate their applications. Here is an example of a security review workflow that maps findings to OWASP categories:

# Semgrep configuration targeting OWASP Top 10 categories
# .semgrep.yml
rules:
  - id: owasp-a03-sql-injection
    patterns:
      - pattern: |
          $QUERY = "..." + $INPUT + "..."
          $CURSOR.execute($QUERY)
    message: "Potential SQL injection (OWASP A03). Use parameterized queries."
    severity: ERROR
    metadata:
      owasp: "A03:2021 Injection"
      cwe: "CWE-89"

  - id: owasp-a02-hardcoded-secret
    pattern: |
      $KEY = "AKIA..."
    message: "Hardcoded AWS key detected (OWASP A02). Use environment variables."
    severity: ERROR
    metadata:
      owasp: "A02:2021 Cryptographic Failures"
      cwe: "CWE-798"

A broken access control example — the most common category in the 2021 list — and its fix:

# Vulnerable: Broken Access Control (OWASP A01)
# Any authenticated user can view any other user's data
@app.route('/api/users/<int:user_id>/profile')
@login_required
def get_profile(user_id):
    profile = db.get_user_profile(user_id)
    return jsonify(profile)

# Fixed: verify the requesting user has permission to view the profile
@app.route('/api/users/<int:user_id>/profile')
@login_required
def get_profile(user_id):
    if current_user.id != user_id and not current_user.is_admin:
        abort(403)
    profile = db.get_user_profile(user_id)
    return jsonify(profile)

Security misconfiguration (A05) is another frequent finding:

# Vulnerable: debug mode enabled in production, default secret key
app = Flask(__name__)
app.config['DEBUG'] = True
app.config['SECRET_KEY'] = 'default-secret-key'

# Fixed: production-safe configuration
app = Flask(__name__)
app.config['DEBUG'] = os.environ.get('FLASK_DEBUG', 'false') == 'true'
app.config['SECRET_KEY'] = os.environ['SECRET_KEY']  # Fails if not set

Why It Matters

The OWASP Top 10 matters because it provides a common language and shared priorities for application security. When a security team says “we need to address our A01 findings,” every developer and stakeholder understands what that means. This shared vocabulary accelerates communication between development, security, and compliance teams.

From a compliance perspective, the OWASP Top 10 is effectively mandatory. PCI DSS Requirement 6.5 explicitly requires that organizations address the OWASP Top 10 in their secure development practices. SOC 2 audits frequently reference OWASP guidelines. Many enterprise procurement processes require vendors to demonstrate that their applications have been tested against the Top 10.

The list also drives the tooling ecosystem. SAST tools like Semgrep and SonarQube, DAST tools like OWASP ZAP, and SCA tools like Snyk all organize their vulnerability detection rules around OWASP Top 10 categories. This alignment means that adopting the Top 10 as a framework naturally integrates with the tools teams already use.

Historically, each edition of the Top 10 reflects real shifts in the threat landscape. The 2021 edition elevated Broken Access Control to the number one position (up from fifth in 2017) based on data showing it is now the most commonly found vulnerability category. It also introduced new categories like Insecure Design and Software and Data Integrity Failures, reflecting emerging attack patterns targeting supply chains and CI/CD pipelines.

Best Practices

• Use the OWASP Top 10 as a starting point, not a finish line. The list covers the most critical risks but is not exhaustive. Supplement it with CWE coverage, threat modeling, and application-specific risk assessments.
• Map your SAST and DAST tool rules to OWASP categories. Ensure your automated security testing covers all ten categories. Identify gaps and add custom rules or manual testing procedures to fill them.
• Train developers on the Top 10 annually. Security awareness training should walk through each category with code examples relevant to your technology stack. OWASP provides free training materials and cheat sheets for each category.
• Track OWASP findings as a key security metric. Report the count and trend of findings by category across your application portfolio. This data drives prioritization and demonstrates improvement over time.
• Review the Top 10 after each new release. When OWASP publishes an updated list, compare it against your current security program. New categories or re-rankings may require adjustments to your testing strategy and developer training.

Common Mistakes

• Treating the Top 10 as a compliance checkbox. Organizations that “address the OWASP Top 10” by running a scan once a year and filing the report miss the point. The Top 10 is meant to drive continuous improvement in security practices, not produce a document for auditors.
• Focusing only on injection and XSS. While injection (A03) and XSS are well-known, Broken Access Control (A01) is now the most prevalent category. Teams that concentrate their security efforts on traditional injection attacks while ignoring authorization flaws leave their most common vulnerability class unaddressed.
• Ignoring Insecure Design (A04). Unlike implementation bugs that can be caught by scanners, insecure design flaws require architectural changes. If threat modeling and security architecture reviews are not part of your development process, no amount of SAST scanning will address A04.
• Assuming frameworks handle everything. Modern frameworks mitigate many Top 10 risks by default, but only when used correctly. A framework that auto-escapes HTML does not protect against injection if developers use raw query methods. Understanding what the framework protects and where gaps remain is essential.