
OWASP Top 10

The OWASP Top 10 is a ranking of the most critical security risks for web applications, published by the Open Web Application Security Project (OWASP). It is updated periodically (the current edition is 2021) and is widely used as a baseline for web application security testing and developer awareness.

What is OWASP Top 10?

OWASP Top 10 Definition

The OWASP Top 10 is a periodically updated list of the ten most critical security risk categories for web applications. Published by OWASP (Open Web Application Security Project), it is a widely adopted reference for application security, used by developers, security teams, and auditors.

OWASP Top 10 2021

A01:2021 - Broken Access Control:

  • Acting outside intended permissions (e.g., IDOR, privilege escalation, forced browsing)
  • Unauthorized access to, modification, or destruction of data
  • Moved from 5th to 1st place
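
The most common form of this category is an insecure direct object reference (IDOR): the application authenticates the caller but never checks that the requested record belongs to them. The following is an added example, not code from this page; the invoice table and request model are constructed for illustration and no real web framework is involved.

```python
"""Broken Access Control (A01:2021): an IDOR handler beside its fixed version.
Added illustration. INVOICES and Request are constructed for the example."""

from dataclasses import dataclass

# Constructed sample data: invoice id -> owner and amount
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}


@dataclass
class Request:
    user: str        # identity established by the session/authentication layer
    invoice_id: int  # taken straight from the URL, so attacker-controlled


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(req: Request) -> dict:
    """Authenticates (a user exists) but never authorises: any logged-in
    user can read any invoice simply by changing the id in the URL."""
    return INVOICES[req.invoice_id]


def get_invoice_fixed(req: Request) -> dict:
    """Server-side object-level check: the record's owner must match the
    authenticated user. The comparison uses the session identity, never a
    user-supplied 'owner' parameter."""
    invoice = INVOICES.get(req.invoice_id)
    # Same error for 'missing' and 'not yours', so ids cannot be enumerated.
    if invoice is None or invoice["owner"] != req.user:
        raise Forbidden("invoice not found")
    return invoice


def demo() -> tuple:
    """Bob requests Alice's invoice through both handlers.
    Returns (owner leaked by the vulnerable handler, whether the fix blocked it)."""
    attack = Request(user="bob", invoice_id=101)
    leaked = get_invoice_vulnerable(attack)["owner"]
    try:
        get_invoice_fixed(attack)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # ('alice', True)
```

The check belongs in the handler (or a shared authorisation layer) on every request; hiding the link in the UI or relying on unguessable ids is not access control.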

A02:2021 - Cryptographic Failures:

  • Weak or missing encryption and poor key management
  • Exposure of sensitive data in transit or at rest
  • Previously “Sensitive Data Exposure” (A3:2017)
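
A typical failure in this category is storing passwords with a fast, unsalted hash. The following added example (not code from this page, standard library only) contrasts that with a salted, memory-hard KDF; the scrypt work factors are assumptions chosen for the example and should be tuned to the deployment.

```python
"""Cryptographic Failures (A02:2021): unsalted MD5 password storage beside a
salted scrypt scheme. Added illustration; work factors are assumed values."""

import hashlib
import hmac
import os

# scrypt parameters (assumed for the example; raise them as hardware allows)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password_weak(password: str) -> str:
    """Unsalted MD5: equal passwords give equal digests, so one cracked hash
    (or a precomputed table) exposes every user with that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted scrypt, serialised with its parameters so they can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored next to the hash; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    try:
        expected = bytes.fromhex(digest_hex)
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    except ValueError:
        return False
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    """Two users pick the same password: the weak scheme reveals that, scrypt does not."""
    weak_a, weak_b = hash_password_weak("hunter2"), hash_password_weak("hunter2")
    strong_a, strong_b = hash_password("hunter2"), hash_password("hunter2")
    return {
        "weak_digests_equal": weak_a == weak_b,
        "strong_digests_equal": strong_a == strong_b,
        "verifies": verify_password("hunter2", strong_a),
        "rejects_wrong": verify_password("hunter3", strong_a),
    }


if __name__ == "__main__":
    print(demo())
```

Argon2id or bcrypt via a maintained library are equally acceptable; the properties that matter are a per-user salt, a tunable cost, and a constant-time comparison.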

A03:2021 - Injection:

  • SQL Injection
  • XSS
  • Command Injection

A04:2021 - Insecure Design:

  • New category
  • Design and architecture flaws
  • Threat modeling deficiencies

A05:2021 - Security Misconfiguration:

  • Default configurations
  • Unnecessary features
  • Missing hardening

A06:2021 - Vulnerable and Outdated Components:

  • Libraries with vulnerabilities
  • Unpatched software
  • Software composition analysis (SCA) to inventory and check dependencies

A07:2021 - Identification and Authentication Failures:

  • Weak authentication
  • Session management flaws (e.g., exposed or non-expiring session identifiers)
  • Credential stuffing

A08:2021 - Software and Data Integrity Failures:

  • New category: code and infrastructure that do not verify integrity
  • Unverified CI/CD pipelines, plugins, and auto-updates
  • Insecure deserialization (formerly A8:2017)

A09:2021 - Security Logging and Monitoring Failures:

  • Missing logs
  • Lack of monitoring
  • Slow detection

A10:2021 - Server-Side Request Forgery (SSRF):

  • New category
  • Attacking internal services
  • Cloud metadata access
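
The typical SSRF target is a cloud metadata endpoint reached through a server-side fetch of a user-supplied URL. The following added example (not code from this page) validates such a URL before fetching; ALLOWED_HOSTS is a constructed allowlist, and because the check runs offline it judges hostnames by the allowlist alone and literal IP addresses by their ipaddress classification.

```python
"""SSRF (A10:2021): deny-by-default validation of a user-supplied fetch URL.
Added illustration; ALLOWED_HOSTS and ALLOWED_PORTS are assumed for the example."""

import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "images.example.com"}  # assumed allowlist
ALLOWED_PORTS = {None, 80, 443}                               # None = scheme default


def check_fetch_url(url: str) -> tuple:
    """Return (allowed, reason). Allowlisting hosts beats trying to enumerate
    every encoding of 127.0.0.1 or 169.254.169.254 in a denylist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme"              # file://, gopher://, dict:// ...
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo"            # http://trusted@evil/ confuses naive parsers
    try:
        port = parts.port
    except ValueError:
        return False, "bad port"
    if port not in ALLOWED_PORTS:
        return False, "port"                # keeps the fetcher off Redis, Elasticsearch, ...
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                           # a hostname (or an odd IP spelling)
    if ip is not None:
        # Unwrap ::ffff:a.b.c.d so IPv4-mapped forms get the IPv4 rules.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if ip.is_link_local:                # 169.254.0.0/16, incl. cloud metadata
            return False, "link-local"
        if ip.is_loopback or ip.is_private or ip.is_reserved or ip.is_unspecified:
            return False, "internal ip"
        return False, "literal ip"          # public literals are not allowlisted either
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not allowlisted"  # also catches 0x7f000001, 2130706433 ...
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/users",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://0x7f000001/"):
        print(u, check_fetch_url(u))
```

Two caveats the check cannot cover offline: resolve the allowlisted hostname and re-apply the IP rules to the resolved address at connect time (DNS rebinding), and do not follow redirects from the fetched host, since a 302 to 169.254.169.254 bypasses any check done on the original URL. On cloud hosts, also require the metadata service's session-token mode (IMDSv2 on AWS) so that a plain GET from a confused server is refused.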

Using OWASP Top 10

  • Developers: Understanding common vulnerabilities
  • Testing: Penetration test checklist
  • Training: Security education foundation
  • Compliance: referenced by PCI DSS as a source of secure-coding guidance
  • Procurement: Security requirements

Changes from 2017 to 2021

Major changes:

  • Broken Access Control moved from #5 to #1
  • New categories: Insecure Design, Software and Data Integrity Failures, Server-Side Request Forgery
  • XML External Entities (XXE) merged into Security Misconfiguration
  • Cross-Site Scripting (XSS) merged into Injection
  • Insecure Deserialization merged into Software and Data Integrity Failures
  • Broken Authentication renamed Identification and Authentication Failures and dropped from #2 to #7

Other OWASP Lists

  • OWASP API Security Top 10: For APIs
  • OWASP Mobile Top 10: Mobile applications
  • OWASP Top 10 for LLM Applications: AI/LLM applications

OWASP Top 10 is an essential knowledge resource for anyone involved in creating or securing web applications.
