OWASP Top 10
7.5 OWASP Top Ten project
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
The OWASP Top Ten is a flagship documentation project and is one of the very first OWASP projects.
What is the OWASP Top 10?
The OWASP Top 10 Web Application Security Risks project is probably the most well known security concept within the security community, achieving wide spread acceptance and fame soon after its release in 2003. Often referred to as just the ‘OWASP Top Ten’, it is a list that identifies the most important threats to web applications and seeks to rank them in importance and severity.
The OWASP Top 10 is periodically revised to keep it up to date with the latest threat landscape. The latest version was released in 2021 to mark twenty years of OWASP:
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery
The project itself is actively maintained by a project team. The list is based on data collected from identified application vulnerabilities and from a variety of sources; security vendors and consultancies, bug bounties, along with company/organizational contributions. The data is normalized to allow for level comparison between ‘Human assisted Tooling and Tooling assisted Humans’.
How to use it
The OWASP Top 10 has various uses that are foundational to application security:
- as a training aid on the most common web application vulnerabilities
- as a starting point when testing web applications
- to raise awareness of vulnerabilities in applications in general
- as a set of demonstration topics
There is not one way to use this documentation project; use it in any way that promotes application security. The OWASP Spotlight series provides an overview of the Top Ten: ‘Project 10 - Top10’.
OWASP Top 10 versions
The OWASP Top 10 Web Application Security Risks document was originally published in 2003, making it one of (or even the most) longest lived OWASP project, and since then has been in active and continuous development. Listed below are the versions up to the latest in 2021, which was released to mark 20 years of OWASP.
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.