What is the OWASP Top 10 and how to use it?


Cybersecurity has been a rising concern in the last decade. In 2021, researchers saw 50% more attacks per week on corporate networks compared to 2020, according to Check Point Research. Increasing your organisation’s efforts to implement better security practices is essential, but where do you start?

Since 2003, a non-profit organisation has led the effort to raise awareness of the most common vulnerabilities and issues and common ways to resolve them. We’ll be covering the OWASP top 10 web application security risks in more detail, including why they’re important and what’s included in the updated list. 

What is OWASP?

In 2001, the non-profit organisation Open Web Application Security Project (OWASP) was founded to promote web application security. This was to address the early days of the internet, where application security was an afterthought and was often ignored.

OWASP was one of the first foundations to standardise security when coding, as there had been an increase in malicious attacks on older applications. They became an official non-profit organization in 2004, promising to remain neutral from any businesses or commercial endeavours. Following the foundation of OWASP, the organisation would go on to create their own open-source license and several projects within their community, most notably being the OWASP Top 10.

What is the OWASP Top 10?

OWASP releases a standard awareness document known as the OWASP Top Ten every three years. This document lists the OWASP top 10 security risks for web applications and provides statistics on how common they are, as well as general ways to prevent them.

These security risks are ordered by how prevalent they are in testing, and each is a mixture of Common Weakness Enumerations (CWEs). They may also include several other CWEs. These can be root causes that might amount to several other risks, with a small number of individual symptoms that may be too common to be included in their own category.

OWASP gathers data starting with security specialists at the Open Security Summit and organisations that work with testing and application security. Because they operate entirely transparently, they make this entire process public and show how to submit data on their Project Page.

What are the OWASP Top 10 Vulnerabilities?

1. Broken Access Control

This category of CWE includes any policies that allow a regular user to act outside of their intended permissions. Examples can include improperly granted access, APIs with missing controls for POST, PUT, and DELETE, as well as CORS misconfiguration that allows API access from unauthorised origins.

2. Cryptographic Failures

Previously known as Sensitive Data Exposure, this is a broader category related to cryptography, where failures usually result in the exposure of sensitive information. CWEs include a lack of encryption, poor password protection, and deprecated hash functions being used to protect sensitive data.

3. Injection

Injection vulnerabilities tend to be flaws that allow attackers to send malicious code (also known as hostile data) through an application to a system or other clients connected to a system. This can include exploits such as SQL injections, or user-supplied data that isn’t validated, filtered, or sanitised by a system before entering an application.
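The SQL injection case described above, as an added example that is not part of the original article: the same lookup written with string concatenation and with a bound parameter, plus an allow-list for the one place parameters cannot be used. The table, rows, function names and the hostile input are constructed for illustration.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"name", "role"}  # identifiers cannot be bound, so allow-list them

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db

def find_user_vulnerable(db, name):
    # Vulnerable: the input becomes part of the SQL text, so a quote in it
    # changes the structure of the query.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def find_user_safe(db, name):
    # Hardened: the placeholder binds the input as a value; it is never parsed as SQL.
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def list_users_sorted(db, sort_column):
    # Column names cannot be bound as parameters, so accept only known identifiers.
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return db.execute(
        f"SELECT name, role FROM users ORDER BY {sort_column}, name").fetchall()

HOSTILE_NAME = "nobody' OR '1'='1"  # constructed hostile input

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", find_user_vulnerable(db, HOSTILE_NAME))
    print("parameterised:", find_user_safe(db, HOSTILE_NAME))
    print("sorted by role:", list_users_sorted(db, "role"))
```

With the concatenated query the hostile name matches every row; with the bound parameter it matches none, because no user has that literal name.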

4. Insecure Design

OWASP created this new category of CWE for the OWASP Top 10 2021 report, including design and architectural flaws within the development cycle. It’s a fairly broad category that includes several different CWEs, but it’s explicitly unrelated to poor implementation. Instead, it focuses on poor design practices that lack proper security measures, or vulnerabilities that cannot be fixed by even a perfect implementation.

5. Security Misconfiguration

These CWEs are typically due to poor security practices or a lack thereof. These issues can include out-of-date components, security features that are disabled, or errors that return detailed information to users.

6. Vulnerable and Outdated Components

Unlike other entries on this list, this category is notoriously challenging to test and to assess for risk because of how wildly different it can be between two applications. Security vulnerabilities can include unsupported, out-of-date software and operating systems, or a lack of upgrades when components are updated.

7. Identification and Authentication Failures

Formerly known as Broken Authentication, this category includes CWEs related to identification failures and authentication issues, as the name implies. Common CWEs can consist of allowing brute force attacks, weak passwords (like “admin” or “Password1”), and poorly encrypted password data stores.
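Password storage comes up under both Cryptographic Failures (deprecated hash functions, poor password protection) and this category (poorly protected password stores). The following added example, which is not part of the original article, puts an unsalted MD5 digest beside a salted PBKDF2 record with constant-time verification. The record format, function names and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune for your hardware

def weak_hash(password):
    # Weak "before": unsalted, fast, deprecated hash. Equal passwords give equal
    # digests, so one recovered digest exposes every account that shares it.
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    # Hardened: per-user random salt plus a deliberately slow key-derivation function.
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"

def verify_password(password, stored):
    try:
        scheme, iterations, salt_hex, derived_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(derived_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed or legacy record: fail closed
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def needs_rehash(stored, iterations=ITERATIONS):
    # True for legacy records (such as bare MD5 hex) or an outdated work factor,
    # so they can be upgraded at the user's next successful login.
    fields = stored.split("$")
    if len(fields) != 4 or fields[0] != "pbkdf2_sha256" or not fields[1].isdigit():
        return True
    return int(fields[1]) < iterations

if __name__ == "__main__":
    record = hash_password("Password1")
    print(weak_hash("Password1") == weak_hash("Password1"))  # same digest every time
    print(record != hash_password("Password1"))              # salt makes records differ
    print(verify_password("Password1", record), verify_password("admin", record))
```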

8. Software and Data Integrity Failures

Another new category, Software and Data Integrity Failures can include issues related to CI/CD pipelines and software updates that are applied automatically. These issues can stem from automatically updated components or from using unsigned data sent to clients without an integrity check.

9. Security Logging and Monitoring Failures

This category is primarily to help detect and respond to security breaches. A critical vulnerability can go completely undetected whenever there is poor logging or detection. Common CWEs include inserting sensitive information into log files, events that could be audited that do not end up being logged, or logs going completely unchecked.

10. Server-Side Request Forgery

Server-Side Request Forgery, one of the smaller categories, is new to the 2021 report. These flaws result from web applications that fetch remote resources without validating the user-supplied URL, leading to a request that can bypass firewalls and VPNs. This has risen due to modern web applications’ more complex architecture in recent years, and the rise of cloud services in today’s modern software stacks.

Why is OWASP Top 10 important?

Application security is paramount in today’s world, but it’s challenging for an application to be free from any vulnerability. OWASP’s Top 10 helps bring awareness to the most common and most critical of these weaknesses.

OWASP’s Top 10 has become an industry standard, and can be used as a guideline as well as a battle plan. Developing with these weaknesses in mind leads to a more secure application, and better designed code for the future.

What are the latest OWASP Top 10 categories in 2021?

While the OWASP Top 10 isn’t updated annually, OWASP does often work to restructure and combine CWEs into umbrella categories to better explain security risks as a whole. With this restructuring, these new categories were added to the Top 10:

  • Insecure Design
  • Software and Data Integrity Failures
  • Server-Side Request Forgery

As these categories were consolidated since 2017, there are a few notable changes to the Top 10 list:

  • Broken Authentication is now grouped into Identification and Authentication Failures.
  • Sensitive Data Exposure was added into Cryptographic Failures.
  • XML External Entities has been consolidated into Security Misconfiguration.
  • Cross-Site Scripting is now included in Injection.
  • Insecure Deserialization was added to the new category Software and Data Integrity Failures.

How to meet OWASP Compliance to Ensure Secure Code

OWASP provides a basis for testing web application security known as the Application Security Verification Standard (ASVS) Project. Utilising this resource can help your team establish testing and security controls, and it covers common vulnerabilities to form a baseline of protection. It also acts as a guideline for future security requirements as an application evolves, leading to a more secure future.


Uleska helps security and development teams manage application security at scale by automating and orchestrating their preferred security tools within CI/CD.

With Uleska, teams can confidently start an AppSec program using open-source, commercial, and custom tools and then quickly change, add or scale tools as the technology and business needs evolve. Uleska also brings speed and scale when integrating into development tools, and reporting of metrics and risk.

By bringing security, DevOps and development teams together, we help reduce manual tasks so application security takes less time, costs less and can scale, allowing teams to focus resources on the issues and metrics that matter.
