
OWASP Top 10

A list of the ten most critical web application security risk categories, published by OWASP - the standard for application security awareness.

What is the OWASP Top 10?

The OWASP Top 10 is a list of the ten most critical web application security risk categories, published by the Open Worldwide Application Security Project (OWASP, formerly the Open Web Application Security Project). The current version (2021) was built from vulnerability data contributed by hundreds of organisations covering hundreds of thousands of applications, combined with an industry survey for risks that the data alone does not yet capture.

The OWASP Top 10 (2021) includes:

A01 - Broken Access Control (the most common issue in the data set)
A02 - Cryptographic Failures (formerly Sensitive Data Exposure)
A03 - Injection (SQL, NoSQL, LDAP, OS command; Cross-Site Scripting was folded into this category in 2021)
A04 - Insecure Design (new category)
A05 - Security Misconfiguration
A06 - Vulnerable and Outdated Components
A07 - Identification and Authentication Failures (formerly Broken Authentication)
A08 - Software and Data Integrity Failures (new)
A09 - Security Logging and Monitoring Failures
A10 - Server-Side Request Forgery (new)
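As an added illustration of the A03 Injection category (example code written for this page, not OWASP's own material), the Python below runs the same user lookup in two forms against an in-memory SQLite database: one that concatenates the username into the SQL text, and one that passes it as a bound parameter. The users table and the payload string are constructed for the demonstration; only the standard library sqlite3 module is used.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "user"),
    (2, "bob", "bob@example.com", "user"),
    (3, "carol", "carol@example.com", "admin"),
]

# Classic tautology payload: closes the string literal and appends an
# always-true condition, so the WHERE clause matches every row.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """A03 pattern: untrusted input is spliced into the query text.

    The database cannot tell where the developer's SQL ends and the
    attacker's input begins, so the input can change the query's meaning.
    """
    sql = (
        "SELECT id, username, email, role FROM users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Hardened form: the query text is fixed and the value is bound.

    The driver sends the username as data, never as SQL, so quotes in the
    input are just characters to compare against the column.
    """
    sql = "SELECT id, username, email, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", find_user_vulnerable(db, "alice"))
    print("vulnerable, payload      :", find_user_vulnerable(db, PAYLOAD))
    print("parameterized, payload   :", find_user_parameterized(db, PAYLOAD))
```

With a normal username both functions return the single matching row. With the payload, the concatenated query becomes `... WHERE username = '' OR '1'='1'` and returns every user, including the admin account, while the parameterized query returns nothing because no user is literally named `' OR '1'='1`. The fix is not escaping quotes by hand but keeping query structure and data separate, which is the general remedy for the whole A03 category (the same separation applies to LDAP filters, OS commands and NoSQL queries).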

OWASP also publishes specialist Top 10 lists: the OWASP API Security Top 10 (for REST and GraphQL APIs), the OWASP Mobile Top 10 (for mobile applications), the OWASP Top 10 for LLM Applications (for applications using large language models) and others.

Why does it matter?

The OWASP Top 10 is the de facto standard for web application security awareness. It serves as a benchmark in penetration testing, a reference point in regulatory requirements (PCI DSS cites OWASP guidance as an example of industry best practice for addressing common coding vulnerabilities), a foundation for developer training and an evaluation criterion in procurement processes. Every web application penetration test should at minimum cover the risk categories in the OWASP Top 10; note that it is an awareness document rather than an exhaustive checklist, so a test scoped only to these ten categories is a floor, not a ceiling.

Need help in this area?

Our experts will help you assess the risk and plan next steps.

Talk to an expert: +48 22 292 32 23