
Getting to Know the OWASP Top 10 Vulnerability List for Web Application Security

Hopefully you’ve at least heard of – or are somehow utilizing – the Open Worldwide Application Security Project (OWASP) Top 10 in your application security work. The OWASP Top 10 is, at its core, a consensus list of top web application security concerns. It provides guidance on what vulnerability and penetration testers should be looking for as well as what software developers and quality assurance (QA) experts need to keep in mind in their areas of contribution. The OWASP Top 10 is a great tool for those working in audit and compliance as well as those in charge of security. It’s also a good resource for getting others outside of IT on board with application security efforts within the business.

[Figure: chart showing how the OWASP Top 10 categories changed from the 2017 version to the 2021 version. Source: OWASP.org]

What’s New in the OWASP Top 10?

The OWASP Top 10 has been updated several times since its first release in 2003, and the most recent version was released in 2021. The big changes in this version include:

  • Sensitive Data Exposure has been relabeled as Cryptographic Failures, shifting the focus from the symptom (exposed data) to the root cause (weak or missing cryptography)
  • Cross-Site Scripting (XSS) is now part of the Injection category
  • New categories for Insecure Design, Software and Data Integrity Failures (which absorbs the 2017 Insecure Deserialization category), and Server-Side Request Forgery (SSRF)
  • Security Misconfiguration now includes the XML External Entities (XXE) category
  • Using Components with Known Vulnerabilities has been relabeled as Vulnerable and Outdated Components
  • Broken Authentication has been relabeled as Identification and Authentication Failures
  • Insufficient Logging & Monitoring has been relabeled as Security Logging and Monitoring Failures

Given the above changes, the OWASP Top 10 for 2021 consists of the following, in ranked order:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

On the OWASP Top 10 website, each of the 10 items is broken down in the following areas:

  • Factors, which summarizes the data behind the ranking: the number of CWEs mapped to the category, maximum and average incidence rates, average weighted exploitability and impact, test coverage, total occurrences and total CVEs involved
  • Overview, which provides a background of the category along with notable Common Weakness Enumerations (CWEs)
  • Description, which outlines considerations in specific vulnerabilities that can contribute to the category
  • How to Prevent, which includes recommendations on how to avoid or stop the associated vulnerabilities/exploits
  • Example Attack Scenarios, which outlines how vulnerabilities can be exploited
  • References, which includes related OWASP and external resources
  • List of Mapped CWEs, which links to CWEs related to this category of vulnerabilities

I recommend you check out the OWASP Top 10 site for specific details in each of the Top 10 areas. This information can be very valuable for determining specific risks or as part of threat modelling or related exercises.

Applying the OWASP Top 10 to the Real World

In my web application vulnerability and penetration testing reports, I like to include an OWASP Top 10 gap analysis that shows the areas impacted and where improvements are needed. Interestingly, and predictably, only a small number of the OWASP Top 10 items actually show up in practice. Of the many web applications I’ve tested since the Top 10 for 2021 came out, the following were the only categories in which critical- or high-rated issues of concern were found:

  1. Broken Access Control
  2. Injection
  3. Security Misconfiguration
  4. Identification and Authentication Failures

Your mileage will likely vary.

I recommend leveraging the OWASP Top 10 wherever you can. It’s a great resource to learn from and also to help keep your application security efforts in check. It’s not the be-all and end-all solution for improving application security and minimising its associated business risks: some of the items may apply directly to your situation, others not so much. Your specific application environment, risk tolerance, and web security needs are unique, so use the Top 10 to the extent it fits them. If you’re new to it, there’s never been a better time to get on board. Even if you’re quite familiar with the OWASP Top 10, you could still be leaving some of its value on the table. Do what you can to not only use it to your advantage but also to spread the word to others who might benefit from it.

Additional Resources

You may find that the OWASP Download and the Cheat Sheet Series pages are just as valuable as the Top 10 itself, so check those out. The OWASP API Security Top 10 2023 looks promising as well. In the event you’re looking to dig further into application security, an additional resource that complements the OWASP Top 10 is the CWE Top 25 Most Dangerous Software Weaknesses (currently in version 2022). Whichever resources you choose to leverage, the important thing is that you’re doing something to improve your application security program. Ideally that means ongoing web vulnerability scanning combined with in-depth vulnerability and penetration testing. Even if it’s just little things over time, everything you do counts.

Probely is proud to be a Corporate Member of OWASP.