Analysis graphics on a tablet

What is the OWASP Top 10?

The Open Web Application Security Project (OWASP), a non-profit organization, is dedicated to the security of applications and services on the internet. According to the organization, it is made up of tens of thousands of members worldwide, organized into hundreds of local chapters. OWASP runs a variety of projects designed to provide greater security in the development and operation of web services. The most well-known project is the OWASP Top 10, a ranking of the greatest security risks for web applications.

Protect your web applications with our WAF!
Analysis graphs printed on paper


A definition of the OWASP Top 10

The OWASP Top 10 is a ranking of the most significant security risks, attack vectors, and vulnerabilities that should be factored into online application development. Since 2003, the list has been compiled by its namesake non-profit organization, the Open Web Application Security Project (OWASP), and is updated every two to three years. The most recent update of the OWASP Top 10 was in 2021. The risks listed, along with best practices for addressing them, are primarily intended to raise awareness among web developers.


What security risks are included in the OWASP Top 10 (2021)?

In the latest OWASP Top 10 of 2021, three new categories have been added from the previous 2017 version: Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery. Individual categories have also been renamed or redefined. The list consists of the following security risks:

A01:2021 – Broken Access Control

Access controls can be used in web development to ensure that users cannot act outside their intended permissions. Failures in access control can lead to unauthorized disclosure of sensitive information or even to damaging manipulation of accessible data.

A02:2021 – Cryptographic Failures

The category “Cryptographic Failures” (“Sensitive Data Exposure” in previous versions of the OWASP Top 10) refers to vulnerabilities in the encryption of data and data transfers as well as the failure to use adequate encryption methods per se. A high level of cryptographic protection is required, in particular for passwords, credit card numbers, health records, personal information, and business secrets – mainly if the information is protected by regulations, such as the GDPR or the PCI DSS.

A03:2021 – Injection

Attackers use injection attacks to sneak their malicious code into other people’s systems and execute it. This means that all the data contained on the affected system and connected networks and services are potentially at risk. The most common injection attacks include SQL injections and cross-site scripting (XSS). In the 2017 version of the OWASP Top 10, injection attacks were still listed as the number one threat to web applications.

Error message

A04:2021 – Insecure Design

The new category with the rather generic designation “Insecure Design” deals with risks in connection with design and architecture flaws. One example given here is Generation of Error Message Containing Sensitive Information (CWE-209). Insecure design is not related to the implementation process, as even a perfect implementation cannot fix design flaws. Much more relevant here are the lack of security controls and business risk profiling in software development. Without them, it would not be possible to adequately determine what level of security design is required.

A05:2021 – Security Misconfiguration

“Security Misconfiguration” was still listed at number 6 in the previous version of the OWASP Top 10. The category includes errors in the configuration of security measures such as missing or insufficient system hardening, improperly configured permissions on cloud services, the use of default passwords, or even ports being enabled unnecessarily.

A06:2021 – Vulnerable and Outdated Components

Previously #9, “Vulnerable and Outdated Components” now ranks number 6 in the OWASP Top 10. This indicates that the failure to use up-to-date and secure components is still a major problem in the development of web applications. Vulnerabilities in this category result, for example, from lack of transparency (which components are used in which version (on the client- and server-side)), faulty software (vulnerable, outdated, or no longer supported programs and APIs), or lack of compatibility tests (especially for updates, upgrades, and patched libraries).

Code on a screen

A07:2021 – Identification and Authentication Failures

The category formerly known as “Broken Authentication” slid down from second position (OWASP Top 10 2017) to #7. Here, vulnerabilities associated with logins and authentications are listed. These include inadequate protection against brute force, credential stuffing, credential cracking, passwords stored in plain text, and missing or ineffective multi-factor authentication.

A08:2021 – Software and Data Integrity Failures

The new category includes vulnerabilities in software updates, critical data, and CI/CD pipelines without verifying integrity. For example, significant risks result when applications rely on plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can serve as a gateway for cybercriminals to inject malicious code and compromise systems. Automatic updates of individual components without sufficient integrity verification jeopardize the security of the entire application, as malicious code could be introduced via software supply chains.


A09:2021 – Security Logging and Monitoring Failures

Previously called “Insufficient Logging and Monitoring,” this category now includes additional risks. Overall, logging and monitoring are used to detect, escalate, and respond to active security breaches. Problems arise here when, for example, errors generate no or only inadequate log messages, when logs are only backed up locally, or when alerting thresholds and escalation processes are ineffectively defined.

A10:2021 – Server-Side Request Forgery (SSRF)

Server-side request forgery (SSRF) is when a web application fetches a remote resource without validating the user-supplied URL. This creates a risk that cybercriminals will abuse the affected application to send specially crafted requests to unexpected destinations. This can allow attackers to gain access to sensitive information or even execute remote code. The server itself and the connected network, as well as external third parties, are all vulnerable to SSRF.


Who uses the OWASP Top 10?

The project is primarily aimed at developers to help them create highly secure programs and APIs. This awareness is intended to contribute to a holistic approach to the topic of IT security in the development process – in other words, security by design. In addition, the ranking also serves to actively protect against specific threats. For example, the Myra Hyperscale WAF (Web Application Firewall) sometimes includes special filter rules based on the OWASP Top 10 and that address the vulnerabilities listed in it (as far as technically possible).

Cyber Security lettering on a laptop screen


What you need to know about the OWASP Top 10

The OWASP Top 10 is a ranked list of security risks and attack vectors. Since 2003, the list has been maintained and regularly updated by its namesake non-profit organization, the Open Web Application Security Project (OWASP). The project is mainly intended for developers and aims to draw attention to essential, security-related areas and developments. In addition, the OWASP Top 10 provides practical examples for fixing the security vulnerabilities listed and general recommendations for secure web application development and maintenance.