The OWASP Top 10
Author: HollyGraceful Published: 03 December 2021 Last Updated: 03 November 2022
OWASP, or the Open Web Application Security Project, are a non-profit organisation that produces a range of articles, tools, and other resources on security topics. Including topics such as web application, API, and mobile application security issues.
It also produces the "OWASP Top 10", an awareness document that is updated roughly every three years and covers ten significant categories of vulnerabilities that organisations should be concerned about.
The vulnerability categories are ordered based on a combination of potential impact, exploitability, and prevalence. The latest version was released in September 2021 and sees many changes over the previous (2017) release – with issues being reordered, renamed, and added to the list.
The OWASP Top 10 2021
- A01 Broken Access Control
- A02 Cryptographic Failures
- A03 Injection
- A04 Insecure Design
- A05 Security Misconfiguration
- A06 Vulnerable and Outdated Components
- A07 Identification and Authentication Failures
- A08 Software and Data Integrity Failures
- A09 Security Logging and Monitoring Failures
- A10 Server Side Request Forgery (SSRF)
It's important to note that these are categories of vulnerabilities and each title includes many vulnerabilities.
Whilst it’s a simple idea for a project, listing the top ten vulnerabilities you should care about, a significant amount of work has gone on behind the scenes to create this list and the associated guidance material describing these categories and the issue remediation.
For example, the data behind the vulnerabilities, such as their prevalence is gathered from organisations from real world applications and security assessments (for example, from Hacker One) as well as from a community survey.
Weaknesses with the OWASP Top 10
Naturally when discussing something like the "Top 10 vulnerabilities" it's natural to think, but what about number 11? Well OWASP often includes details on issues that were not included within the list – and this year they've included a section titled "A11:2021 Next Steps" which does just this. It includes the following issues:
- Code Quality Issues
- Denial of Service
- Memory Management Errors
Notable Changes in This Release
Injection issues sees a fall from A01 to A03, which feels significant given that it held the number one spot for 2017, 2013, and 2010 (and even back in 2007 it was A02).
The top spot is now help by Broken Access Control, which moved up from the fifth position and now includes Cross-site Request Forgery, which back in 2017 was not included in the Top 10 but was considered " Retired but not Forgotten". Instead, now it is included alongside issues such as Insecure Direct Object Reference, Path Traversal, and Forced Browsing.
Issues that have merged include Cross-site Scripting (previously A07) merging into Injection, XML External Entity Injection (previously A04) merging into Security Misconfiguration, and Insecure Deserialization merging into a new category, Software and Data Integrity Failures.
There are two other new categories too: Insecure Design and Server-side Request Forgery.
In short, the OWASP Top 10 is a useful resource when introducing people to web application security, it helps by presenting data about the prevalence of issues, and helps us create a shared vocabulary to discuss the security issues we find. It's a great starting point to build on.