What is the OWASP Top 10?
The Open Web Application Security Project (OWASP) is a non-profit organization that strives to improve web application security by offering research and free resources. The organization provides easily accessible materials on its website to make it possible for anyone to improve the security of their web applications.
The organization offers a wealth of information through documentation, videos, forums, and tools. The OWASP Top 10 is a popular project that provides information about web application security risks. It serves development teams worldwide as a standard for securing web applications.
The organization published the first version of the list in 2003 and updated it in 2004, 2007, 2010, 2013, and 2017. The latest update was published in 2021.
In this article:
- How Should You Use the OWASP Top 10 List?
- OWASP Top 10 2021
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable and Outdated Components
- A07: Identification and Authentication Failures
- A08: Software and Data Integrity Failures
- A09: Security Logging and Monitoring Failures
- A10: Server-Side Request Forgery
- Other OWASP Top 10 Lists
- Are These the Only Vulnerabilities You Need to Watch Out For?
- Find Out if Your App is Exposed to OWASP Top 10 with Bright Security
How Should You Use the OWASP Top 10 List?
The OWASP Top 10 list was introduced in 2003 and is updated every few years in line with the evolution of application security threats and practices. The importance of this list lies in the highly practical information it provides, in the sharp focus it offers developers and organizations of all sizes (by prioritizing the most important threats), and as a standard for anyone developing and delivering web applications.
Many security auditors treat the OWASP Top 10 as a basic threshold of application security. Failure to secure applications against one or more of the Top 10 indicates that the organization does not have basic security measures and may not meet other compliance requirements.
On the other hand, by incorporating the Top 10 risks into the software development lifecycle (SDLC), an organization demonstrates its commitment to security best practices. Securing applications against the OWASP Top 10 is not enough to comprehensively secure applications, because there are many other threats, but it is a big step towards sound application security.
Here are a few important points that can help you make use of the OWASP list and research:
- Address the most serious threats—the OWASP Top 10 focuses on the most severe threats, not specific vulnerabilities. Threats are always a more reliable measure of risk because they help you consider possible attack vectors, which can strike in many different places in your application.
- Keep up with changes—OWASP updates the Top 10 list every three years, making recommendations that reflect important, long-term changes in the application security field and do not reflect short-term volatility.
- Get detailed technical information—behind each of the OWASP Top 10 items is a wealth of technical information that can help you better understand the risk, learn about development antipatterns that can lead to vulnerabilities, and remediate them. OWASP also provides open source tools you can use to test software packages and identify security issues.
OWASP Top 10 2021
A01: Broken Access Control
Ideally, web applications should make each piece of information available only to certain users according to their privileges. Broken access control can lead to critical security risks, allowing users to access the information they are not truly authorized to access.
How to prevent broken access control:
- Set up and implement a secure development lifecycle that includes designing and evaluating security and privacy controls.
- Set up and implement a library of secure design patterns.
- Employ threat modeling for critical access control, authentication, key flows, and business logic.
- Integrate security controls into user stories.
- Add plausibility checks to each application tier, from front-end to back-end.
- Depending on the required exposure and protection, segregate tier layers on the system and network layers.
A02: Cryptographic Failures
Cryptographic failures occur when cryptographic methods do not protect data appropriately. Common cryptographic control issues include poorly implemented cryptographic protocols and obsolete cryptographic ciphers.
In the past, this category of web security risks was called ‘sensitive data exposure’. OWASP changed the category’s name to emphasize the seriousness of cryptographic failures and the dangerous role they play in exposing sensitive information.
How to prevent cryptographic failures:
- Turn off autocomplete on any form that collects data and disable caching on these forms.
- Minimize the data surface area.
- Encrypt your data in transit as well as at rest.
- Implement only the most updated encryption techniques.
- Set up and enforce strong adaptive and salted hashing functions for passwords.
Injection vulnerabilities allow threat actors to insert malicious data into an application. The injection may include malicious commands that redirect stored data to a malicious website or force changes to the application.
The list mentions SQLi injection as a common attack vector. You can remediate this risk by explicitly authenticating all untrusted data, particularly data submitted by your end-users. In 2021, the OWASP updated this category to include cross-site scripting (XSS).
How to prevent injection attacks:
- Segregate commands from data—this technique can help prevent attacks that replace data with unauthorized command execution.
- Code SQL queries with parameters—instead of structuring a command only from user input content, use parameterized queries (also called prepared statements).
- Eliminate the interpreter—you can use a safe API to eliminate the interpreter.
- Implement positive server-side validation—use this technique with an intrusion detection system to identify suspicious client-side behaviors.
A04: Insecure Design
Design flaws can introduce critical threats to your web application. They are caused by an insecure design that does not include threat modeling, reference architectures, or secure design principles and patterns. Failure to assess the business risks inherent in the system being developed can also cause design flaws.
How to avoid design flaws:
- A secure development lifecycle—set up and enforce a lifecycle that includes security in the design of the software and all development phases.
- A library of secure design patterns—set up a library and use it consistently to standardize security.
- Threat modeling—implement threat modeling for critical access control, authentication, key flows, and business logic.
- User stories—use security controls for all user stories.
- Plausibility checks—include these checks for each application tier, from front-end to back-end.
- Segregate tier layers—implement segregation for the system and network layers according to your project’s exposure and protection needs.
A05: Security Misconfiguration
Security misconfigurations occur when issues in the application’s configurations allow unauthorized access, usage, modification, and data exfiltration. For example, applications that incorrectly filter incoming packets may allow unauthorized use of a default user ID or password. In 2021, OWASP added EML external entities (XXE) vulnerabilities to this category.
How to avoid security misconfigurations:
- Implement a repeatable hardening process—this process can help you quickly deploy an appropriately locked down environment. Ideally, you should configure all environments identically—including development, testing, and production—but with different credentials.
- Use a minimal design—do not add unnecessary components, features, samples, or documentation. If you find any redundancies, remove these unused features and frameworks.
- Set up a patch management process—this process should include configuration reviews followed by updates and fixes.
- Configure a segmented application architecture—use this to isolate components or tenants to ensure threats are contained to the location of initial intrusion. You can use various techniques, including containerization, segmentation, and cloud security groups.
- Automated your processes—automation helps drive efficiencies and reduce the scope of human error. You can use automation to verify the effectiveness of your configurations and settings across all environments.
A06: Vulnerable and Outdated Components
This category refers to unsupported, out-of-date, and vulnerable software components, including direct and indirect dependencies. Using these components without regular scanning and testing mechanisms can introduce critical risks. In the past, this category was called ‘Using Components with Known Vulnerabilities’. It was updated to include outdated components.
How to avoid using vulnerable and outdated components:
- Remove redundancies—including unused dependencies and any unnecessary features, files, documentation, and components.
- Check your versions—you must continuously inventory all used versions of server-side and client-side components as well as their dependencies. You can use tools like OWASP Dependency Check and retire.js.
- Scan for vulnerabilities—you should continuously monitor various sources, such as the National Vulnerability Database (NVD), for known vulnerabilities in your software. You can employ software composition analysis (SCA) tools to automate this process.
- Use official sources—obtain components only from official sources and use secure links. Ideally, you should use signed packages to avoid including a modified, malicious component.
- Monitor for activity—do not use libraries and components that are no longer maintained or do not provide security patches for older versions. If it is impossible to patch, deploy a virtual patch to monitor, detect, and protect against these issues.
A07: Identification and Authentication Failures
This category includes vulnerabilities caused by identification and authentication failures. These failures allow attackers to launch brute force attacks and credential stuffing. Common vulnerabilities include a lack of multi-factor authentication (MFA) and no user-session validation for inactive or expired sessions.
This category was introduced in 2017 under the name ‘broken authentication’. In 2021, OWASP updated the category and renamed it to include broken session management and broken authentication.
How to prevent broken authentication and identification:
- Implement MFA and enforce strong passwords.
- Never deploy using default credentials and constantly monitor all failed login attempts.
- Employ a secure session manager to generate time-limited, random session IDs. Do not include session IDs in URLs.
A08: Software and Data Integrity Failures
This category includes assumptions made regarding software updates, CI/CD pipelines, and critical data without verifying integrity. Additionally, the category mentions insecure deserialization, which occurs when applications do not deserialize vulnerable objects. Threat actors can manipulate data received by back-end code to launch attacks.
How to avoid software and data integrity failures:
- Digital signatures—mechanisms like digital signatures can verify the data or software originates from an expected, trusted source and was not altered.
- Trusted repositories—your libraries and dependencies should consume trusted repositories like Maven or npm. You can also host an internal, vetted repository.
- A review process—use a review process for all code and configuration changes to reduce the probability of malicious code or configuration added to the pipeline.
- Integrity—CI/CD pipelines require proper segregation, access control, and configuration to ensure the integrity of any code moving through build and deploy stages.
A09: Security Logging and Monitoring Failures
This category was previously referred to as ‘insufficient logging and monitoring’. It covers vulnerabilities related to security monitoring and logging failures, which can lead to errors in your ability to identify, escalate, and respond to active breaches. Logging and monitoring are crucial mechanisms to detect breaches. These failures impact visibility, forensics, and incident alerting.
How to prevent security logging and monitoring failures:
- Context—you should log all failures related to login, server-side input validation, and access control with sufficient user context. This context is key to helping you identify suspicious accounts and perform accurate forensic analysis.
- Format—ideally, your set up logging so that the system generates logs in a format your log management solutions can consume easily.
- Encoding—you can prevent injections and attacks on your logging and monitoring systems by ensuring log data is properly encoded.
- Audit trails—you should set up an audit trail with integrity controls, such as append-only database tables, for high-value transactions. It can help you prevent deletion and tampering.
A10: Server-Side Request Forgery
Server-side request forgery (SSRF) vulnerabilities allow threat actors to force a server-side application to send HTTP requests to domains chosen by the actor. It occurs when a web application fetches remote resources without validating user-supplied URLs. It can occur even if you use a firewall or VPN because threat actors can still force the application to send a forged request to an unauthorized location.
How to prevent SSRF:
- Enforce network access control rules or firewall policies that deny by default—to allow only essential intranet traffic.
- Always validate and sanitize client-supplied input data.
- Use a positive allow list to enforce the URL schema, port, and destination.
- Disable HTTP redirections and never send raw responses to clients.
- Reduce the impact of SSRF attacks by segmenting remote resource access functionality in separate networks.
Other OWASP Top 10 Lists
In addition to the OWASP Top 10 Application Security Vulnerabilities list, covered in this article, OWASP has released two other important lists that can help you secure mobile applications and APIs. Learn about them in our detailed guides:
- OWASP Mobile Top 10 (coming soon)
- OWASP API Top 10 (coming soon)
Are These the Only Vulnerabilities You Need to Watch Out For?
The OWASP Top 10 is a great resource for web developers and security professionals. It provides a solid foundation and highlights key issues observed in production web applications. However, it is not a good idea to build an entire application security program on these 10 issues, for several reasons.
Threats not covered in the OWASP Top 10
There are many other types of vulnerabilities and techniques that can be used to break into applications and steal data.
For example, Cross-Site Request Forgery (CSRF) was removed from the 2017 OWASP Top 10 list, because it is a less significant threat in the current technology environment. This doesn’t mean you don’t need CSRF protection—it only means that most organizations and frameworks already protect themselves, so OWASP considers it a less severe risk.
Rapid evolution of appsec technology and threats
Another concern is the rapid evolution of web application technology, and rising new threats. Because OWASP Top 10 is updated only once every three years, it does not reflect the latest technologies, newly discovered vulnerabilities, and the latest tactics, techniques, and procedures (TTP) used by attackers.
The need for comprehensive security testing
Automated security tools can help you scan software projects for vulnerabilities and security weaknesses, including but not limited to the OWASP Top 10 risks. This is critical to ensuring that you did not miss an important vulnerability that was not included in the Top 10, but can still pose a risk to your application and business.
Find Out if Your App is Exposed to OWASP Top 10 with Bright Security
Bright Security is a developer-first Dynamic Application Security Testing (DAST) scanner that can test your applications and APIs (SOAP, REST, GraphQL), enabling you to bake security testing into your development and CI/CD pipelines.
Detect the OWASP (API) Top 10, MITRE 25 and more, including Business Logic Vulnerabilities. You can easily reduce your security and technical debt by scanning early and often, on every build, to be secure by design.
With NO false positives, there is no need for manual validation of security findings, removing costly and time consuming human bottlenecks that cripple your rapid releases and drain your security team’s limited resources.
Detect OWASP Top 10 security vulnerabilities in your apps and APIs for FREE: Register for a Bright account!