What is OWASP Top 10?


As application complexity increases, so does the effort of making it secure. Modern applications, in contrast with single-project monolith legacy applications, have many dependencies, including external libraries, services for hosting, building and releasing, to name a few. None of these services are simple "plug and play" affairs. Developers need to understand them, and know how to configure and implement the flows and processes securely in their own code.

Security is everyone’s job. Developers, service engineers, and program and product managers must understand security basics and know how to build security into software and services.

Training and education are an essential stage in the secure application development lifecycle (SDL). For developers, the OWASP Top 10 is a great place to start.

From a software development point of view, your team's security journey should begin with familiarizing the team with the concepts behind each item on the Top 10 list.


Although security is everyone’s job, it’s important to remember that not everyone needs to be a security expert or strive to become a proficient penetration tester. However, ensuring everyone understands the attacker’s perspective, their goals, and the art of the possible will help capture the attention of everyone and raise the collective knowledge bar.

What is OWASP?

The Open Web Application Security Project (OWASP) is a global nonprofit organization focused on improving software security. OWASP periodically releases a list of 10 categories of application security vulnerabilities. Each category covers a different area of application and information security. Its mission is to make software security visible so that individuals and organizations can make informed decisions.

The list is curated and ordered by the severity of reported vulnerabilities, industry-suggested guidelines, and the probability of attacks.

OWASP Top 10

The OWASP Top 10 (2023) is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery