OWASP Top Ten Reference
The OWASP Top Ten is a consensus-based ranked list of the 10 most critical web application security risks, published by the Open Web Application Security Foundation (OWASP) and updated periodically to reflect observed threat patterns across the global application security community. It functions as a baseline standard for application security assessment, developer training programs, and regulatory compliance frameworks. Security professionals, auditors, and software development teams reference it when evaluating the risk posture of web-facing applications and establishing minimum remediation thresholds.
Definition and scope
The OWASP Top Ten is maintained by OWASP, a nonprofit foundation whose publications are referenced in procurement requirements, audit standards, and federal guidance. The list is not a technical specification or enforceable regulation — it is a risk taxonomy derived from data contributed by security testing firms, bug bounty platforms, and application security vendors. The 2021 edition incorporated data from more than 500,000 applications, making it one of the largest empirical datasets used to rank web application vulnerabilities.
Scope boundaries distinguish the OWASP Top Ten from adjacent resources. It applies specifically to web applications, not to network-layer threats, physical security controls, or cloud infrastructure misconfigurations (which fall under the separately maintained OWASP Cloud-Native Application Security Top 10). The list does not enumerate every possible vulnerability class — it identifies the risk categories most likely to affect a broad cross-section of deployed web applications.
Regulatory and standards bodies have formally incorporated the OWASP Top Ten as a reference baseline. The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, cites OWASP methodology in its requirements for web application security testing under Requirement 6. The NIST National Vulnerability Database (NVD) cross-references OWASP categories in its Common Weakness Enumeration (CWE) mappings.
How it works
The OWASP Top Ten is structured as a ranked list of risk categories, each defined by a combination of exploitability, prevalence, detectability, and technical impact. The 2021 edition introduced a methodology change: rankings are driven partly by incidence rate data rather than purely by severity scoring, which separates it from vulnerability scoring systems like the Common Vulnerability Scoring System (CVSS).
The 10 categories in the OWASP Top Ten 2021 are:
- A01 – Broken Access Control — moved from fifth to first; found in 94% of tested applications.
- A02 – Cryptographic Failures — previously "Sensitive Data Exposure"; covers weak or missing encryption.
- A03 – Injection — includes SQL, LDAP, OS command, and cross-site scripting (XSS) injection variants.
- A04 – Insecure Design — a new 2021 category addressing architectural flaws rather than implementation errors.
- A05 – Security Misconfiguration — covers default credentials, unnecessary features, and unpatched systems.
- A06 – Vulnerable and Outdated Components — previously "Using Components with Known Vulnerabilities".
- A07 – Identification and Authentication Failures — previously "Broken Authentication".
- A08 – Software and Data Integrity Failures — new in 2021; covers insecure deserialization and CI/CD pipeline integrity.
- A09 – Security Logging and Monitoring Failures — previously ranked tenth; elevated due to incident response implications.
- A10 – Server-Side Request Forgery (SSRF) — new in 2021; added based on community survey data.
Each category entry in the official documentation includes mapped CWE identifiers, attack scenario examples, verification guidance, and references to NIST controls. The CWE mappings connect OWASP categories to the MITRE Corporation's Common Weakness Enumeration (CWE) taxonomy, enabling integration with static analysis tools and secure development lifecycle (SDL) programs.
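The CWE mappings described above are what let scanner output be rolled up into Top Ten categories. The following is an added example, not OWASP's own tooling or the page's code: it triages a constructed scanner report by CWE tag, keeps unmapped CWEs visible for manual review, and applies a simple merge gate. The CWE-to-category table is a partial excerpt assumed from the published 2021 category pages; the full mapping is in the official documentation.

```python
import json
from collections import Counter

# Partial CWE -> OWASP Top Ten 2021 mapping (excerpt only; verify against the official list).
CWE_TO_OWASP = {
    "CWE-22": "A01", "CWE-284": "A01", "CWE-639": "A01", "CWE-862": "A01", "CWE-863": "A01",
    "CWE-259": "A02", "CWE-327": "A02", "CWE-328": "A02", "CWE-330": "A02",
    "CWE-77": "A03", "CWE-78": "A03", "CWE-79": "A03", "CWE-89": "A03", "CWE-90": "A03",
    "CWE-16": "A05", "CWE-611": "A05",
    "CWE-1104": "A06",
    "CWE-287": "A07", "CWE-384": "A07", "CWE-798": "A07",
    "CWE-494": "A08", "CWE-502": "A08", "CWE-829": "A08",
    "CWE-117": "A09", "CWE-532": "A09", "CWE-778": "A09",
    "CWE-918": "A10",
}

# Constructed scanner output in a minimal JSON shape (not real tool output).
# "CWE-9999" is a placeholder, not a real CWE id, to exercise the unmapped path.
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule": "sql-injection", "cwe": "CWE-89", "severity": "high", "file": "db.py"},
    {"rule": "path-traversal", "cwe": "CWE-22", "severity": "high", "file": "dl.py"},
    {"rule": "weak-hash", "cwe": "CWE-328", "severity": "medium", "file": "auth.py"},
    {"rule": "log-injection", "cwe": "CWE-117", "severity": "low", "file": "log.py"},
    {"rule": "custom-check", "cwe": "CWE-9999", "severity": "low", "file": "x.py"},
]})

def categorize(report_json):
    """Return (findings per Top Ten category, findings whose CWE has no mapping)."""
    counts = Counter()
    unmapped = []
    for finding in json.loads(report_json)["findings"]:
        category = CWE_TO_OWASP.get(finding["cwe"])
        if category is None:
            unmapped.append(finding)  # needs manual triage; never silently dropped
        else:
            counts[category] += 1
    return counts, unmapped

def gate(report_json, blocking=("A01", "A02", "A03"), min_severity="high"):
    """True when no finding at or above min_severity lands in a blocking category."""
    rank = {"low": 0, "medium": 1, "high": 2}
    for finding in json.loads(report_json)["findings"]:
        category = CWE_TO_OWASP.get(finding["cwe"])
        if category in blocking and rank[finding["severity"]] >= rank[min_severity]:
            return False
    return True
```

The unmapped list is the part worth watching in practice: a CWE the table does not know is a triage gap, not evidence of safety.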
Common scenarios
Web application penetration testing — Security assessors use the OWASP Top Ten as a scope checklist during penetration tests. Engagements structured around OWASP categories ensure that Broken Access Control (A01) and Cryptographic Failures (A02) receive explicit test coverage, which satisfies audit requirements under frameworks like SOC 2 and PCI DSS.
Secure code review — Development teams apply OWASP Top Ten categories to pull request review checklists and static analysis rule sets. Injection (A03) and Security Misconfiguration (A05) are the two categories most commonly addressed through automated scanning tools integrated into CI/CD pipelines.
Compliance gap analysis — Organizations subject to the HIPAA Security Rule (45 CFR Part 164) or FTC Safeguards Rule (16 CFR Part 314) use the OWASP Top Ten to map application-layer risks to administrative and technical safeguard requirements, since neither regulation specifies a web application risk taxonomy directly.
Vendor security evaluation — Procurement teams require software vendors to attest to OWASP Top Ten coverage in security questionnaires, particularly for SaaS platforms handling regulated data.
Decision boundaries
The OWASP Top Ten applies at the application layer (OSI Layer 7). It does not govern network intrusion prevention, endpoint detection, or identity infrastructure — domains covered by separate NIST Special Publications including NIST SP 800-53 Rev. 5 and NIST SP 800-63.
A critical distinction separates design flaws (A04) from implementation bugs (A03, A05). Insecure Design failures require threat modeling and architectural revision; they cannot be patched after deployment the way an injection vulnerability can. This classification boundary affects remediation timelines, budget allocation, and the professional qualifications required of the security team assigned to remediation.
The OWASP Top Ten also differs from the OWASP Application Security Verification Standard (ASVS), which provides 286 discrete verification requirements across three assurance levels. The Top Ten is a risk awareness and prioritization tool; ASVS is a testing and certification standard. Organizations requiring formal application security attestation — as distinct from general risk awareness — reference ASVS rather than the Top Ten alone.
References
- OWASP Top Ten 2021 – Official Project Page
- OWASP Application Security Verification Standard (ASVS)
- NIST SP 800-53 Rev. 5 – Security and Privacy Controls for Information Systems
- NIST National Vulnerability Database (NVD)
- MITRE Common Weakness Enumeration (CWE)
- PCI Security Standards Council – PCI DSS Document Library
- HIPAA Security Rule – 45 CFR Part 164 (eCFR)
- FTC Safeguards Rule – 16 CFR Part 314 (eCFR)
- NIST SP 800-63-3 – Digital Identity Guidelines