OWASP Explained: Today’s OWASP Top 10

Over the past few years, cyberattacks have escalated to unprecedented heights:

• Phishing attacks are up 48%.
• Ransomware increased 41%.
• Fraud cases have grown 70% since 2020.

Organizations and users need help understanding and navigating these changing risks to fight against the rising tide of cybercrimes.

Thankfully, that is exactly what The OWASP Foundation aims to do.

What is OWASP?

OWASP, or the Open Worldwide Application Security Project, is an international non-profit focused on improving software security. Founded in 2001, OWASP is an open community with a membership in the tens of thousands to help organizations develop, obtain, maintain and manage trusted applications.

What’s the OWASP Top 10?

One of OWASP’s most ambitious and widely known projects is the OWASP Top 10, a regularly updated report outlining the ten biggest web application security risks. Their very own website describes it as a "standard awareness document for developers and web application security", and we can sum up its two main purposes:

1. To provide a consensus from members about the most critical security risks web applications and organizations face.
2. To help the community secure their applications by identifying and explaining the most common vulnerabilities.

OWASP Top 10 for Large Language Model Applications (v1.0)

So, for years, the OWASP has focused on these web app risks. Tellingly, in August 2023, OWASP officially released a brand new Top 10 and this one is for LLMs, or more precisely: applications using Large Language Models (LLMs).

Certainly this is in response to the sudden speed and power that developers and hackers alike have for using generative AI to develop and/or detect vulnerabilities and threats. 

The rest of this article will focus on the long-running Top 10 for web app vulnerabilities, not including LLMs. 

(Concerned about security in your LLMs? Learn how to defend against the OWASP Top 10 for LLMs.)

2021 OWASP Top 10: Why It Matters and What’s Changed

OWASP Top 10 is a crucial resource for organizations dedicated to enhancing web application security. It outlines the most pressing security vulnerabilities in web applications, serving as a critical guide for organizations to identify and manage potential risks.

Organizations use this guide to develop a robust shield for their systems and minimize the chance of breaches that can lead to data loss, reputational damage and other adverse impacts.

Understanding and adhering to OWASP Top 10 is not only good practice but a critical way to support regulatory compliance. Many industry regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), reference OWASP Top 10 as a standard for security applications. Organizations must align with these guidelines in order to:

• Meet regulatory requirements
• Avoid penalties
• Promote client and partner trust

The OWASP Top 10 empowers organizations to implement secure coding practices. It provides actionable information on common security vulnerabilities, which helps educate developers, QA personnel, critical employees, and stakeholders on certain web application development essentials. It’s an effective tool to prioritize security efforts, directing attention and resources to the most severe threats.

Web application security is dynamic and continuously evolving: staying up-to-date on the OWASP Top 10 is crucial to assess the current landscape accurately. New vulnerabilities are constantly surfacing while older ones become less significant, and the OWASP Top 10 is regularly updated to reflect these changes. This commitment to relevancy enables companies and organizations the information they need to prepare for and defend against the most current threats to their web applications, allowing them to take a proactive security posture.

The current OWASP Top 10

The OWASP Top 10 was updated in 2021 from the 2017 version to better reflect the transforming landscape of web application security risks. Some of the most notable changes include:

• New risks. The 2021 added risks not present in the 2017 version to reflect the changes in the cybersecurity landscape.
• Reframed risks. Some risks from the 2017 version were reframed and broadened in 2021.
• Ranking changes. Changes in the ranking of various risks indicate shifts in their severity or prevalence.
• Removed risks. Some risks from the 2017 version don’t appear in the 2021 version, which suggests they’re less prevalent or other risks have surpassed them in importance.

The 2021 version reflects a broader approach to modern security, with an emphasis not just on individual vulnerabilities but also on security design and management practices.

(Understand the relationship between vulnerabilities, threat and risk.)

OWASP Top 10 Vulnerabilities for 2021

Here are the top ten security risks according to OWASP:

#1: Broken access control

OWASP moved this to number one after discovering that 94% of the applications they tested had some broken access control after their 2017 list. Broken Access Control occurs when organizations don’t adequately enforce authenticated user restrictions. Attackers exploit this weakness to access sensitive data and functionality.

#2: Cryptographic failures

Known as sensitive data exposure in 2017, this vulnerability moved up one spot from number 3. It includes anything related to misusing or not using cryptography when needed to protect data. These failures lead to data exposure that cybercriminals can exploit.

#3: Injection

Injection moved down from the number 1 spot in 2017 and added cross-site scripting as a part of the category. Injection flaws happen when data from unverified sources is relayed to an interpreter as an element of a command or query. It potentially deceives interpreters into performing commands that were not intended, or gaining access to restricted information.

(Read our article on SQL injections for an exploration of injection attacks.)

#4: Insecure design

This is an entirely new category in 2021. Insecure design includes all vulnerabilities from insufficient consideration of security during the design and architecture of the software. It leads to inherently insecure software that is open to exploitation.

#5: Security misconfigurations

This moved up from number 6 in 2017. Security misconfiguration occurs at any level of an application stack, including the platform, network services, application server, web server, frameworks, database, custom code, pre-installed containers, virtual machines, or storage. 

Attackers exploit these misconfigurations to access unauthorized information or functionality.

#6: Vulnerable and outdated components

This moved up from the ninth slot in 2017 and now includes components that pose both potential in addition to known risks. Applications that incorporate components with recognized vulnerabilities weaken the defensive system measures, opening up opportunities for various forms of attacks and consequences. These components are the vulnerable points that attackers look for when exploiting systems.

#7: Identification and authentication failures

This was called “broken authentication” in 2017 and moved down from number two. If the software fails to identify and authenticate users properly, it cannot enforce access controls. Attackers exploit these issues to impersonate other users or elevate their privileges.

(Learn how zero trust policies can bolster proactive security.)

#8: Software and data integrity failures

This is a new category in the 2021 OWASP Top 10. This involves insecure code or data handling, leading to potential manipulation and untrusted information within the software lifecycle.

These types of vulnerabilities can result in unauthorized changes to data or software execution paths.

#9: Security logging and monitoring failures

This entry moved up from #10 on the 2017 list when it was known as insufficient logging and monitoring. Inadequate logging and monitoring, along with poor or non-existent coordination with incident management, provides bad actors with opportunities to: 

• Escalate system attacks
• Establish ongoing access
• Higrate to additional systems
• Interfere with, extract, or destroy data

#10: Server-side Request Forgery (SSRF)

This is another new category for 2021. In an SSRF attack, a cybercriminal can manipulate server functionalities to access or alter internal resources. The bad actor has the capability to provide or modify a URL, to which the server-based code will retrieve or input, often leading to unauthorized actions.

(Want to know where you stand? Review the 5 steps of risk management assessments.)

Understanding risks inside web applications 

As organizations navigate an evolving and threatening digital landscape, it’s critical that we understand the potential security risks. The OWASP Top 10 servers are a vital guide to identifying, understanding, and mitigating these risks. It reflects the changing threat landscape and highlights the need for constant vigilance and adaptation in the face of emerging threats.

As technology continues to transform, so too will the threats your organization faces. Staying up to date on lists like the OWASP Top 10 is crucial for maintaining a robust defense. In today’s interconnected world, a commitment to cybersecurity is not just an option — it’s a necessity.