0% found this document useful (0 votes)
40 views1 page

OWASP Top Ten - OWASP Foundation

bien

Uploaded by

berlidesv7
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
40 views1 page

OWASP Top Ten - OWASP Foundation

bien

Uploaded by

berlidesv7
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 1

Please support the OWASP mission to improve software security through open source initiatives and community education.

Donate Now! ×

PROJECTS CHAPTERS EVENTS ABOUT   Store Donate Join

OWASP Top Ten Watch 315 Star 1,108

Main Translation Efforts Sponsors Data 2025 The OWASP® Foundation works to
improve the security of software through
Important note: its community-led open source software
projects, hundreds of chapters worldwide,
OWASP Top Ten 2025
tens of thousands of members, and by
Current project status as of September 2024: hosting local and global conferences.

We are planning to announce the release of the OWASP Top 10:2025 in the first half of 2025.
Data Collection (Now - December 2024): Please donate your application penetration testing statistics. Project Information
Stay Tuned! • OWASP Top 10:2021
• Making of OWASP Top 10
The OWASP Top 10 is a standard awareness document for developers and web application security. It • OWASP Top 10:2021 - 20th
represents a broad consensus about the most critical security risks to web applications. Anniversary Presentation (PPTX)
x
This website uses cookies to analyze our traffic and only share that information with our analytics partners.  Flagship Project
Accept
 Documentation
Globally recognized by developers as the first step  Builder
 Defender
towards more secure coding. • Previous Version (2017)

Downloads or Social Links


Companies should adopt this document and start the process of ensuring that their web applications minimize • OWASP Top 10 2017
these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software • Other languages → tab ‘Translation
development culture within your organization into one that produces more secure code. Efforts’

Social
Top 10 Web Application Security Risks Twitter
There are three new categories, four categories with naming and scoping changes, and some consolidation in
Code Repository
the Top 10 for 2021.
repo

Leaders
Andrew van der Stock
Brian Glas
Neil Smithline
Torsten Gigler

Upcoming OWASP Global Events


A01:2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for
OWASP Global AppSec Washington DC
some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to
2025
Broken Access Control had more occurrences in applications than any other category.
November 3-7, 2025
A02:2021-Cryptographic Failures shifts up one position to #2, previously known as Sensitive Data
Exposure, which was broad symptom rather than a root cause. The renewed focus here is on failures OWASP Global AppSec San Francisco
related to cryptography which often leads to sensitive data exposure or system compromise. 2026
A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form November 2-6, 2026
of injection, and the 33 CWEs mapped into this category have the second most occurrences in
applications. Cross-site Scripting is now part of this category in this edition.
A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If
we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design
patterns and principles, and reference architectures.
A05:2021-Security Misconfiguration moves up from #6 in the previous edition; 90% of applications
were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not
surprising to see this category move up. The former category for XML External Entities (XXE) is now part
of this category.
A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known
Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10
via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test
and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs)
mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their
scores.
A07:2021-Identification and Authentication Failures was previously Broken Authentication and is
sliding down from the second position, and now includes CWEs that are more related to identification
failures. This category is still an integral part of the Top 10, but the increased availability of standardized
frameworks seems to be helping.
A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making
assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity.
One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability
Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization
from 2017 is now a part of this larger category.
A09:2021-Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring
and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to
include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS
data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data
shows a relatively low incidence rate with above average testing coverage, along with above-average
ratings for Exploit and Impact potential. This category represents the scenario where the security
community members are telling us this is important, even though it’s not illustrated in the data at this
time.

Edit on GitHub

PRIVACY SITEMAP CONTACT  

Open Web Application Security Project, OWASP, Global AppSec, AppSec Days, AppSec California, SnowFROC, LASCON, and the OWASP logo are trademarks of the OWASP Foundation. Unless
otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our General
Disclaimer. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security
worldwide. Copyright 2024, OWASP Foundation, Inc.

A selection of our Corporate Supporters

Become a corporate supporter

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy