The OWASP (Open Web Application Security Project) Top 10 is a list of the most critical and widespread application security risks, chosen by top security experts based on data from hundreds of thousands of applications. In this article, you’ll learn how to use the OWASP Top 10 to protect your web app from cyberthreats, how to test for these vulnerabilities, and how to avoid the OWASP Top 10 vulnerabilities.
What Is the OWASP Top 10? Why Does It Matter?
The OWASP Top 10 is a list of today’s ten most critical and widespread web app security risks. Top security experts update the list every few years based on data from hundreds of thousands of applications. Each risk includes a description, vulnerability examples, attack examples, guidance on how to avoid them, and references to more detailed resources. Public-facing applications were the most common initial attack vector in 2022, and almost 70% of applications have flaws that fall under the OWASP Top 10, meaning that most apps have cybersecurity flaws that could be remedied by paying attention to the OWASP Top 10.
The OWASP Top 10 isn’t the only security framework, and it is not an application security standard in its own right. ISO/IEC 27001 and the NIST Cybersecurity Framework cover organization-wide security management rather than application code, and OWASP’s own Application Security Verification Standard (ASVS) gives a far more exhaustive list of application controls. The Top 10 is also not comprehensive, since it addresses only the most common risk categories. But it is a good place to start an application security program, because it covers the most common and dangerous vulnerabilities that you should fix first.
How Are the OWASP Top 10 Selected?
To choose and prioritize the top security risks, OWASP relies on two sources of information, contributed vulnerability data and a survey of practitioners, and goes through the following steps.
- A call for data is publicized through social media channels.
- Security companies submit their data.
- Vulnerabilities are categorized based on their root cause.
- The OWASP team selects eight top risk categories based on incidence rate.
- These eight categories are ranked in order of risk using generalized factors for exploitability and technical impact.
- Seasoned security practitioners are surveyed to identify the last two risks.
- The process is repeated every three to four years.
As mentioned, the OWASP Top 10 is revised every 3-4 years; the most recent revision was published in 2021. Three categories were new in 2021: Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery. Several 2017 categories were folded into broader ones: Cross-Site Scripting became part of Injection, XML External Entities became part of Security Misconfiguration, and Insecure Deserialization became part of Software and Data Integrity Failures. Rankings also shifted: Broken Access Control moved from fifth to first place, Injection dropped from first to third, Sensitive Data Exposure was renamed Cryptographic Failures (naming the root cause rather than the symptom) and moved to second, and Broken Authentication was renamed Identification and Authentication Failures and moved from second to seventh.
How Businesses Use OWASP Top 10
Businesses can use the OWASP Top 10 in a number of ways to improve their web app security stance.
- Awareness: OWASP Top 10 informs a broad audience including non-technical staff and executives. It allows developers, security experts, and managers to be on the same page about web app security priorities.
- Training: OWASP Top 10 can be a training core for developers, security professionals, and other technical staff involved in software development.
- Prioritization: OWASP Top 10 highlights which application security areas a business should fix first. By identifying the top risks from the list for your company, you’ll be empowered to allocate your resources appropriately.
- Software development: The OWASP Top 10 is used in almost every stage of the software development cycle:
- During the design phase, to ensure a team implements baseline security practices
- In the software-development supply chain, to ensure the security of third-party components and services used to develop an application
- As a checklist for secure code review
- As a reference for unit testing, integration testing, and penetration testing
- Security compliance: Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS)-compliant organizations use the OWASP Top 10 as a checklist to measure the application security level of their partners.
- Contractor requirements: Some companies include the OWASP Top 10 list in contractor requirements. For example, you can use it to set security expectations for a software development company.
- Hiring: Companies may use the OWASP Top 10 to assess a candidate’s security knowledge.
The OWASP Top 10 List Overview
To better understand how the OWASP Top 10 vulnerabilities relate to your web application and how they can impact your business, let’s walk through each category.
| Risk | Risk explanation | Example | Factors | Specific consequences (general consequences are covered in the next section) |
|---|---|---|---|---|
| 1. Broken access control | Users can reach resources or perform actions they are not authorized for, for example by changing an ID in a URL, escalating to an administrative role, or bypassing a check that exists only in the browser. In the worst case, the attacker modifies the website’s content or takes over the entire site. | Numerous WordPress plugins have shipped flaws of this type. Successful exploitation lets an attacker take over any site with the vulnerable plugin enabled. | – Authorization checks that are missing, inconsistent with the risks of your business case, or enforced only on the client rather than on every server-side request. – Unverified third-party components added to your software. – A permission model that was never revisited as the application grew, such as a static permission list or a single check at login with no per-request enforcement. | – |
| 2. Cryptographic failures | Sensitive data is exposed because it is not encrypted at all, is protected with weak or misused algorithms, or depends on keys that are poorly generated, stored, or rotated. | One of the 2022 LastPass incidents. Source code and technical information were stolen from the development environment; the attacker used them to target an employee, obtained credentials and keys that decrypted some storage volumes, and accessed basic customer account information. | – Outdated or weak algorithms, e.g. Triple DES (3DES), or MD5 and SHA-1 for password hashing. Current approved algorithms are published by NIST (National Institute of Standards and Technology). – Outdated key management practices (keys not securely generated, stored, rotated, or protected). – Default, weak, or hard-coded keys that are not long and random enough to resist brute force. – Unprotected communication channels, e.g. HTTP instead of HTTPS, or TLS with certificate validation disabled. | – |
| 3. Injection vulnerabilities | The application passes untrusted input to an interpreter (SQL, OS shell, LDAP, a template engine, or the browser in the case of cross-site scripting) without parameterizing, escaping, or validating it. Attackers use this to read or modify data, change the application’s behavior, or execute commands on the server. | In spring 2023, attackers exploited a SQL injection vulnerability in the MOVEit Transfer application (CVE-2023-34362) to install a web shell and exfiltrate data from affected instances. | – Queries or commands built by concatenating user input instead of using parameterized APIs. – Input validation that does not follow best practice, e.g. denylist-only filtering or validation performed only in the browser. | – |
| 4. Insecure design | Security controls that are missing or ineffective at the design level: the architecture or business logic never accounted for a threat, so even a flawless implementation is vulnerable. Unlike the other categories, this cannot be fixed by patching code; it requires threat modeling and redesign. | A cinema chain offers group-booking discounts for up to fifteen people. If the website accepts many reservations without a deposit or card details, an attacker can book every available seat in a few clicks, and the chain loses significant revenue over time. (This scenario is OWASP’s own illustration of the category.) | Not all of the necessary security controls are designed in and implemented throughout the software development process, typically because no threat modeling was done. | – Limited business growth: potential clients and partners may have concerns about the company’s security posture. – Higher remediation cost: fixing a design flaw may require fundamental changes. |
| 5. Security misconfiguration | An insecurely configured application stack: default accounts and passwords, unnecessary features or services left enabled, verbose error messages, missing security headers, and insecure settings in frameworks and libraries. Since 2021 the category also includes XML External Entity (XXE) flaws in misconfigured XML parsers. | Apache Tomcat (an open-source Java application server) instances exposed with default or weak manager credentials were brute-forced, and the compromised servers were used to spread Mirai botnet malware. | Lack of knowledge about how to securely configure the software the application depends on, and no repeatable hardening process; for example, failure to follow the vendor’s configuration best practices. | – |
| 6. Vulnerable and outdated components | Using outdated or unsupported software, tools, libraries, frameworks, and infrastructure, including transitive dependencies. Attackers exploit these components’ known flaws, often with public exploits, to get inside your perimeter. | Open-source libraries are everywhere because they speed time to market, but one flaw in a widely used library exposes every application that embeds it at once, as the 2021 Log4j (Log4Shell) vulnerability showed. Failing to update a library promptly, even one buried in the core of your app, leaves a high risk of compromise. | The company has no inventory of the components and versions in use, and no process to track new releases, security advisories, and end-of-life dates. | – |
| 7. Identification and authentication failures | Weak identification, authentication, and session management. For instance, a system that accepts easy-to-guess or previously breached passwords, lacks multi-factor authentication, or does not limit login attempts invites unauthorized access to user accounts and data breaches. | In the 2023 NortonLifeLock case, over 6,000 customer accounts were accessed through credential stuffing: attackers replayed username and password pairs leaked from other services, which worked because users had reused them. The company offered multi-factor authentication as an option but did not require it. | Insufficient identification and authentication mechanisms, such as failing to implement the authentication requirements appropriate for the type of application. | – Users’ sensitive data stolen. – Unauthorized transactions on users’ behalf. |
| 8. Software and data integrity failures | Code and infrastructure that do not protect against integrity violations: plugins, libraries, or modules pulled from untrusted sources without verification, CI/CD pipelines that can be tampered with, auto-update mechanisms without signature checks, and deserialization of untrusted data. A threat actor can then make unauthorized changes to the software or data, such as introducing malicious code. | The SolarWinds case is the best-known example. Attackers inserted malicious code into the build of the Orion product, which had about 33,000 customers including large corporations and government agencies. The trojanized update was signed with SolarWinds’ own certificate and delivered through the normal update channel, and roughly 18,000 customers installed it. | Failure to verify the source and integrity (signatures, checksums) of software and data; failure to check new components for vulnerabilities; build pipelines without access control. | – |
| 9. Security logging and monitoring failures | Security-relevant events (logins, failed logins, access-control failures, high-value transactions) are not logged, or logs are not monitored and alerted on. Without this, suspicious activity is not detected promptly and the root cause of a breach cannot be reconstructed. | An illustrative scenario rather than a reported incident: a hospital’s electronic health records system is breached because the security team never configured proper logging and monitoring. An insider accesses and steals patient records, and the breach goes unnoticed until the data surfaces on the dark web. | – Auditable events not logged. – Suspicious activity not monitored in application or API logs. – Logs stored only locally, so they are easy to lose or tamper with and there is no holistic view of the application’s security. | Prolonged data breaches, when attacks or malicious activity go undetected for an extended period. |
| 10. Server side request forgery (SSRF) | The application fetches a remote resource from a user-supplied URL without validating it. A malicious user crafts the URL so that the server sends a request to an unintended destination: internal services, localhost, or cloud metadata endpoints, even behind a firewall or VPN. | The cloud security company Orca Security discovered several SSRF vulnerabilities in Azure services with minimal effort. Microsoft fixed the flaws. | – Poor user input validation: the app does not validate URL structure, restrict URL schemes, or enforce a host allowlist. – HTTP redirects are followed, so attackers can redirect the server to internal resources. – Raw responses from the fetched resource are returned to the client. | Port scanning of internal services, reading cloud instance metadata and credentials, and reaching entry points into the internal network. |
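The factors listed in the SSRF row translate directly into a validation routine for outbound requests. The following Python is an added example written for this article and is not code from OWASP, Orca Security, or Gcore; the `FAKE_DNS` table and `fake_resolve` hook are constructed so the check runs offline, and `validate_outbound_url` and `is_public_ip` are hypothetical names.

```python
"""Outbound-URL validation against SSRF.

Added example, not code from the original article. `resolve` is a
hypothetical hook so the check runs offline; in production pass a
socket.getaddrinfo-based resolver and connect to the *validated* IP
rather than re-resolving the hostname, to defeat DNS rebinding.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Ranges the ipaddress flags do not cover: carrier-grade NAT space.
# (Cloud metadata, 169.254.169.254, is link-local and already blocked.)
EXTRA_DENY = [ipaddress.ip_network("100.64.0.0/10")]

# Constructed DNS table standing in for a real resolver.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.evil": ["93.184.216.34", "127.0.0.1"],  # one answer is loopback
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_public_ip(ip):
    addr = ipaddress.ip_address(ip)
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    if any(addr in net for net in EXTRA_DENY):
        return False
    # ::ffff:127.0.0.1 style addresses: judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return is_public_ip(str(addr.ipv4_mapped))
    return True


def validate_outbound_url(url, resolve=fake_resolve, allowed_hosts=None):
    """Return (ok, reason, pinned_ip). pinned_ip is the address to connect to."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme, None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if parts.username or parts.password:
        return False, "credentials in URL", None
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host %r not in allowlist" % host, None
    # Literal IP (including bracketed IPv6) is checked directly;
    # anything else is resolved and every answer is checked.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host %r does not resolve" % host, None
    for a in addrs:  # a single internal answer (rebinding, split DNS) rejects
        if not is_public_ip(a):
            return False, "%s resolves to non-public address %s" % (host, a), None
    return True, "ok", addrs[0]


if __name__ == "__main__":
    for u in ["http://example.com/", "http://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd", "http://rebind.evil/", "http://[::1]/"]:
        print(u, "->", validate_outbound_url(u))
```

The pinned IP it returns is the address the HTTP client should actually connect to, with redirects disabled and the Host header set to the original name; re-resolving the hostname at connect time reopens the rebinding window that the `rebind.evil` entry illustrates. Checking the hostname string alone is not enough either: `http://127.1/`, decimal forms such as `http://2130706433/`, and IPv4-mapped IPv6 addresses all reach loopback once resolved, which is why the check is applied to resolved addresses.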
General OWASP Top 10 Causes and Implications
As well as the risk-specific implications in the table above, there are a number of causes and implications of the OWASP Top 10 that are relevant across the list.
General Causes
- Application complexity: Extensive functionality and many interdependent components make it easy for developers to overlook a security risk in one of them.
- Insufficient testing: If security testing is too shallow or too infrequent, vulnerabilities are missed. Examples include relying only on automated scanners without manual code review or penetration testing, or testing an app less than once a year.
- Rapid development: When an app is built under unusual time pressure, some vulnerabilities may not be adequately addressed.
General Business Consequences
- Reputation and financial loss: Assuming they become public—as they almost certainly will—data breaches resulting from OWASP Top 10 vulnerabilities can damage a company’s reputation and lose customers’ trust. A natural result is financial loss, as customers take their business elsewhere.
- Legal ramifications: Lawsuits may occur when affected users seek damages.
- Compliance violations: If your business is subject to regulatory requirements such as HIPAA or PCI DSS, having OWASP Top 10 vulnerabilities in your app can lead to compliance violations. The Top 10 list intersects with these standards. For example, if personal health information is compromised, HIPAA compliance is violated, which means you are liable for financial penalties.
- Downtime: System disruption and downtime may result when a breach occurs, and loss of service means loss of revenue and a damaged reputation as your customers turn to competitors.
How to Test Your App for OWASP Top 10 Vulnerabilities
Let’s explore the most common ways to test your software for these top app security risks. To test for the whole OWASP Top 10 effectively, you should implement all three methods. Here, we list the testing methods from the most basic to the most advanced.
Automated Scanners: SAST and DAST
Both static application security testing (SAST) and dynamic application security testing (DAST) are automated vulnerability scanners. SAST analyzes source code (or bytecode) without running it, so it fits in the IDE and the CI pipeline during development, and it flags insecure coding patterns such as user input flowing into a query, weak algorithms, or hard-coded secrets. Most SAST solutions can test your application for these OWASP Top 10 categories:
- Injection flaws
- Cryptographic failures (weak algorithms, hard-coded keys, disabled certificate checks)
- Identification and authentication failures (a limited subset only)
- Software and data integrity failures (for example, deserialization of untrusted data)
Vulnerable and outdated components are found by software composition analysis (the dependency scanners covered later in this article), which many SAST suites bundle but which is a separate technique.
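To make concrete what a static scanner matches against, here is a deliberately small SAST-style pass in Python, added for this article and not the engine of any real product. Commercial SAST tools parse the code and track data flow from input sources to dangerous sinks; this version only pattern-matches lines. The `RULES` table, the `scan_source` function, and the `SAMPLE` source are all constructed for the example.

```python
"""Minimal SAST-style pattern scan over source text.

Added example, not the article's code and not how a real SAST engine works:
real tools build an AST and track data flow from sources to sinks. This
regex pass only shows the kind of sink and constant each rule targets.
RULES and SAMPLE are constructed for the example.
"""
import re

# (rule id, OWASP 2021 category, compiled pattern, message)
RULES = [
    ("sql-concat", "A03 Injection",
     re.compile(r"\.execute\(\s*(f['\"]|['\"].*['\"]\s*[+%])"),
     "SQL built from a formatted or concatenated string; use a parameterized query"),
    ("shell-true", "A03 Injection",
     re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
     "shell=True with a dynamic command string allows OS command injection"),
    ("weak-hash", "A02 Cryptographic Failures",
     re.compile(r"hashlib\.(md5|sha1)\("),
     "MD5/SHA-1 are unsuitable for passwords or integrity of untrusted data"),
    ("tls-noverify", "A02 Cryptographic Failures",
     re.compile(r"verify\s*=\s*False"),
     "TLS certificate verification disabled"),
    ("hardcoded-secret", "A02 Cryptographic Failures",
     re.compile(r"(?i)(password|secret|api_key|token)\s*=\s*['\"][^'\"]{8,}['\"]"),
     "credential or key hard-coded in source"),
    ("debug-on", "A05 Security Misconfiguration",
     re.compile(r"\bDEBUG\s*=\s*True\b"),
     "debug mode enabled in application settings"),
]


def scan_source(text, filename="app.py"):
    """Return findings as (filename, line_no, rule_id, category, message)."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue  # skip comments; a real tool also skips string literals
        for rule_id, category, pattern, msg in RULES:
            if pattern.search(line):
                findings.append((filename, no, rule_id, category, msg))
    return findings


def rule_ids(findings):
    return sorted({f[2] for f in findings})


# Constructed sample input with several deliberate weaknesses and one
# correct (parameterized) query at the end that must not be flagged.
SAMPLE = '''
import hashlib, subprocess, requests
DEBUG = True
API_KEY = "sk_live_0123456789abcdef"

def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cur.fetchone()

def hash_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)

def fetch(url):
    return requests.get(url, verify=False)

def safe_find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cur.fetchone()
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print("%s:%d [%s] %s: %s" % f)
```

The parameterized query in the last function is correctly left alone, but a rule set this simple still misses a query assembled into a variable on one line and executed on the next. That is exactly the gap data-flow analysis closes, and why the article pairs scanners with manual review.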
DAST tools test a running application from the outside, with no access to the source code, by sending crafted inputs and observing how the application responds. Companies use DAST in both testing and production environments. Because DAST sees only the deployed surface, it finds what an attacker can reach but cannot point to the line of code responsible. With DAST, you can test your app for:
- Injection
- Security misconfiguration (with limited capacity: exposed admin interfaces, verbose error pages, missing security headers)
- Identification and authentication failures
- Broken access control (only when the scanner is given credentials for several roles and can compare what each can reach)
- Server-side request forgery, where the scanner controls an external callback endpoint to detect the forged request
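What a DAST probe for injection actually exercises, as an added example that is not code from the original article or from any product mentioned in it: the vulnerable query beside its parameterized fix, both run against a constructed in-memory SQLite table, plus a hypothetical `probe` helper that sends two classic payloads and reports any that change the result set.

```python
"""SQL injection: vulnerable query beside its parameterized fix.

Added example, not the article's code. Uses an in-memory SQLite database
with constructed rows; the payloads are the tautology and UNION probes a
DAST scanner sends to login and search fields.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
                    [("alice", "h1"), ("bob", "h2"), ("carol", "h3")])
    return con


def find_user_vulnerable(con, name):
    # Untrusted input spliced into the statement: the A03 pattern.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def find_user_safe(con, name):
    # Placeholder binding: the driver passes the value separately from the
    # statement, so quotes inside `name` are data, never SQL syntax.
    return [row[0] for row in
            con.execute("SELECT name FROM users WHERE name = ?", (name,))]


PAYLOADS = [
    "' OR '1'='1",                             # tautology: returns every row
    "x' UNION SELECT pw_hash FROM users --",   # exfiltration via UNION
]


def probe(lookup, con):
    """DAST-style check: return {payload: rows} for every payload whose
    result differs from a benign lookup. Empty dict means no injection seen."""
    baseline = lookup(con, "nosuchuser")
    hits = {}
    for p in PAYLOADS:
        try:
            rows = lookup(con, p)
        except sqlite3.Error as e:  # a syntax error is also a signal
            rows = ["<error: %s>" % e]
        if rows != baseline:
            hits[p] = rows
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(find_user_vulnerable, db))
    print("safe:      ", probe(find_user_safe, db))
```

The fix is not escaping the quote but moving the value out of the statement entirely; the same rule applies to OS commands (argument lists instead of `shell=True` strings) and to any other interpreter the application feeds.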
Secure Code Review
Secure code review is the part of the code review process in which reviewers manually inspect the source code for security flaws. A human reviewer can check for the OWASP Top 10 issues that automated tools cannot fully test, such as business logic errors and design flaws. The method is most effective when combined with automated scanners (SAST and DAST). It is conducted during development and with every major application update, ideally with every new feature and code change.
Secure code review allows you to check for these OWASP Top 10 flaws:
- Broken access control
- Injection flaws
- Cryptographic failures
- Identification and authentication failures
Penetration Testing
Web application penetration testing (pen testing) involves simulating an attack on an application. Pen testing allows you to test for all OWASP Top 10 issues. The method isn’t a substitute for the methods discussed above. However, it allows you to get the most comprehensive and accurate information about OWASP Top 10 flaws in your application.
Ideally, you should invest in a web application penetration testing service during the testing stage of your software development to identify all vulnerabilities early on. After a critical application is in production, we recommend pen testing it with every major update or even more often, depending on your risk tolerance.
How to Mitigate OWASP Top 10 Risks
To decrease OWASP Top 10 risks, start with these general application security best practices that apply to the list as a whole.
Educate Your Development Team
Many OWASP Top 10 vulnerabilities arise because the development team hasn’t implemented certain security measures in an app code. Security isn’t developers’ main focus, so they may consider it extra work that will go unnoticed, or they might not be up to date on best practices.
Upskilling your team with an OWASP-specific course is a good first step on the way to diminishing OWASP Top 10 risks. When choosing a training solution make sure that the OWASP Top 10 course:
- Is engaging, relevant to your specific projects, and actionable, so that your developers can implement the learnings right away.
- Clearly and credibly explains the importance of secure coding for developers’ work.
Conduct training regularly, since new vulnerabilities, secure coding practices, and tools continuously arise.
Motivate Developers To Implement Secure Coding Practices
After training, your goal as a manager is to enable change in your development team’s working routine. Here is what you can do about it:
- Involve internal or external security experts to help developers prioritize which vulnerabilities to fix first.
- Develop and support security champions—team members who are application security enthusiasts.
- Make application security a factor in assessing the development team’s performance.
- Integrate security testing into developer workflows.
Prioritize The Risks For Your Specific Case
The OWASP Top 10 is ordered by risk across the industry, but each company’s priorities differ, and you want to fix first the flaws that are most critical to you. For example, a broken access control flaw in an application reachable only from the corporate network may rank below an injection flaw in your public checkout, even though access control tops OWASP’s list; bear in mind, though, that insiders and attackers who already have a foothold can reach internal applications too. Here’s how to prioritize OWASP Top 10 flaws for your company:
- Take the list of vulnerabilities you found during testing for OWASP Top 10.
- Identify vulnerabilities that affect key business processes, mission-critical systems, or sensitive data.
- Rank them by exploitability (how easily an attacker could reach and trigger the flaw through your existing controls) and by the damage a successful exploit would do.
- Take into account a vulnerability category position in the OWASP Top 10 list.
Use Application Security Tools
Using security tools decreases human errors and makes it easier for your development team to achieve a good level of application security. Here are the tool types we recommend using.
- A web application firewall (WAF) filters traffic to the application and blocks suspicious requests or known attack patterns. For example, a WAF can reduce injection risk by blocking requests that carry malicious inputs. Treat it as a compensating control that buys time: it does not fix the vulnerable code, and payload variations can slip past signature-based rules.
- Security libraries help developers implement secure coding practices without reinventing the wheel. They are prebuilt software components with built-in security measures. They include input validation libraries, access control libraries, and authentication libraries.
- Dependency scanners check for common vulnerabilities in open-source components of your application. Such solutions review your application for vulnerable components based on updated threats and scan newly added components for known vulnerabilities.
- Configuration management (CM) tools help to ensure that machines, software packages, and updates are configured and installed correctly. CM tools may also provide version control and change control.
Continuously Test Your Software
Test your application at multiple points during the development cycle and after each major software update as a minimum. The precise testing frequency depends on your business’ risk tolerance, development practices, application complexity, regulatory requirements, and the evolving threat landscape.
Conclusion
Addressing the OWASP Top 10 (and other security frameworks) is the foundation of application security. However, the list does not cover every class of vulnerability and is updated only every 3–4 years, while new attack techniques appear far more often. Your business and application specifics determine exactly how you address each category, and this guide is a starting point for bringing your web app in line with the list.
To protect your business more fully, save money, and prioritize risks effectively, consider outsourcing your web application security to experts. The Gcore penetration testing team can help you identify priority risks for your organization, including and beyond the OWASP Top 10, and our WAAP product (Web Application Firewall and API Protection) helps mitigate attacks against your applications and APIs.