Products
Edge AI
AI Training
GPU Cloud
GPU CloudBoost AI/ML training with servers powered by NVIDIA
AI Applications
Image Generator
Image GeneratorCreate realistic and stunning images with ease
Speech-to-Text Translator
Speech-to-Text TranslatorTranslate from English to Luxembourgish seamlessly
Edge Cloud
Compute
Basic VMs
Basic VMsManage workloads on affordable shared virtual servers
Virtual Machines
Virtual MachinesRun apps on customizable dedicated virtual servers
Bare Metal
Bare MetalDeploy apps on powerful dedicated physical servers
Containers
Managed Kubernetes
Managed KubernetesDeploy, manage, and scale Kubernetes clusters easily
Container as a Service
Container as a ServiceRun containerized apps without server provisioning
Function as a Service
Function as a ServiceExecute serverless code functions efficiently
Networking
Load Balancer
Load BalancerRoute traffic optimally to improve app performance
5G Network
5G NetworkDeploy apps and securely connect mobile devices via 5G
Virtual Private Cloud
Virtual Private CloudManage resources in a secure isolated private cloud
Hosting
Virtual Servers
Virtual ServersHost on virtual servers with no traffic restrictions
Dedicated Servers
Dedicated ServersHost on physical servers with worldwide availability
Storage
Object Storage
Object StorageStore data in fast and scalable S3-compatible storage
File Shares
File SharesShare files across servers easily using NFS protocol
Databases
Managed PostgreSQL
Managed PostgreSQLProvision fully managed PostgreSQL databases with ease
Monitoring
Managed Logging
Managed LoggingCollect, store, and analyze application logs
About Edge Cloud
Edge Network
Application Performance
CDN
CDNAccelerate dynamic and static content delivery
FastEdge
FastEdgeDeploy serverless apps with low-latency edge computing
Media Delivery
Video Streaming
Video StreamingDeliver high-quality live and on-demand video at scale
DNS
Managed DNS
Managed DNSEnsure application availability with authoritative DNS
Public DNS
Public DNSProtect online privacy with a free DNS resolver
About Edge Network
Edge Security
Network Security
DDoS Protection
DDoS ProtectionProtect your infrastructure from evolving DDoS attacks
Application Security
Web Application Security
Web Application SecuritySafeguard web resources against attacks and threats
WAAP
WAAPSecure apps and APIs from DDoS, bots and OWASP attacks
Solutions
By Industry
Gaming
CDN for Gaming
Game Server Protection
Game Development
Retail
CDN for E-commerce
Media & Entertainment
CDN for Video
Metaverse Streaming
TV & Online Broadcasters
Sport Broadcasting
Online Events
Financial Services
Cloud for Financial Services
Technology
Image Optimization
Web Acceleration
Wordpress CDN
Education
AI Universities
Online Education
By Need
Web Acceleration
Web Acceleration
Image Optimization
Wordpress CDN
Security
Game Server Protection
Video Streaming
CDN for Video
Video Hosting
Live Streaming
Video Calls
Availability
Multi-CDN
Cloud
Web Service
Game Development
Online Store
Migration to the Cloud
ERP in the Cloud
Pricing
Resources
Resources
Blog
Customer Stories
White Papers
Events
Documentation
Docs
API
Product Roadmap
Help Center
Tools
Looking Glass
Speed Test
Developer Tools
Gcore Status
Partners
Partners
Intel
Intel | New CPU Generation
Intel | Ice Lakes
Hesp
Equinix
InData Labs
Ampere
Unum
Programs
White Label Program
Referral Program
Why Gcore
Company
About Gcore
Press
Awards
Careers
Platform
Network
Infrastructure
Internet Peering Points
Compliance
Legal Information
Under attack?Under attack?
en
Contact usContact us
Contact us

Select the Gcore Platform

Recommended
Gcore Edge Solutions Go to Gcore Platform → Go to Gcore Platform →

Products:

  • Edge Delivery (CDN)
  • DNS with failover
  • Virtual Machines
  • Bare Metal
  • Cloud Load Balancers
  • Managed Kubernetes
  • AI Infrastructure
  • Edge Security (DDOS+WAF)
  • FaaS
  • Streaming
  • Object Storage
  • ImageStack (Optimize and Resize)
  • Edge Compute (Coming soon)
Show full list
Gcore Hosting Go to Gcore Hosting →
  1. Home
  2. Learning
  3. What Is OWASP and What Is the OWASP Top 10?

What Is OWASP and What Is the OWASP Top 10?

October 11, 2023 11 min read
What Is OWASP and What Is the OWASP Top 10?

The OWASP (Open Web Application Security Project) Top 10 is a list of the most critical and widespread application security risks, chosen by top security experts based on data from hundreds of thousands of applications. In this article, you’ll learn how to use the OWASP Top 10 to protect your web app from cyberthreats, how to test for these vulnerabilities, and how to avoid the OWASP Top 10 vulnerabilities.

What Is the OWASP Top 10? Why Does It Matter?

The OWASP Top 10 is a list of today’s ten most critical and widespread web app security risks. Top security experts update the list every few years based on data from hundreds of thousands of applications. Each risk includes a description, vulnerability examples, attack examples, guidance on how to avoid them, and references to more detailed resources. Public-facing applications were the most common initial attack vector in 2022, and almost 70% of applications have flaws that fall under the OWASP Top 10, meaning that most apps have cybersecurity flaws that could be remedied by paying attention to the OWASP Top 10.

The OWASP Top 10 isn’t the only application security framework—there are others more advanced and industry specific, such as ISO/IEC 27001 and NIST Cybersecurity Framework—and it’s not comprehensive, since it addresses only the most common vulnerabilities. But the OWASP Top 10 list is a good place to start with your application security program, since it covers the most common and dangerous vulnerabilities that you should fix first.

What the OWASP Top 10 list looks like on the OWASP website

How Are the OWASP Top 10 Selected?

To choose and prioritize the top security risks, OWASP experts rely on two sources of information and go through the following steps.

  1. A call for data is publicized through social media channels.
  2. Security companies submit their data.
  3. Vulnerabilities are categorized based on their root cause.
  4. The OWASP team selects eight top risk categories based on incidence rate.
  5. Eight categories are ranked in order of risk based on generalized factors for exploitability and technical impact.
  6. Seasoned security practitioners are surveyed to identify the last two risks.
  7. The process is repeated every three to four years.

As mentioned, the OWASP Top 10 updates every 3-4 years. Here is what had changed in the last review of the list in 2021. The dotted arrows illustrate vulnerabilities that became a part of another related category. Solid arrows indicate a risk’s shift in priority ranking position. There are also three new risk categories.

OWASP Top 10 recent changes compared to the previous versions
Recent changes to the OWASP Top 10

How Businesses Use OWASP Top 10

Businesses can use the OWASP Top 10 in a number of ways to improve their web app security stance.

  • Awareness: OWASP Top 10 informs a broad audience including non-technical staff and executives. It allows developers, security experts, and managers to be on the same page about web app security priorities.
  • Training: OWASP Top 10 can be a training core for developers, security professionals, and other technical staff involved in software development.
  • Prioritization: OWASP Top 10 highlights which application security areas a business should fix first. By identifying the top risks from the list for your company, you’ll be empowered to allocate your resources appropriately.
  • Software development: The OWASP Top 10 is used in almost every stage of the software development cycle:
    • During the design phase, to ensure a team implements baseline security practices
    • In the software-development supply chain, to ensure the security of third-party components and services used to develop an application
    • As a checklist for secure code review
    • As a reference for unit testing, integration testing, and penetration testing
  • Security compliance: Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry Data Security Standard (PCI DSS)-compliant organizations use the OWASP Top 10 as a checklist to measure the application security level of their partners.
  • Contractor requirements. Some companies include the OWASP Top 10 list in contractor requirements. For example, you can set security expectations for a software development company.
  • Hiring. Companies may employ the OWASP Top 10 to assess the candidate’s security knowledge.

The OWASP Top 10 List Overview

To better understand how the OWASP Top 10 vulnerabilities relate to your web application and how they can impact your business, let’s walk through each category.

RiskRisk explanation ExampleFactorsSpecific consequences (general below)
1. Broken access controlIneligible users can access resources or perform actions for which they don’t have permission. In the worst case scenario, the threat actor can modify a website’s content or take over the entire website.Various WordPress plugins are susceptible to this type of attack. Successful exploitation allows a hacker to take over a site with this or that plugin enabled.– Inadequate implementation of authentication and authorization controls that doesn’t correspond with potential risks for your specific business case. – Adding unverified third-party components to your software.- Outdated access control mechanisms, such as static permissions or single authentication point.
2. Cryptographic failuresCryptography protects your data by converting it into an unreadable and secure form. When the cryptography process fails, attackers can access your data.An example of this is one of the LastPass 2022 attacks. Some of their source code and technical information was stolen from their development environment. The hacker used the information to target an employee, obtained credentials and keys to decrypt some storage volumes, and accessed basic customer account information.– Outdated cryptographic algorithms; for example, Triple DES (Data Encryption Algorithm.) You can check for cryptographic algorithms’ updates on the NIST (National Institute of Standards and Technology) website. – Implementation of outdated key management practices (encryption keys that are not securely generated, stored, or protected.)- Use of default or weak keys, meaning they aren’t long and complex enough to resist brute-force attacks.- Unprotected communication channels e.g., HTTP instead of HTTPS.
3. Injection vulnerabilitiesA web application fails to filter, sanitize, or validate users’ commands or added data. Threat actors use such attacks to access sensitive data, manipulate the application’s behavior, or perform unauthorized actions.In spring 2023 attackers were able to install a web shell on the MOVEit Transfer application via SQL injection vulnerability and extract all data contained on the app.Poor user input validation that doesn’t correspond to best practices. For example, an application that allows users to upload files without checking file types.
4. Insecure designThe usage of code patterns and features that are insecure by default. For example, lack of input validation or embedding credentials (e.g., usernames, passwords, API keys) directly within the source code.A cinema chain provides discounts for group bookings accommodating up to fifteen individuals. Exploiting this vulnerability, malicious individuals could attempt to secure all available cinema seats in just a few clicks. When a website allows numerous reservations without mandating a deposit or credit card details, it becomes susceptible to significant revenue loss over time.Not all of the necessary application’s security controls are implemented throughout the software development process.– Limited business growth. Potential clients and partners may have concerns about a company’s security posture.

– Higher cost of remediation. To fix a vulnerability you might need fundamental changes.
5. Security misconfigurationThese arise from an insecurely configured application stack. Default account passwords, unnecessary features, and insecure settings in application frameworks and libraries are all potential openings for an attack.Users of Apache Tomcat, an open-source Java application server, had default username and password credentials. Threat actors targeted this misconfiguration and gained control over the server to spread Marai botnet malware.
A lack of knowledge about how to securely configure software used with an application. For example, failure to use configuration best practices for specific software.
6. Vulnerable and outdated componentsUsing outdated and/or unsupported software, tools, libraries, frameworks, and infrastructure. Hackers can use such components’ flaws to enter your perimeter.Open-source libraries are widespread because they increase go-to-market speed. However, they are often subject to attacks—hackers can reach multiple applications at once. Failing to timely update a library (which might be embedded in the core of your app) will result in a high risk of being hacked.A company doesn’t have a system and tools to monitor new versions of components they are using and those that are no longer updated.
7. Identification and authentication failuresWeak login and access control mechanisms. For instance, if a system accepts easy-to-guess passwords and lacks multi-factor authentication, it can lead to unauthorized access to users’ accounts and data breaches.In the 2023 Norton Life Lock case, over 6,000 accounts were breached due to staffing, meaning that users used the same passwords as in other systems with which they are registered. The company offered their users multi-factor authentication as an option, but it wasn’t obligatory.Insufficient identification and authentication mechanisms, like failing to implement specific authentication requirements for the relevant app type.– Users’ sensitive data stolen.

– Unauthorized transactions on the users’ behalf.
8. Software and data integrity failuresFailure to check the integrity and security of third-party components such as plugins, libraries, or modules. A threat actor can make unauthorized changes to the software or data, like introducing malicious code in an application.A high-profile example of the risk is SolarWinds case. Hackers added malicious code to one of their products used by 33,000 customers, including big corporations and government agencies. These malicious updates were sent to all clients.Failure to verify the source of software or data; failure to check new components for vulnerabilities.
9. Security logging and monitoring failuresFailure to track all activities within an application. Without proper monitoring, it becomes difficult to detect suspicious activities promptly or figure out the root cause of a breach and fix it. A hospital’s electronic health records system suffered a data breach because the security team failed to configure proper logging and monitoring. An insider accessed and stole patient records. The breach went unnoticed until the stolen data started surfacing on the dark web.– Auditable events not logged.

– Suspicious activity not monitored in application logs or API logs.

– Logs only stored locally, meaning it is easy to lose them and it’s impossible to gain a holistic view of the application’s security.		Prolonged data breaches, when attacks or malicious activities go undetected for an extended period.
10. Server side request forgery (SSRF) An application fetches data to the user without validating their URL request. A malicious user can send a crafted request to an unexpected destination in your system.A cloud security company Orca Security discovered numerous SSRF vulnerabilities in Azure with only minimal effort. Microsoft addressed the flaws.– Poor user input validation. For instance, an app doesn’t validate URL structure and restrict certain URL schemes; lacks URL whitelisting.

– Enabled HTTP redirections, so attackers may manipulate redirection URLs to access internal resources.

– A system allows raw responses from the server to the client.		Port scanning for vulnerable services or potential entry points into the network.

General OWASP Top 10 Causes and Implications

As well as the risk-specific implications in the table above, there are a number of causes and implications of the OWASP Top 10 that are relevant across the list.

General Causes

  • Application complexity: In complex apps, developers may unintentionally overlook some security risks. For example, multiple interdependencies and extensive functionality create such a risk.
  • Insufficient testing: Security testing needs to be sufficient or various vulnerabilities could be overlooked. Examples of insufficient testing include a company using only automated scanners without manual code review and penetration testing, or conducting testing on an app less than once a year.
  • Rapid development: If an app is developed unusually fast, certain vulnerabilities may not be sufficiently addressed.

General Business Consequences

  • Reputation and financial loss: Assuming they become public—as they almost certainly will—data breaches resulting from OWASP Top 10 vulnerabilities can damage a company’s reputation and lose customers’ trust. A natural result is financial loss, as customers take their business elsewhere.
  • Legal ramifications: Lawsuits may occur when affected users seek damages.
  • Compliance violations: If your business is subject to regulatory requirements such as HIPAA or PCI DSS, having OWASP Top 10 vulnerabilities in your app can lead to compliance violations. The Top 10 list intersects with these standards. For example, if personal health information is compromised, HIPAA compliance is violated, which means you are liable for financial penalties.
  • Downtime: System disruption and downtime may result when a breach occurs, and loss of service means loss of revenue and a damaged reputation as your customers turn to competitors. 

How to Test Your App for OWASP Top 10 Vulnerabilities

Let’s explore the most common ways to test your software for these top app security risks. To test for the whole OWASP Top 10 effectively, you should implement all three methods. Here, we list the testing methods from the most basic to the most advanced.

Automated Scanners: SAST and DAST

Both static application security testing (SAST) and dynamic application security testing (DAST) are automated vulnerability scanners. SAST is used during the development phase to review software code for common secure coding errors. Most SAST solutions can test your application for these OWASP Top 10 categories:

  • Injection flaws
  • Identification and authentication failures (limited vulnerabilities only)
  • Vulnerable and outdated components
  • Software and data integrity failures

DAST tools test a running application. Companies use DAST solutions in both testing and production environments. They attack software and document how it responds to malicious inputs. With DAST, you can test your app for:

  • Injection
  • Security misconfiguration (with limited capacity)
  • Identification and authentication failures
  • Broken access control
SAST and DAST to test for OWASP Top 10

Secure Code Review

Secure code review is a small part of the code review process whereby reviewers manually inspect the source code to identify application vulnerabilities. A human reviewer can check for those OWASP Top 10 issues that aren’t fully testable automatically, like logical problems and design flaws. This method is most effective when used in combination with automated scanners (SAST and DAST.) A secure code review is conducted during the development phase and during major application updates—ideally, with every new feature and code change. 

Secure code review allows you to check for these OWASP Top 10 flaws: 

  • Broken access control
  • Injection flaws
  • Cryptographic failures 
  • Identification and authentication failures

Penetration Testing

Web application penetration testing (pen testing) involves simulating an attack on an application. Pen testing allows you to test for all OWASP Top 10 issues. The method isn’t a substitute for the methods discussed above. However, it allows you to get the most comprehensive and accurate information about OWASP Top 10 flaws in your application.
Ideally, you should invest in a web application penetration testing service during the testing stage of your software development to identify all vulnerabilities early on. After a critical application is in production, we recommend pen testing it with every major update or even more often, depending on your risk tolerance.

How to Mitigate OWASP Top 10 Risks

To decrease OWASP Top 10 risks, start with these general application security best practices that apply to the list as a whole.

Educate Your Development Team

Many OWASP Top 10 vulnerabilities arise because the development team hasn’t implemented certain security measures in an app code. Security isn’t developers’ main focus, so they may consider it extra work that will go unnoticed, or they might not be up to date on best practices.

Upskilling your team with an OWASP-specific course is a good first step on the way to diminishing OWASP Top 10 risks. When choosing a training solution make sure that the OWASP Top 10 course:

  • Is engaging, relevant to your specific projects, and actionable, so that your developers can implement the learnings right away.
  • Clearly and credibly explains the importance of secure coding for developers’ work.

Conduct training regularly, since new vulnerabilities, secure coding practices, and tools continuously arise.

Motivate Developers To Implement Secure Coding Practices

After training, your goal as a manager is to enable change in your development team’s working routine. Here is what you can do about it:

  • Involve internal or external security experts to help developers prioritize which vulnerabilities to fix first. 
  • Develop and support security champions—team members who are application security enthusiasts.
  • Make application security a factor in assessing the development team’s performance.
  • Integrate security testing into developer workflows.

Prioritize The Risks For Your Specific Case

OWASP Top 10 is listed in risk-based order. However, each company’s security priorities may differ. You want to fix flaws that are most critical specifically to you. For example, despite broken access control being a top-ranking risk based on OWASP data, it will have lower priority for internal-only applications. Here’s how to prioritize OWASP Top 10 flaws for your company:

  1. Take the list of vulnerabilities you found during testing for OWASP Top 10. 
  2. Identify vulnerabilities that affect key business processes, mission-critical systems, or sensitive data.
  3. Rank them based on how easy it is to break through your controls.
  4. Take into account a vulnerability category position in the OWASP Top 10 list.

Use Application Security Tools

Using security tools decreases human errors and makes it easier for your development team to achieve a good level of application security. Here are the tool types we recommend using.

  • A web application firewall (WAF) filters software traffic and stops suspicious requests or potential attacks. For example, a WAF can prevent injection risks by blocking malicious inputs. Here is how it works, using Gcore WAF as an example:
How a web application firewall works
  • Security libraries help developers implement secure coding practices without reinventing the wheel. They are prebuilt software components with built-in security measures. They include input validation libraries, access control libraries, and authentication libraries.
  • Dependency scanners check for common vulnerabilities in open-source components of your application. Such solutions review your application for vulnerable components based on updated threats and scan newly added components for known vulnerabilities.
  • Configuration management (CM) tools help to ensure that machines, software packages, and updates are configured and installed correctly. CM tools may also provide version control and change control.

Continuously Test Your Software

Test your application at multiple points during the development cycle and after each major software update as a minimum. The precise testing frequency depends on your business’ risk tolerance, development practices, application complexity, regulatory requirements, and the evolving threat landscape.

Conclusion

Compliance with OWASP Top 10 (and other security frameworks) is the basis for application security. However, the OWASP Top 10 doesn’t cover all existing vulnerabilities and is updated only every 3–4 years, while new attack techniques come through far more frequently. Your business and application specifics will determine exactly how you ensure compliance with the OWASP Top 10, and this guide is a good starting point to ensuring your web app’s security corresponds with the list.

To protect your business fully, save money, and effectively prioritize risks, consider outsourcing your web application security to experts. The Gcore penetration testing team can help you identify priority risks for your organization including and beyond the OWASP Top 10, and our WAAP product (Web Application Firewall and API Protection) mitigates any and all security threats to your app.

Try for free

Table of contents

Try Gcore Web Security

Related articles

Choosing Between Edge AI and Cloud AI: The Best Strategy for Your Project
Choosing Between Edge AI and Cloud AI: The Best Strategy for Your Project
In today’s fast-paced technological environment, grasping the distinct functions and capabilities of Edge AI and Cloud AI is essential for...
May 6, 2024 6 min read
The Development of AI Infrastructure: Transitioning from On-Site to the Cloud and Edge
The Development of AI Infrastructure: Transitioning from On-Site to the Cloud and Edge
AI infrastructure—a backbone of modern technology—has undergone a significant transformation. Originally rooted in traditional on-premises setups, it has evolved toward...
April 26, 2024 9 min read
What is Managed Kubernetes
What is Managed Kubernetes
Managed Kubernetes services simplify the complexity of containerized environments, handling the entire lifecycle of Kubernetes clusters for businesses moving towards...
April 24, 2024 6 min read
Ways to Harm: Understanding DDoS Attacks from the Attacker’s View
Ways to Harm: Understanding DDoS Attacks from the Attacker’s View
Distributed denial-of-service (DDoS) attacks pose a significant challenge to digital security, aiming to overload systems with traffic and disrupt service....
April 19, 2024 8 min read
What Is a Data Breach and How Can It Be Prevented?
What Is a Data Breach and How Can It Be Prevented?
Data breaches are alarming incidents where unauthorized access to sensitive data jeopardizes the confidentiality, integrity, and availability of information. They’ve...
April 17, 2024 7 min read
Optimizing Costs for Container-as-a-Service Architectures Using Zero Scaling
Optimizing Costs for Container-as-a-Service Architectures Using Zero Scaling
In container-as-a-service (CaaS) architectures, balancing product performance and cost optimization hinges on eliminating unnecessary cloud expenditure. One method to reduce...
April 16, 2024 6 min read
What Is Machine Learning (ML) and Why Is It Important?
What Is Machine Learning (ML) and Why Is It Important?
Machine learning (ML) is a subset of artificial intelligence (AI) that transcends traditional programming boundaries. ML offers solutions to complex...
April 4, 2024 8 min read
How to Secure PCI DSS Compliance as a Business Owner
How to Secure PCI DSS Compliance as a Business Owner
Payment Card Industry Data Security Standard (PCI DSS) compliance is a set of mandatory practices for every business that processes credit...
April 3, 2024 7 min read

Subscribe and discover the newest
updates, news, and features

We value your inbox and are committed to preventing spam