
What is the OWASP Top 10?

by Iwan Price-Evans on Security • March 22, 2022

The OWASP Top 10 provides web application developers and security professionals an insight into the most widespread security risks. This is an awareness document that is published annually by the Open Web Application Security Project (OWASP). 

What is OWASP?

OWASP is a non-profit organization that works to help developer communities ensure their applications are secure. It has published the Top 10 since 2003.

The OWASP Top 10 isn't a standard; it's a reference document that describes the most critical security concerns developers should be aware of when securing web applications.

The document is created by a team of security experts who collate and analyze security information from a wide range of organizations.

The purpose of the Top 10 is for organizations to incorporate the findings into their business and development processes to mitigate security risks.

Any individual or organization can contribute to the OWASP Top 10 project, and this global contributor base is what makes it so useful: the data analyzed comes from sources around the world.

What is the OWASP Top 10 used for?

Identified security risks and vulnerabilities are ranked by frequency of discovery, severity, and the size of their potential impact.

The Top 10's key benefit is that it contains actionable information for application developers. Many organizations use this security checklist as part of their development process.

Many compliance frameworks, such as ISO standards, expect the OWASP Top 10 to be addressed. Compliance auditors will often assess a technology product or implementation and check whether the OWASP Top 10 risks have been addressed. If not, they will consider this a failure to meet their required security standards.

Are there different types of OWASP Top 10?

OWASP produces a Top 10 document for web applications and a separate Top 10 document that lists similar risks and vulnerabilities relating to application programming interfaces (APIs). The web application Top 10 identifies its risks with codes A01 to A10; the API Security Top 10 uses codes API1 to API10. Listed vulnerabilities can remain on the lists or change from one edition to the next.

Web application vulnerabilities can include risks such as:

  • Cross-site Scripting (XSS)
  • Broken Access Control
  • Sensitive Data Exposure
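To make the first item concrete, here is an added example (not code from the OWASP project or from this page) showing the defect behind Cross-site Scripting and the fix the Top 10 entry recommends: encoding untrusted data at the point where it is written into HTML. The comment text is a constructed sample input; the function names are my own.

```javascript
// Added example: an XSS-prone template beside one that encodes untrusted
// data on output. Not part of the original page.

// Vulnerable: untrusted input is concatenated straight into markup, so any
// tags it contains are interpreted by the browser.
function renderCommentUnsafe(author, text) {
  return `<li><b>${author}</b>: ${text}</li>`;
}

// Encode the characters that carry meaning in an HTML text or attribute
// context. This is the minimal output-encoding step; a real project would
// normally rely on its templating engine's auto-escaping instead.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: every untrusted value is encoded before it reaches the page.
function renderCommentSafe(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// Constructed sample: a comment body containing a script tag.
const sampleAuthor = "eve";
const sampleText = "<script>alert('xss')</script>";

// Quick self-check when run directly: the unsafe version passes the tag
// through verbatim, the safe version turns it into inert text.
function demo() {
  return {
    unsafe: renderCommentUnsafe(sampleAuthor, sampleText),
    safe: renderCommentSafe(sampleAuthor, sampleText),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}

module.exports = { renderCommentUnsafe, escapeHtml, renderCommentSafe, demo };
```

The point of the comparison is that the vulnerability lives in the rendering step, not in the input: validating input helps, but the reliable control is encoding every untrusted value for the context it is emitted into.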

Most modern web applications use APIs in some form and, by nature, these expose application logic and data.

The OWASP API Security Top 10 is focused on identifying and mitigating security risks and vulnerabilities that apply to APIs. API-specific security risks may include problems such as:

  • Broken User Authentication
  • Excessive Data Exposure
  • Security Misconfiguration
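The middle item, Excessive Data Exposure, is the API-specific risk that is easiest to show in code. The following is an added example (not from this page or from OWASP) of an endpoint that serialises a whole database record versus one that projects an explicit allowlist of fields; the user record, field names and helper names are all constructed for illustration.

```javascript
// Added example: Excessive Data Exposure in an API response, and the
// allowlist projection that prevents it. Not part of the original page.

// Constructed sample record, shaped like what an ORM might hand back.
const userRecord = {
  id: 42,
  username: "alice",
  email: "alice@example.com",
  passwordHash: "$2b$12$PLACEHOLDER-not-a-real-hash",
  ssn: "000-00-0000",
  isAdmin: false,
};

// Vulnerable: returns every column and relies on the client to hide the
// rest. Anyone calling the API directly sees the full record.
function publicProfileUnsafe(user) {
  return JSON.stringify(user);
}

// Fields the public-profile endpoint is allowed to reveal. A column added to
// the schema later stays hidden until someone adds it here deliberately.
const PUBLIC_PROFILE_FIELDS = ["id", "username"];

// Copy only the named fields into a fresh object.
function pick(obj, fields) {
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(obj, f)) out[f] = obj[f];
  }
  return out;
}

// Hardened: the response is built from the allowlist, never from the record.
function publicProfileSafe(user) {
  return JSON.stringify(pick(user, PUBLIC_PROFILE_FIELDS));
}

// Check usable in a unit test or CI gate: which keys in a JSON response are
// not on the allowlist for that endpoint?
function leakedFields(json, allowed) {
  return Object.keys(JSON.parse(json)).filter((k) => !allowed.includes(k));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe leaks:", leakedFields(publicProfileUnsafe(userRecord), PUBLIC_PROFILE_FIELDS));
  console.log("safe leaks:", leakedFields(publicProfileSafe(userRecord), PUBLIC_PROFILE_FIELDS));
}

module.exports = { userRecord, publicProfileUnsafe, publicProfileSafe, PUBLIC_PROFILE_FIELDS, pick, leakedFields };
```

The `leakedFields` helper is the part worth keeping: run it against each endpoint's responses in tests so that a new column in the data model cannot silently start appearing in an API response.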

Both the Top 10 and the API Top 10 list their risks in order of importance. For each risk, the entry gives an overview of the vulnerability, a full description, guidance on how to prevent it, and scenarios or examples of how it may occur. Each entry is also rated on how easy the vulnerability is to exploit, how easy it is to detect, and what the business impact might be.

Vulnerabilities are also linked to the Common Weakness Enumeration (CWE) index. Any CWE that is applicable to the identified vulnerability is listed in the related Top 10 or API Top 10 entry.

The current OWASP Top 10s can be found at the respective OWASP project sites:

OWASP Top 10

OWASP API Security Top 10