OWASP Top 10 report

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to your web applications.

The threat landscape for applications and APIs constantly changes. The key factors in this evolution are the rapid adoption of new technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace, the OWASP organization periodically updates the OWASP Top 10 report.

From AppScan Enterprise 10.0.7 onwards, the OWASP Top 10 2021 report is supported.

What's changed in the Top 10 for 2021

There are three new categories added, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021. Name changes were made to focus on the root cause over the symptom.

Table 1. Vulnerabilities in the OWASP Top 10 2021 report
2021 What changed from 2017
A01 Broken Access Control ⇧ Moves up from #5 as the category with the most serious web application security risk.
A02 Cryptographic Failures ⇧ Previously known as A3:2017-Sensitive Data Exposure, moves up from #3, focuses on failures related to cryptography as it has been implicitly before. This category often leads to sensitive data exposure or system compromise.
A03 Injection ⇩ Slides down from #1. A07:2017-Cross-site Scripting (XSS) is now a part of this category.
A04 Insecure Design (New) Newly added category that focus on risks related to design flaws.
A05 Security Misconfiguration ⇧ Moves up from #6. A4:2017-XML External Entities (XXE) is now a part of this category.
A06 Vulnerable and Outdated Components ⇧ Previously known as A09:2017-Using Components with Known Vulnerabilities, moves up from #9.
A07 Identification and Authentication Failures ⇩ Previously known as A02:2017-Broken Authentication, slides down from #2. This category now includes Common Weakness Enumerations (CWEs) that are more related to identification failures.
A08 Software and Data Integrity Failures (New) Newly added category that focus on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. A8:2017-Insecure Deserialization is now a part of this larger category.
A09 Security Logging and Monitoring Failures ⇧ Previously known as A10:2017-Insufficient Logging & Monitoring, moves up from #10. It is expanded to include more types of failures, is challenging to test for, and isn't well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
A10 Server-Side Request Forgery (SSRF) (New) Newly added category based on its importance reported by security community members.
⇧ ⇩ Indicates change in position (A0-A10) relative to the 2017 report.