OWASP 10 is not a distinct standard — it's a shortened way people write or search for "OWASP Top 10," and the real source of confusion is that OWASP publishes several different Top 10 lists for different contexts. The direct answer when someone asks about owasp 10 is that they almost certainly mean one specific list — most often the OWASP Top 10 for web applications — but there are now separate Top 10s for APIs, mobile, and large language model applications, and mixing them up leads teams to test against the wrong risk categories.
What is the original OWASP Top 10, the one most people mean?
The original and most widely referenced OWASP Top 10 is the Top 10 Web Application Security Risks, first published in 2003 and updated periodically (most recently 2021, with a new edition typically following a multi-year cycle) by the Open Worldwide Application Security Project, a nonprofit foundation. It ranks the most critical and common risk categories in web applications based on real-world data contributed by organizations and testing firms. The 2021 edition's categories include Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery. It's a risk-category list, not a line-by-line vulnerability checklist — each category covers a family of related weaknesses rather than one specific bug pattern.
Why do people write "OWASP 10" when they mean "OWASP Top 10"?
Most of the "owasp 10" search traffic is simply a dropped word — shorthand, autocomplete, or a typo for OWASP Top 10 — rather than a reference to any different or older list. There isn't a separate "OWASP 10" standard distinct from the Top 10; if a team's documentation or a vendor's marketing material references "OWASP 10" as if it were something else, it's worth clarifying which specific list (and which year's edition) they actually mean, since the category names and numbering do change between editions.
Which other OWASP Top 10 lists exist, and why does mixing them up matter?
OWASP maintains several purpose-specific Top 10 lists beyond the original web application one, and confusing them leads to testing the wrong things entirely:
- The OWASP API Security Top 10, covering risks specific to APIs (broken object-level authorization, excessive data exposure) that don't map cleanly onto the web application list's categories.
- The OWASP Top 10 for Large Language Model Applications, covering LLM-specific risks like prompt injection and insecure output handling — categories that didn't exist in any earlier list because the risk itself didn't exist until LLM applications became common.
- The OWASP Mobile Top 10, covering risks specific to mobile app security.
A team running only the classic web application Top 10 against an API-first product will miss broken object-level authorization entirely, because that risk category simply isn't in the web application list — it's a distinct category defined in the API-specific Top 10.
How should a team actually use the Top 10 in practice, rather than just citing it?
The Top 10 is best used as a coverage checklist for a testing program, not as a substitute for actual scanning. Concretely, that means mapping each category to a specific control: injection risks map to input validation and parameterized queries, checked by SAST; vulnerable and outdated components map directly to SCA scanning against dependency manifests; security misconfiguration maps to infrastructure and container configuration checks. Citing "we follow the OWASP Top 10" without a concrete testing program behind each category is a common compliance-checkbox failure mode — auditors increasingly ask for the mapping, not just the citation.
How does Safeguard's scanning map onto the Top 10 categories?
Safeguard's SCA scanning directly covers the Vulnerable and Outdated Components category, while SAST and DAST cover injection, broken access control, and security misconfiguration categories from both a code and runtime perspective. Teams building out a testing program around the Top 10 categories often use it as a starting checklist before layering in framework-specific requirements from the academy or a formal comparison of tooling options.
FAQ
Is "OWASP 10" a real, separate standard from the OWASP Top 10?
No. It's shorthand or a typo for OWASP Top 10 — there's no distinct standard by that name. Always confirm which specific Top 10 list (web, API, mobile, LLM) is actually meant.
How often is the OWASP Top 10 updated?
The web application list has been updated a handful of times since 2003, most recently in 2021, generally on a multi-year cycle based on new contributed data rather than a fixed annual schedule.
Does passing an OWASP Top 10 checklist mean an application is secure?
No. It means an application has been checked against ten broad risk categories — a useful baseline, not a guarantee. Plenty of serious vulnerabilities exist outside any Top 10 category, and each category itself covers a wide range of specific implementation flaws.
Is the OWASP API Security Top 10 a subset of the web application Top 10?
No, it's a separate list with different categories tailored to how APIs are actually attacked (object-level authorization, excessive data exposure, resource consumption) rather than a trimmed-down version of the web application list.