Safeguard
AppSec

The OWASP Top 10, Explained: The Web App Risks That Matter Most

The OWASP Top 10 is the industry's reference list of the most critical web application security risks. Here is what each category means and how to defend against it.

Safeguard Team
Product
6 min read

The OWASP Top 10 is a regularly updated, community-driven list of the ten most critical web application security risks, published by the Open Worldwide Application Security Project as the de facto starting point for any AppSec program. It is not a compliance checklist and it is not exhaustive, but it captures the categories responsible for the majority of real-world web breaches. This guide walks the current 2021 edition category by category, explaining what each one means and how to defend against it.

What the OWASP Top 10 is and is not

The list is built from data contributed by security firms and organizations worldwide, combined with an industry survey to catch emerging risks that data alone lags behind on. Each entry is a category of related weaknesses, not a single bug. The 2021 revision reorganized several entries around root causes rather than symptoms, which is why some names sound broader than they used to.

Treat it as a prioritization aid and a shared vocabulary, not a certification. Covering all ten does not make an application secure; missing several of them almost guarantees it is not.

The ten categories

Here is the current list, with what each one actually means in practice.

A01: Broken Access Control. This moved to the top spot because it is both common and damaging. It covers any failure that lets a user act outside their intended permissions: viewing another user's records by changing an ID in the URL (insecure direct object reference), reaching admin functions without admin rights, or tampering with a JWT to elevate privileges. Defend it by enforcing authorization server-side on every request, denying by default, and never trusting a client-supplied identifier to decide what a user may see.

A02: Cryptographic Failures. Formerly "Sensitive Data Exposure," renamed to point at the root cause. It covers weak or missing encryption, transmitting sensitive data in cleartext, hardcoded keys, and outdated algorithms. Use TLS everywhere, encrypt sensitive data at rest with vetted algorithms, and never roll your own crypto.

A03: Injection. SQL, NoSQL, OS command, and LDAP injection all live here, along with cross-site scripting, which was folded into this category in 2021. The fix is consistent: separate code from data using parameterized queries, safe APIs, and output encoding, and validate input against an allowlist.

A04: Insecure Design. A newer category that addresses flaws baked into the architecture before a line of code is written, like a password-reset flow with no rate limit. You cannot patch your way out of a bad design; the answer is threat modeling and secure design patterns early.

A05: Security Misconfiguration. Default credentials, verbose error messages, unnecessary features left enabled, and permissive cloud storage. Harden configurations, remove what you do not use, and automate configuration so environments do not drift.

A06: Vulnerable and Outdated Components. Running libraries, frameworks, or runtimes with known vulnerabilities. This is one of the easiest categories to address with tooling and one of the most neglected. An SCA tool such as Safeguard can inventory your dependencies and flag the ones with known CVEs, which is exactly what this category asks for. Our SCA product page explains the workflow.

A07: Identification and Authentication Failures. Weak password policies, broken session management, credential stuffing that succeeds because there is no throttling. Use multi-factor authentication, strong session handling, and protection against automated credential attacks.

A08: Software and Data Integrity Failures. Trusting code or data without verifying its integrity, including insecure deserialization and, notably, unverified CI/CD pipelines and update mechanisms. This is where supply chain attacks land. Verify signatures, use trusted registries, and secure your build pipeline.

A09: Security Logging and Monitoring Failures. You cannot respond to what you cannot see. Insufficient logging, logs that omit security events, and no alerting mean breaches go undetected for months. Log security-relevant events, protect the logs, and alert on anomalies.

A10: Server-Side Request Forgery (SSRF). New in 2021, added largely by community survey. An attacker coerces the server into making requests to internal systems it should not reach, often to hit cloud metadata endpoints. Validate and restrict outbound requests, and segment internal networks.

How to use the list in a real program

Do not try to boil the ocean. Map your existing findings to these ten categories to see where your risk actually concentrates, then invest there first. A few pragmatic moves:

  • Automate the categories tooling covers well. Injection and cross-site scripting are found by static and dynamic testing; vulnerable components by SCA. Wire those into CI so they run continuously. Our DAST product page covers the dynamic side.
  • Design and review for the ones tooling misses. Broken access control and insecure design need human threat modeling and code review; no scanner reliably catches business-logic authorization flaws.
  • Track findings to closure by category so you can see whether a class of problem is shrinking over time rather than just counting individual bugs.

The Safeguard Academy has deeper material on operationalizing this without overwhelming your developers.

FAQ

How often is the OWASP Top 10 updated?

Roughly every three to four years. The list is data-driven, combining vulnerability data contributed by many organizations with an industry survey. The 2021 edition is the current stable version, with newer revisions in progress.

Is the OWASP Top 10 a compliance standard?

No. It is an awareness and prioritization document, widely referenced by standards and regulations but not itself a certification. Covering all ten categories is a strong baseline, not a guarantee of security or a formal compliance checkmark.

What is the number one risk in the current OWASP Top 10?

A01: Broken Access Control. It reached the top of the 2021 list because access control failures are both extremely common and high-impact, letting users act outside their intended permissions.

Which OWASP Top 10 categories can tools catch automatically?

Injection and cross-site scripting are found well by static and dynamic testing, and vulnerable components by software composition analysis. Categories like broken access control and insecure design rely more on threat modeling and manual review, since business-logic flaws evade scanners.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.