
What is the OWASP Top 10 — the standard list of the 10 biggest web-app risks

The OWASP Top 10 is the standard list of the most critical web-application security risks. This explains what each category — broken access control, injection, misconfiguration, and more — actually means, and what to prioritize defending in your own app, with links to this site's explainers.

Published 2026-07-04 · Updated 2026-07-04 · 3 min read

The "OWASP Top 10" is the common language for talking about web-app security. Here's what each item means — framed as a lens for defense, not attack steps — linked to this site's deeper explainers.

The 10 risks at a glance (2021)

Each item is a category, not a single bug. Map each one onto your own app and work down the list as an audit lens.

| # | Risk | Roughly what it means | Related on this site |
|---|------|-----------------------|----------------------|
| A01 | Broken Access Control | "logged in = allowed"; missing owner checks | authn vs authz / IDOR |
| A02 | Cryptographic Failures | secrets in plaintext, weak crypto, TLS gaps | public-key crypto / password hashing |
| A03 | Injection | input hijacks a query/command | SQL injection / XSS |
| A04 | Insecure Design | threats not considered at design time | the minimum checklist |
| A05 | Security Misconfiguration | prod debug, defaults, exposed features | CORS |
| A06 | Vulnerable & Outdated Components | ignored known CVEs in dependencies | monitoring dependency CVEs |
| A07 | Authentication Failures | weak auth, no brute-force resistance, no MFA | 2FA / passkeys |
| A08 | Software & Data Integrity Failures | tampered supply chain / update path | history of security (supply chain) |
| A09 | Logging & Monitoring Failures | can't detect or trace an incident | why audit logs matter |
| A10 | SSRF | the server is made to fetch internal targets | SSRF |

How to use it: a prioritization start, not a checklist

Don't treat 'covering' the Top 10 as done

The Top 10 is the ten most representative categories, not a guarantee of sufficiency. Use it as a starting point for prioritization and gap-finding, and also shore up foundations it doesn't directly cover — dependency CVE monitoring, secret management, backups, and detection.

1. Start at the top (A01–A03) in your own app. Audit access control, cryptography, and injection in your own code first — the most frequent incident sources cluster here.

2. Check config and dependencies (A05, A06) mechanically. Tighten production config (no debug exposure) and make dependency CVE monitoring a mechanism, not a manual chore.

3. Have detection (A09) before an incident. Without logs and monitoring you can't notice or trace an incident. Retain at least basic audit and access logs.

This site's view: a tool for mapping onto your own code

The value of the Top 10 isn't memorizing numbers — it's mapping each category onto your own app and auditing it. This site keeps per-risk explainers translated into "how you defend." Use the Top 10 as an entry point, and start with the top items — access control, cryptography, injection — in your own code.

FAQ

Q: What is the OWASP Top 10?

A: It's a list, published every few years by the non-profit OWASP (Open Worldwide Application Security Project), of the 'most critical web-application security risks,' organized into ten categories. It isn't a set of attack recipes — it's a common language developers and operators use to check 'where do I at least need to look.' The current edition is the 2021 version.

Q: What is number one on the OWASP Top 10?

A: The 2021 edition is led by Broken Access Control — the design hole where being logged in is treated as being allowed, without checking whether that user may actually perform that action or touch that data. IDOR (reaching someone else's data by supplying their ID) is a classic example of this category.
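
The A01 pattern described above, as an added example that is not part of this site's explainers: a handler that looks a record up by the client-supplied id alone (the IDOR shape), beside the same handler with a server-side owner check. The in-memory store, user ids and function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample store: two users (100 and 200), one private document each.
DOCUMENTS = {
    1: Document(doc_id=1, owner_id=100, body="alice's private notes"),
    2: Document(doc_id=2, owner_id=200, body="bob's private notes"),
}


class AccessDenied(Exception):
    """Raised when the session user may not access the requested object."""


def get_document_vulnerable(current_user_id: int, doc_id: int) -> Document:
    """Broken access control: the handler knows who is logged in (authn) but
    never asks whether that user may read this document (authz). Any logged-in
    user reaches any document just by changing doc_id in the request."""
    return DOCUMENTS[doc_id]


def get_document_fixed(current_user_id: int, doc_id: int) -> Document:
    """The fix: load the object, then compare its owner to the session identity
    before returning anything. A missing record and a foreign record raise the
    same error, so the endpoint does not confirm which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != current_user_id:
        raise AccessDenied(f"user {current_user_id} may not access document {doc_id}")
    return doc


def can_read(handler, current_user_id: int, doc_id: int) -> bool:
    """Audit helper: True if the handler hands the document to this user."""
    try:
        handler(current_user_id, doc_id)
        return True
    except (AccessDenied, KeyError):
        return False
```

Running `can_read` over every (user, document) pair against each handler is the quick way to turn the "owner check" audit from step 1 into a repeatable test.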

Q: If I cover the OWASP Top 10, am I safe?

A: No. The Top 10 is the ten most representative categories, not a checklist that guarantees sufficiency. Use it as a starting point for prioritization and gap-finding, and also shore up the foundations it doesn't directly cover — dependency CVE monitoring, secret management, backups, and detection.