What is OWASP? Intro to OWASP Top 10 Vulnerabilities and Risks

OWASP is a nonprofit foundation that works to improve the security of software.

OWASP (Open Worldwide Application Security Project) is an open community dedicated to enabling organizations to design, develop, acquire, operate, and maintain software for secure applications that can be trusted. Its programs include community-led open-source software projects and local and global conferences, involving hundreds of chapters worldwide with tens of thousands of members.

Why Is OWASP Important?

OWASP plays a crucial role in raising awareness about web application security risks, and provides valuable resources, tools, documentation, and best practices to address the increasing challenges of web application security. OWASP helps developers, security professionals, and organizations understand potential threats and adopt security best practices.  

OWASP maintains a list of the ten most critical web application security risks, along with effective processes, procedures, and controls to mitigate them. OWASP also provides a list of the Top 10 API Security Risks to educate those involved in API development and maintenance and increase awareness of common API security weaknesses.

The OWASP community encourages individuals and organizations to contribute to its projects and resources. This collaborative and survey-driven approach allows the community to harness the collective knowledge and expertise of its members, resulting in comprehensive and up-to-date resources.

There are security risks common to both apps and APIs that bear consideration when implementing security solutions. For example: 

  • Weak authentication/authorization controls 
  • Misconfiguration 
  • Business logic abuse (credential stuffing, account takeover)  
  • Server-side request forgery (SSRF).


OWASP Top 10 Application Security Risks

The OWASP Top 10 is a widely recognized list of the most critical web application security risks. The list serves as a guide for developers, security professionals, and organizations as they prioritize their efforts in identifying and mitigating critical web application security risks. 

The presence of a risk on the OWASP Top 10 list does not necessarily indicate its prevalence or severity in all web applications, and the Top Ten is not ranked in a specific order or by priority.  

The OWASP Top 10 web application security risks for 2021 are:

  1. Broken Access Control. This vulnerability results when insufficient enforcement of access controls and authorization allows attackers to reach functionality or data they are not entitled to. This may be due to insecure direct object references (IDORs), which can arise when an application fails to validate or authorize user input that is used as a direct reference to an internal object. It may also occur due to missing function-level access controls, when the application only validates access at the initial authentication or authorization stage but does not consistently enforce those controls throughout the application's functions or operations. A web application firewall (WAF) can help protect against these attacks by monitoring and enforcing access controls to prevent unauthorized access to sensitive objects or resources.

  2. Cryptographic failures. This risk occurs due to inadequate protection of sensitive data in transit and at rest. Cryptographic failures can lead to data breaches, unauthorized access to confidential information, and non-compliance with data privacy regulations, such as the EU General Data Protection Regulation (GDPR), and financial standards like the PCI Data Security Standard (PCI DSS). These failures can result from insecure cryptographic storage, storing data in plain text, or insecure key management. The risk can also derive from information leakage, which can originate from weak key or random number generation or from flaws in cryptographic protocols.
  3. Injection attacks. Injection flaws occur when attackers insert untrusted or hostile data into command or query languages, or when user-supplied data is not validated, filtered, or sanitized by the application, leading to unintended execution of malicious commands. This risk category spans NoSQL, OS command, LDAP, and SQL injection attacks, and also includes Cross-Site Scripting (XSS), in which attackers inject malicious client-side scripts, such as JavaScript, into web pages viewed by other users. This can result in the theft of sensitive information, such as login credentials, personal data, or session cookies. A WAF can help detect and block malicious code injection attempts by inspecting and filtering incoming requests, including reflected (non-persistent), stored (persistent), and Document Object Model (DOM)-based XSS, preventing them from reaching the application.
  4. Insecure design. This is a broad category representing different weaknesses, expressed as missing or ineffective security controls and architectural flaws. These flaws can occur when an application is designed to rely on processes that are inherently insecure, or when needed security controls to defend against specific attacks are not implemented. These risks can be lessened through increased use of threat modeling, secure design patterns, and reference architectures.  
  5. Security misconfigurations. A lack of security hardening in web application frameworks, platforms, servers, or security controls can lead to unauthorized access, exposure of sensitive information, or other security vulnerabilities. Risks due to security misconfigurations can also result from improperly configured permissions on cloud services or the installation or enablement of unnecessary features such as unused ports, services, accounts, or privileges. Misconfiguration for both web apps and APIs is a significant risk because major cloud providers have varying default security postures and architecture is increasingly becoming decentralized and distributed across a multi-cloud fabric.    
  6. Vulnerable and outdated components. Using outdated, unpatched, or vulnerable components, such as libraries, frameworks, or plugins, can expose applications to known security flaws, increasing the risk of exploitation. These risks can result from unsupported or out-of-date software, including the operating system (OS), web/application server, database management system (DBMS), applications, APIs, and all components, runtime environments, and libraries. These threats are particularly dangerous when organizations do not have timely, risk-based measures in place for fixing or upgrading a system's underlying platform, frameworks, and dependencies, leaving the system open to days or weeks of unnecessary exposure to known risks. Complex software supply chains and automation via CI/CD pipelines increase the risk of introducing vulnerable software into the IT stack. A WAF can serve as a critical stopgap to guard against vulnerability exploitation.
  7. Identification and authentication failures. Weaknesses in authentication, identity, and session management can allow attackers to compromise user accounts, passwords, session tokens, or to exploit insecure session handling. Failures in these areas can permit automated attacks such as credential stuffing. Password-related vulnerabilities are the most common source of these risks, as many people reuse passwords or use default, weak, or well-known passwords. Session management issues can also lead to authentication-related attacks, particularly if user sessions or authentication tokens aren't properly invalidated during logout or a period of inactivity. Attacks that bypass authentication controls are an increasing risk for both web apps and APIs, as detailed in the OWASP Top 10, API Security Top 10, and Automated Threats projects.  
  8. Software and data integrity failures. These vulnerabilities result from application code and infrastructure that fail to protect against integrity violations of data and software. This can result when an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and CDNs. It can also occur during software updates, sensitive data modifications, and CI/CD pipeline changes that are not validated. Attackers can potentially upload their own updates to be distributed and run on all installations. Insecure deserialization, where an application takes untrusted serialized data and consumes that data without ensuring that it is valid, is also a part of this risk category, allowing for attacks such as remote code execution (RCE) and privilege escalation. 
  9. Security logging and monitoring failures. Inadequate logging and monitoring can hinder timely detection and response to security incidents, making it difficult to identify and mitigate attacks or unauthorized activities. This can mean that auditable events, such as logins, failed logins, and high-value transactions are not identified or logged, and that applications do not detect active attacks in real-time.  
  10. Server-side request forgery (SSRF). These vulnerabilities occur when an application does not validate or sanitize a user-supplied URL before pulling data from a remote resource. Attackers can use these flaws to force applications to access malicious web destinations even if protected by a firewall or other defense. These attacks can also result if the targeted resource has trust relationships with other systems, such as a cloud metadata service or backend APIs, allowing an attacker to make requests to those trusted services and extract sensitive information or perform unauthorized actions. To help mitigate SSRF, design systems for least-privilege access and use a WAF to explicitly define the uniform resource identifier (URI) parameters in your security policy and allow/disallow the hosts that can access them.
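The object-level and function-level access checks from item 1 and the parameterized query from item 3 are easiest to see side by side. The following is an added example written for this article, not code from the original page or from OWASP; the users, roles, and document table are constructed for the demonstration, and the vulnerable function is kept deliberately broken as the 'before' so the difference is visible.

```python
import sqlite3
from functools import wraps


class AccessDenied(Exception):
    """Raised when the caller is not authorized for the object or function."""


# Constructed sample data for this example: two users, one private document each.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [(1, "alice", "alice's private notes"), (2, "bob", "bob's salary statement")],
    )
    conn.commit()
    return conn


# Vulnerable pattern (the 'before'): the id from the request is pasted into the SQL
# text (injection) and nothing ties the document to the requesting user (IDOR).
def get_document_vulnerable(conn: sqlite3.Connection, doc_id: str):
    sql = f"SELECT owner, body FROM documents WHERE id = {doc_id}"
    return conn.execute(sql).fetchone()


# Hardened pattern: the id is coerced to the expected type, the query is
# parameterized, and ownership is enforced in the same query, so a document that
# belongs to someone else is indistinguishable from one that does not exist.
def get_document(conn: sqlite3.Connection, current_user: str, doc_id: str):
    try:
        doc_id_int = int(doc_id)
    except (TypeError, ValueError):
        raise ValueError("document id must be an integer")
    row = conn.execute(
        "SELECT owner, body FROM documents WHERE id = ? AND owner = ?",
        (doc_id_int, current_user),
    ).fetchone()
    if row is None:
        raise AccessDenied("no such document for this user")
    return row


# Function-level access control: a hypothetical role table and a decorator that
# re-checks the role on every privileged call, not only at login.
ROLES = {"alice": "user", "bob": "admin"}  # constructed for the example


def require_role(role: str):
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user: str, *args, **kwargs):
            if ROLES.get(current_user) != role:
                raise AccessDenied(f"{current_user} lacks role {role}")
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_all_documents(current_user: str, conn: sqlite3.Connection):
    """Admin-only report across every owner; a plain user must never reach it."""
    return conn.execute("SELECT owner, body FROM documents ORDER BY id").fetchall()


if __name__ == "__main__":
    db = make_db()
    # Through the vulnerable path any caller reads bob's row and can widen the query.
    print(get_document_vulnerable(db, "2"))
    print(get_document_vulnerable(db, "0 OR 1=1"))
    # The hardened path returns only the caller's own document.
    print(get_document(db, "alice", "1"))
```

The point of putting the owner into the WHERE clause rather than checking it after the fetch is that there is no code path that can forget the check, and the denial looks the same as "not found", which avoids leaking which ids exist.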
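Item 10 says the fix for SSRF is to validate the user-supplied URL and explicitly allow or disallow the hosts it may reach. Below is an added example of such a validator, written for this article and not taken from the page or from any F5 or OWASP project; the allowlist hosts (`api.example.com`, `cdn.example.com`) and every test URL are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; a real service would load its own.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme's default port


def classify_url(url: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> str:
    """Return 'ok' if the server may fetch this URL, otherwise a short reason.

    Allowlist-first policy: only named hosts we chose, over HTTPS, on the expected
    port, and never an IP literal. Internal ranges get their own reason so the
    rejection is informative when it is logged.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    # user:pass@host is a classic way to make the visible "host" misleading
    if parts.username is not None or parts.password is not None:
        return "userinfo present"
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return "internal address"
        return "ip literal not allowed"
    # exact-match on the normalized name; no suffix or substring matching
    if host.lower().rstrip(".") not in allowed_hosts:
        return "host not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port not in ALLOWED_PORTS:
        return "port not allowed"
    return "ok"


def is_safe_fetch_url(url: str) -> bool:
    return classify_url(url) == "ok"


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/users",
        "https://169.254.169.254/latest/",
        "https://api.example.com@other.example.net/",
        "https://api.example.com.other.example/",
    ):
        print(candidate, "->", classify_url(candidate))
```

This check is a first gate on the string the user supplied. A complete defense also has to hold at connection time: resolve the allowed name and reject it if the address turns out to be internal, do not follow redirects automatically, and run the fetching component with least privilege so that a request which does slip through reaches as little as possible.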

The 2021 OWASP Top 10 reflects some new categories and naming changes from the previous 2017 OWASP Top 10. These changes included the integration of the 2017 risk threat XML External Entities (XXE) into the 2021 Security Misconfiguration category and adding 2017 Cross-Site Scripting (XSS) to the 2021 Injection category. The 2017 risk Insecure Deserialization is now part of the 2021 Software and Data Integrity Failures category.    

Other OWASP Publications

OWASP currently sponsors 293 projects, including the following 16 OWASP Flagship projects that provide strategic value to OWASP and application security as a whole.

  1. OWASP Amass Project, which has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open-source information gathering and active reconnaissance techniques. 
  2. OWASP Application Security Verification Standard Project (ASVS), which provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.  
  3. OWASP Cheat Sheet Series, which was created to provide a set of simple-to-follow good practice guides for application developers and defenders. Rather than focus on detailed best practices that are impractical for many developers and applications, these are intended to provide good practices that the majority of developers will actually be able to implement.  
  4. OWASP CycloneDX, which is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber-risk reduction.   
  5. OWASP DefectDojo, which is an open-source vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools.
  6. OWASP Dependency-Check, which is a software composition analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies. It does this by determining if there is a common platform enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated common vulnerabilities and exposures (CVE) entries.   
  7. OWASP Dependency-Track, which is an intelligent component analysis platform that allows organizations to identify and reduce risk in the software supply chain.
  8. OWASP Juice Shop, which is perhaps the most modern and sophisticated insecure web application used in security training, awareness demos, capture-the-flag competitions, and as a guinea pig for security tools. Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications.
  9. OWASP Mobile Application Security, which is OWASP’s flagship project for providing a security standard for mobile apps. It also includes a comprehensive testing guide that covers the processes, techniques, and tools used during mobile app security testing, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results. 
  10. OWASP ModSecurity Core Rule Set, which is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.   
  11. OWASP Project OWTF (Offensive Web Testing Framework), which is an open-source web application penetration testing framework designed to assess and test the security of web applications. The main goal of OWTF is to help security professionals and penetration testers automate the process of assessing and testing web applications for vulnerabilities, allowing them to identify and address security weaknesses more effectively.
  12. OWASP SAMM (Software Assurance Maturity Model), which provides an effective and measurable way to analyze and improve secure development lifecycle modeling. SAMM supports the complete software lifecycle and is technology and process agnostic.  
  13. OWASP Security Knowledge Framework, which is a web application that explains secure coding principles in multiple programming languages and aims to help developers build applications that are secure by design.  
  14. OWASP Security Shepherd, which is a web and mobile application security training platform designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.   
  15. OWASP Web Security Testing Guide, which is a comprehensive guide to testing the security of web applications and web services. It provides a framework of best practices used by penetration testers and organizations all over the world.
  16. OWASP ZAP, which is a web application security testing tool designed to help security professionals and developers identify and mitigate security vulnerabilities in web applications during the development and testing phases.   

The Case for Integrated Security Controls

OWASP plays a critical role in the ongoing quest to improve software security by raising awareness about web application security risks and advocating for best practices among developers, security professionals, and organizations. As a community-driven project, OWASP brings together experts and enthusiasts to collaborate on improving web application security, helping to build a security-conscious culture that promotes secure coding practices and secure development methodologies.

In addition, OWASP provides a wealth of free and open-source tools, documents, and resources that empower organizations to enhance their security posture, including the OWASP Top 10, the OWASP API Security Top 10, and the Automated Threats to Web Applications Project. Other OWASP initiatives include:

  • The OWASP Bug Logging Tool (BLT), which enables Internet users to report any issues they encounter online and help improve Internet security by promoting responsible disclosure and fostering a safer online environment. 
  • The OWASP CSRFGuard, a library that protects web applications from Cross-Site Request Forgery (CSRF) attacks.
  • A number of repositories on GitHub, including the Cheat Sheet Series, which provides a concise collection of high value information on specific application security topics. 
  • OWASP Top 10 Client-Side Security Risks, a compilation of specific vulnerabilities common to browser-side applications. 
  • OWASP Cloud-Native Application Security Top 10, a project still under development that will provide information about the most prominent security risks for cloud-native applications, the challenges involved, and how to overcome them. 

Get involved by becoming a member of OWASP or attending a local chapter meeting, which are free and open to both members and nonmembers. In addition, OWASP hosts nearly a dozen global and regional events each year, which are great opportunities to improve your career skills, build your professional network, and learn about new trends in the industry.

F5 Addresses OWASP Security Risks

F5 supports the OWASP Foundation and its dedication to improving software security and raising awareness of web application security risks and vulnerabilities. F5 Web Application Firewall solutions block and mitigate a broad spectrum of risks stemming from the OWASP Top 10.

F5 WAF solutions combine signature and behavioral protections, including threat intelligence from F5 Labs and ML-based security, to keep pace with emerging threats. It eases the burden and complexity of consistently securing applications across clouds, on-premises, and edge environments, while simplifying management via a centralized SaaS infrastructure. F5 WAFs also streamline app security by integrating protections into development frameworks and CI/CD pipelines with core security functionality, centralized orchestration, and oversight via a single dashboard with a 360-degree view of app performance and security events across distributed applications. 

F5 also addresses the risks identified in the OWASP API Security Top 10 with solutions that protect the growing attack surface and emerging threats as apps evolve and API deployments increase. F5 Web Application and API Protection (WAAP) solutions defend the entirety of the modern app attack surface with comprehensive protections that include WAF, API Security, L3-L7 DDoS mitigation, and bot defense against automated threats and fraud. The distributed platform makes it simple to deploy consistent policies and scale security across your entire estate of apps and APIs regardless of where they're hosted, and integrate security into the API lifecycle and broader ecosystems.

F5 also offers solutions to address the risks outlined in OWASP’s Automated Threats to Web Applications Project. F5 Distributed Cloud Bot Defense prevents fraud and abuse that can bypass existing bot management solutions and provides real-time monitoring and intelligence as well as ML-based retrospective analysis to protect organizations from automated attacks, without inserting user friction or disrupting the customer experience. Distributed Cloud Bot Defense maintains effectiveness regardless of how attackers retool, whether the attacks pivot from web apps to APIs or attempt to bypass anti-automation defenses by spoofing telemetry or using human CAPTCHA solvers.

F5 also offers multi-tiered DDoS protection for advanced online security as a managed, cloud-delivered mitigation service that detects and mitigates large-scale network, protocol, and application-targeted attacks in real time; the same protections are available as on-premises hardware, software, and hybrid solutions as well. F5 Distributed Cloud DDoS Mitigation defends against volumetric and application-specific layer 3-4 and advanced layer 7 attacks before they reach your network infrastructure and applications.