The OWASP Top 10, first released in 2003, represents a broad consensus on the most critical security risks to web applications. For 20 years, the top risks remained largely unchanged—but the 2021 update makes significant changes that address application risks in three thematic areas:
Recategorization of risk to align symptoms to root causes
New risk categories encompassing modern application architectures and development
Vulnerability exploits as well as business logic abuse

“Access attacks, that is, attacks against user-facing authentication surfaces, were the single most frequent cause of breaches.”¹
— 2022 Application Protection Report: In Expectation of Exfiltration

The OWASP Top 10 risks map to common weakness enumerations (CWEs), the weakness classes that frequently underlie exploited vulnerabilities. Previous OWASP data collection, however, focused on a prescribed set of 30 CWEs, and previous lists made no significant distinction between CWEs that represent root causes and more symptomatic weaknesses that can arise from a variety of causes. The 2021 list reflects 400 CWEs and thus enabled broader analysis.
The 2021 list better aligns symptoms to underlying root causes to help security teams focus on reducing risks at their source.
“What we want you to do is actually think about those root causes and what you can do about them, rather than trying to put band-aids over the symptoms.”²
—Andrew van der Stock, Executive Director, OWASP Foundation

Three new risk categories emphasize the need to address security from the start of application design and to make security part of the software lifecycle.
The recent publication of the log4j2 vulnerability spotlights the significance of open-source software exploits. Weaknesses within the log4j2 logging utility map to two OWASP Top 10 risk categories, and a CVE with real-world exploits makes it a trifecta: injection; software and data integrity failures; and vulnerable and outdated components.
“A secure design can still have implementation defects leading to vulnerabilities that may be exploited.”
—OWASP Top 10 for 2021

Application architectures have evolved, with cloud deployments, containerization, mobile apps, and a proliferation of APIs and third-party integrations. Login pages, shopping carts, and other business logic aren’t defects, but they’re inherently vulnerable to abuse. The OWASP Top 10 for 2021 offers guidance for proactive and preemptive security in this new world order.
Security must be integrated throughout the application development process, including secure CI/CD pipelines, component inventories, threat modeling, and sound risk management. The latest OWASP Top 10 offers a resource for security and AppDev/DevOps professionals working to shift security further left into fundamental design principles.
1 F5 2022 Application Protection Report.
2 Van der Stock, Andrew, OWASP Top 10 (https://www.youtube.com/watch?v=uLBCDBnMEt0), YouTube. Oct. 8, 2021.