The OWASP Top 10 for 2021:
A New Wave of Risk

  • Share to Facebook
  • Share to Twitter
  • Share to Linkedin
  • Share via AddThis

INTRODUCTION

Opportunities for attackers have exploded in today’s digital economy, which relies on modern apps and architectures, multi-cloud deployments, and third-party integrations, including software supply chains and CI/CD pipelines. The OWASP Top 10 for 2021 addresses a new wave of risks as must-read guidance for improving security in application design and implementation.

Most Significant Update in 20 Years

The OWASP Top 10, first released in 2003, represents a broad consensus on the most critical security risks to web applications. For 20 years, the top risks remained largely unchanged—but the 2021 update makes significant changes that address application risks in three thematic areas:

Recategorization of risk to align symptoms to root causes

New risk categories encompassing modern application architectures and development

Vulnerability exploits as well as business logic abuse

password skull

What is the #1 cause of breaches?

Access attacks


“Access attacks, that is, attacks against user-facing authentication surfaces, were the single most frequent cause of breaches.”1

— 2022 Application Protection Report: In Expectation of Exfiltration

What's New for 2021

Here are the key factors that influenced the OWASP Top 10 update:

2017

Focus on traditional web applications

Small data set (prescribed subset of 30 CWEs)

Variety of risk factors, technical/business impacts

Injection as the top risk for over 20 years

2021

Shift to modern architectures

Data-driven process with 400 CWEs

Recategorized around symptoms and root causes

A new wave of risk: insecure design and implementation

The 2021 OWASP Top 10 Security Risks

A01

Broken Access Control

A02

Cryptographic Failures

A03

Injection

A04

Insecure Design

A05

Security Misconfiguration

A6

Vulnerable and Outdated Components

A7

Identification and Authentication Failures

A8

Software and Data Integrity Failures

A9

Security Logging and Monitoring Failures

A10

Server-Side Request Forgery (SSRF)

THEME #1

Symptoms Aligned to Root Causes

Security OWASP Device Access

What's Changed?

The OWASP Top 10 risks map to common weakness enumerations (CWEs), which often become vulnerability exploits. But previous OWASP data collection focused on a prescribed set of 30 CWEs, and previous lists made no significant distinction between CWEs that represented root causes and more symptomatic weaknesses with a variety of potential causes. The 2021 list reflects 400 CWEs and thus enabled broader analysis.

2017: Symptom

A3:2017
Sensitive Data Exposure

A7:2017
Cross-Site Scripting (XSS)

A4:2017
XML External Entities (XXE)

A9:2017
Using Components with Known Vulnerabilities

A8:2017
Insecure Deserialization

A10:2017
Insufficient Logging & Monitoring

2021: Root Cause

A02:2021
Cryptographic Failures

A03:2021
Injection

A05:2021
Security Misconfiguration

A06:2021
Vulnerable and Outdated Components

A08:2021
Software and Data Integrity Failures

A09:2021
Security Logging and Monitoring Failures

Why Does it Matter?

The 2021 list better aligns symptoms to underlying root causes to help security teams focus on reducing risks at their source.

password skull

What is the #1 cause of cloud breaches?

Security misconfiguration


“What we want you to do is actually think about those root causes and what you can do about them, rather than trying to put band-aids over the symptoms.”2

—Andrew van der Stock, Executive Director, OWASP Foundation

THEME #2

New Risk Categories

Security OWASP Device Hacker

What's Changed?

Three new risk categories emphasize the need to address security from the start of application design and to make security part of the software lifecycle.

A04: 2021
Insecure Design

A08: 2021
Software and Data Integrity Failures

A10: 2021
Server-Side Request Forgery

Why Does it Matter?

The recent publication of the log4j2 vulnerability spotlights the significance of open-source software exploits. Weaknesses within the log4j2 logging utility map to two OWASP Top 10 risk categories, and a CVE with real-world exploits make it a trifecta—injection, software, and data integrity failures, and vulnerable and outdated components.

OWASP Short Infographic

Figure 1: The Log4Shell exploit in the open-source Apache Log4j2 logging utility is an example of at attack that spans multiple risk categories. It allows the execution of arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

“A secure design can still have implementation defects leading to vulnerabilities that may be exploited.”

—OWASP Top 10 for 2021

THEME #3

Protection for Modern Apps and Architectures

Security OWASP User Datacenter Tablet

What's Changed?

Application architectures have evolved, with cloud deployments, containerization, mobile apps, and a proliferation of APIs and third-party integrations. Login pages, shopping carts, and other business logic aren’t defects, but they’re inherently vulnerable to abuse. The OWASP Top 10 for 2021 offers guidance for proactive and preemptive security in this new world order.

OWASP Short Infographic

Figure 2: Yesterday’s best practices aren’t enough for today’s distributed modern applications and architectures.

Why Does it Matter?

Security must be integrated throughout the application development process, including secure CI/CD pipelines, component inventories, threat modeling, and sound risk management. The latest OWASP Top 10 offers a resource for security and AppDev/DevOps professionals working to shift security further left into fundamental design principles.

1 F5 2022 Application Protection Report.

2 Van der Stock, Andrew, OWASP Top 10, YouTube. Oct. 8, 2021. 

Discover More

Report

REPORT

F5 Labs 2022 Application Protection Report

Understand how threats have evolved in the past year and how security defenses can be tuned to defeat the latest attacks.

Get the report ›

eBook

EBOOK

The 2021 OWASP Top 10: The New Wave of Risk

Learn how to use the OWASP Top 10 as a foundation for more secure development and better application security.

Get the eBook ›

Webinar

WEBINAR

The OWASP Top 10 2021: The New Risk Order

See what’s changed in the OWASP Top 10 and how solutions like F5 Distributed Cloud WAAP mitigates those risks.

Watch now ›

Solution Simulator

Solution Simulator

F5 Distributed Cloud Web App and API Protection (WAAP)

Explore an interactive demo of holistic as-a-Service protection for applications—wherever they run.

See how it works ›

Videos

VIDEO

2021 OWASP Top 10 Lightboard Lesson Video Series

Get a detailed breakdown of the new OWASP Top 10 web application security risks.

Watch now ›