Vol. 1 · Ed. 2026
CyberGlossary
Entry № 878

OWASP Top 10

Reviewed by: Cybersecurity entrepreneur & security researcher

What is OWASP Top 10?

OWASP Top 10: An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data.

The OWASP Top 10 is a community-driven publication of the Open Worldwide Application Security Project (OWASP) that ranks the most critical web application security risks. Each release (notably 2017, 2021, and the in-progress 2025 edition) is based on data collected from organizations and a survey of practitioners, and groups risks into categories such as Broken Access Control, Cryptographic Failures, Injection, Insecure Design, and Security Misconfiguration. It is an awareness document, not a formal standard, but it is widely referenced in regulations, PCI DSS, secure-coding curricula, AppSec tooling, and bug-bounty scoping. OWASP also publishes Top 10 variants for APIs, mobile, LLM applications, and CI/CD.

Examples

  1. A team mapping its threat model to the OWASP Top 10 to prioritize remediation work.

  2. A SAST product reporting findings by OWASP Top 10 category to align with developer training.

Frequently asked questions

What is OWASP Top 10?

An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data. It belongs to the Compliance & Frameworks category of cybersecurity.

What does OWASP Top 10 mean?

An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data.

How do you defend against OWASP Top 10?

Defences for OWASP Top 10 typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for OWASP Top 10?

Common alternative names include: OWASP Top Ten.
