OWASP Top 10 (2010, 2013, 2017,2021) - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Monday, October 11, 2021

OWASP Top 10 (2010, 2013, 2017,2021)

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to providing unbiased, practical information about application security. 
The OWASP Top 10 Web Application Security Risks was created  in 2010, 2013, 2017 and 2021 to provide guidance to developers and security professionals on the most critical vulnerabilities that are commonly found in web applications, which are also easy to exploit. These 10 application risks are dangerous because they may allow attackers to plant malware, steal data, or completely take over your computers or web servers.
Meeting OWASP Compliance Standards usually is the First Step Toward Secure Code.


  1. A01:2021-Broken Access Control
  2. A02:2021-Cryptographic Failures
  3. A03:2021-Injection
  4. A04:2021-Insecure Design
  5. A05:2021-Security Misconfiguration
  6. A06:2021-Vulnerable and Outdated Components
  7. A07:2021-Identification and Authentication Failures
  8. A08:2021-Software and Data Integrity Failures
  9. A09:2021-Security Logging and Monitoring Failures
  10. A10:2021-Server-Side Request Forgery (SSRF)

                  The OWASP Top 10 Proactive Controls 
                  1. Define Security Requirements
                  2. Leverage Security Frameworks and Libraries
                  3. Secure Database Access
                  4. Encode and Escape Data
                  5. Validate All Inputs
                  6. Implement Digital Identity
                  7. Enforce Access Controls
                  8. Protect Data Everywhere
                  9. Implement Security Logging and Monitoring
                  10. Handle All Errors and Exceptions


                  OWASP Top 10 Application Security Risks - 2017

                  1. A1. Injection
                  2. A2. Broken Authentication
                  3. A3. Sensitive Data Exposure
                  4. A4. XML External Entities (NEW)
                  5. A5. Broken Access Control (MERGED)
                  6. A6. Security Misconfiguration
                  7. A7. Cross-Site Scripting
                  8. A8. Insecure Deserialization (NEW)
                  9. A9. Using Components With Known Vulnerabilities
                  10. A10. Insufficient Logging and Monitoring (NEW)

                  1. A1-Injection
                  2. A2-Broken Authentication and Session Management
                  3. A3-Cross-Site Scripting (XSS)
                  4. A4-Insecure Direct Object References
                  5. A5-Security Misconfiguration
                  6. A6-Sensitive Data Exposure
                  7. A7-Missing Function Level Access Control
                  8. A8-Cross-Site Request Forgery (CSRF)
                  9. A9-Using Components with Known Vulnerabilities
                  10. A10-Unvalidated Redirects and Forwards

                  For 2010, the OWASP Top 10 Most Critical Web Application Security Risks are:
                  1. A1: Injection
                  2. A2: Cross-Site Scripting (XSS)
                  3. A3: Broken Authentication and Session Management
                  4. A4: Insecure Direct Object References
                  5. A5: Cross-Site Request Forgery (CSRF)
                  6. A6: Security Misconfiguration
                  7. A7: Insecure Cryptographic Storage
                  8. A8: Failure to Restrict URL Access
                  9. A9: Insufficient Transport Layer Protection
                  10. A10: Unvalidated Redirects and Forwards


                  ·         OWASP Risk Rating Methodology
                  ·         ISO 31000: Risk Management Std
                  ·         ISO 27001: ISMS
                  ·         NIST Cyber Framework (US)
                  ·         ASD Strategic Mitigations (AU)
                  ·         NIST CVSS 3.0

                  1 comment: