OWASP compliance is critical to maintaining secure software in today’s digital landscape. Last updated in 2021, the OWASP Top 10 groups the most common web application security risks into ten curated categories, each of which maps to many individual weaknesses across all kinds of code and web applications.
The nonprofit group Open Web Application Security Project® (OWASP) seeks to enhance software security. Development teams around the world and across industries turn to the OWASP Foundation for tools, resources, and training to protect their web applications from cyberattacks. Projects with community-driven initiatives are open for anybody to join.
Periodically, OWASP releases a list of the most pressing problems for the development community at large. These issues affect the overall security of projects, and the list illuminates the biggest threats.
The 2021 OWASP Top 10 introduces some new issues while reframing previous entries as part of its new categories. OWASP built the list from a variety of sources, including contributed application test data, developer feedback, security vendor counsel, bug bounties, and a community survey. Eight of the ten categories were selected and ranked from the test data by incidence rate, and the remaining two (Security Logging and Monitoring Failures and Server-Side Request Forgery) were added from the community survey. Each category represents multiple Common Weakness Enumerations (CWEs), so #1 is the category found in the most applications, not a single bug.
The OWASP Top 10 helps teams focus on the most critical and likely problems before moving on to other issues.
All of these potential vulnerabilities pose significant threats to any development team but keep in mind that this is not an exhaustive list of everything that can go wrong during development. While the Top 10 isn’t a comprehensive strategy or the only method for identifying vulnerabilities, it is an excellent way to get started.
The best way to use the Top 10 is to educate your developers so they build secure code. Additionally, use it for validation testing to verify that developers truly wrote secure code and catch when they didn’t.
With the development of APIs on the rise, OWASP also has a dedicated project focused solely on API security and its top ten concerning vulnerabilities. The OWASP API Security Top 10 was introduced in 2019 and updated in 2023.
Broken access control climbed to the #1 spot from #5 in the previous Top 10, making it the most widespread category in the 2021 data set. OWASP reports that 94% of the applications in its data were tested for some form of broken access control, with an average incidence rate of 3.81% and more CWE occurrences than any other category. The biggest CWEs related to this vulnerability are:
Access control enforces the policy that users cannot act outside their intended permissions. When it is broken, an authenticated user (or no user at all) can read or modify other users’ records, escalate privileges, or reach administrative functions by bypassing the checks that are supposed to gate them. The root cause is almost always missing or inconsistent authorization, not authentication: the application knows who the caller is but never verifies that the caller is allowed to touch the requested object.
Broken access control maps to 34 separate CWEs and accounts for more occurrences in the OWASP data than any other category, which is what pushed it to #1 on the 2021 list.
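The most common shape of this bug is an insecure direct object reference: the handler trusts an identifier from the request without checking that the record belongs to the caller. The following is an added example, not code from the original page or from any product it describes; the users, documents and in-memory store are constructed for illustration. It shows the vulnerable handler next to one that denies by default and checks ownership.

```python
"""Added example (not from the original page): an insecure direct object
reference (IDOR), the most common form of broken access control, next to a
handler that enforces ownership. Users, documents and the store are
constructed test data."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller may not access the requested object."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two users, each owning one document.
DOCUMENTS = {
    1: Document(1, "alice", "alice's tax return"),
    2: Document(2, "bob", "bob's medical history"),
}


def get_document_insecure(current_user: str, doc_id: int) -> str:
    """Vulnerable: the caller is authenticated (we know who they are) but
    never authorised. Any logged-in user who guesses an id reads any record."""
    return DOCUMENTS[doc_id].body


def get_document_secure(current_user: str, doc_id: int) -> str:
    """Hardened: deny by default, then check that the record belongs to the
    caller. A missing record and someone else's record raise the same error
    so the endpoint does not leak which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not access document {doc_id}")
    return doc.body


def access_is_denied(current_user: str, doc_id: int) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        get_document_secure(current_user, doc_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # alice reads bob's record through the vulnerable path ...
    print(get_document_insecure("alice", 2))
    # ... and is refused by the hardened one.
    print("denied:", access_is_denied("alice", 2))
```

The ownership check belongs in one server-side place that every route calls; a check that lives only in the UI, or only on some endpoints, is exactly the inconsistency attackers enumerate for.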
Cryptographic failures now rank in position #2—up from #3. This issue used to be called “Sensitive Data Exposure.” The new name emphasizes root causes, not just symptoms.
Cryptographic failures are a frequent root cause of data breaches. Examples include transmitting data in clear text, missing security headers such as HSTS that let clients fall back to unencrypted connections, weak or deprecated algorithms, unsalted or fast hashes for passwords, and poor key management such as hard-coded or reused keys.
The page cites the Red Cross breach of January 2022 as a notable example. Preventing these failures requires classifying the data an application handles, encrypting it in transit and at rest with current algorithms, storing passwords with a salted adaptive hash, and verifying all of this in testing rather than assuming the defaults are safe.
Injection drops from #1 in 2017 to #3, and the category now absorbs cross-site scripting (XSS), which was a separate entry at #7 in 2017.
Injection flaws occur when attacker-controlled data is interpreted as part of a command or query rather than as data, forcing the application to run unintended commands. For example, SQL injection can extract or alter entire databases.
This was OWASP’s #1 issue for many years. In the 2021 data set, 94% of applications were tested for some form of injection and 274,000 occurrences were found across the 33 CWEs in the category. Injection is highly preventable: use parameterized queries or a safe API instead of string concatenation, validate input on the server, and apply context-aware output encoding for XSS.
Examples of injection flaws:
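The difference between the injectable and the safe form is easiest to see side by side. This is an added example, not from the original page or from any product it describes; it uses an in-memory SQLite database with constructed rows and a classic tautology payload.

```python
"""Added example (not from the original page): the same user lookup written
with string formatting, which is injectable, and with a parameterised
query, which is not. In-memory SQLite with constructed rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "user"), (3, "admin", "admin")],
    )
    return conn


def find_user_insecure(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the caller's input becomes part of the SQL text, so a
    quote in the input changes the query's structure, not just its data."""
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_secure(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the query text is fixed; the driver binds the input as a
    value, so the same payload simply matches no row."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payload: closes the string literal and appends a tautology.
PAYLOAD = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("insecure:", find_user_insecure(db, PAYLOAD))  # every row, including admin
    print("secure:  ", find_user_secure(db, PAYLOAD))    # []
```

The hardened version is not "the insecure one plus escaping": the query string never changes shape, so there is no quoting rule for the attacker to break.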
Insecure design, at #4, is a new category covering risks that originate in design and architecture rather than in implementation. It emphasizes secure design practices such as threat modeling and reference architectures, and DevSecOps, meaning security integrated throughout the development life cycle.
Insecure design happens when teams fail to anticipate threats before writing code. Unlike an insecure implementation, which can be patched, a design flaw leaves the application vulnerable even when every line implementing that design is correct, because the missing control was never specified.
Examples:
Security misconfiguration, ranked #5 (up from #6), covers misconfigured software, frameworks, servers and cloud services.
It happens when important security settings are missing, incorrect, or left at defaults: an unchanged default password, an unnecessary feature or port left enabled, directory listing turned on, verbose error messages exposed to users, or missing hardening in any part of the stack. Outdated software is related but belongs to the next category.
It is widespread because every layer has its own settings and every deployment can drift. The page cites the 2023 FAA NOTAM outage as a case linked to misconfiguration.
Vulnerable and outdated components, previously called “Using Components with Known Vulnerabilities,” is now ranked #6, up from #9.
The risk stems from using unsupported, outdated, or poorly maintained third-party software, libraries, frameworks, or transitive dependencies, and from not knowing which versions are deployed in the first place.
Attackers routinely scan for known-vulnerable versions, so an inventory of components (an SBOM) plus timely patching is critical.
Example: the Log4j remote code execution vulnerability (Log4Shell, CVE-2021-44228) disclosed in December 2021, which affected services including Cloudflare, Steam and iCloud because the vulnerable library was a transitive dependency of countless applications.
Identification and authentication failures, formerly “Broken Authentication,” is now #7. It was previously #2.
These failures occur when identity, credentials, or sessions aren’t handled securely: storing passwords in plain text or with a weak hash, accepting default or well-known passwords, leaving session IDs in URLs or not rotating them after login, or lacking any defense against automated guessing.
They are among the most exploited weaknesses. Techniques like credential stuffing replay passwords stolen from one breach against other sites, and password spraying tries a few common passwords across many accounts. Multi-factor authentication, checks against lists of breached passwords, rate limiting and lockout on failed attempts, and properly hashed password storage all mitigate the risk.
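Password storage sits at the intersection of the cryptographic failures entry and this one, so a single added example serves both: the plain-text or unsalted-fast-hash storage OWASP warns against, beside salted PBKDF2 with a constant-time comparison. This is not code from the original page or from any product it describes; it uses only the standard library, and the iteration count is an assumption chosen for illustration.

```python
"""Added example (not from the original page): password storage as the
Cryptographic Failures and Identification and Authentication Failures
entries both warn against (unsalted fast hash) next to salted PBKDF2 with
a constant-time comparison. Standard library only."""
import hashlib
import hmac
import os

# Assumption for this example: OWASP's password storage guidance recommends
# 600,000 iterations for PBKDF2-HMAC-SHA256; tune to your hardware.
ITERATIONS = 600_000


def hash_password_insecure(password: str) -> str:
    """Vulnerable: unsalted, single-round MD5. Identical passwords produce
    identical digests, and precomputed tables recover common ones instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Hardened: per-user random salt and a deliberately slow KDF. The stored
    record carries its own parameters so they can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time
    so response timing does not leak how many bytes of the digest matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users with the same password: MD5 reveals the match, PBKDF2 does not.
    print(hash_password_insecure("hunter2") == hash_password_insecure("hunter2"))
    stored = hash_password("hunter2")
    print(stored != hash_password("hunter2"))  # different salts
    print(verify_password("hunter2", stored), verify_password("wrong", stored))
```

In a real service you would pair this with rate limiting and MFA; a good hash slows offline cracking of a stolen database, but it does nothing against online guessing.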
Software and data integrity failures, ranked #8 and new in 2021, covers code and infrastructure that do not protect against integrity violations: insecure deserialization, and missing integrity checks in CI/CD pipelines or update mechanisms.
Examples include software updates applied without signature verification, unprotected CI/CD pipelines where a build step can be altered, dependencies pulled from untrusted sources, and unvalidated auto-updates.
These failures open the door to attackers inserting malicious code that the application then trusts. Insecure deserialization, where untrusted serialized objects are reconstructed into live objects, is a common path to denial of service and remote code execution.
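The update-mechanism case is the one most teams can fix mechanically: verify a signed manifest and the artifact’s digest before installing anything. The following added example (not code from the original page or from any product it describes) shows an update client that installs whatever it downloads beside one that checks an HMAC over the manifest and the artifact’s SHA-256. The key, manifest and artifact bytes are constructed; a real distributor would use an asymmetric signature so that clients hold only a verification key.

```python
"""Added example (not from the original page): an update client that trusts
whatever it downloads, next to one that checks an HMAC over the manifest
and the artifact's SHA-256 before installing. Key, manifest and artifact
are constructed; a real system would use an asymmetric signature."""
import hashlib
import hmac
import json

# Constructed: the signing key, a release artifact and the manifest for it.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
ARTIFACT = b"#!/bin/sh\necho 'legitimate release 1.2.3'\n"
MANIFEST = {
    "name": "agent",
    "version": "1.2.3",
    "sha256": hashlib.sha256(ARTIFACT).hexdigest(),
}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Distributor side: HMAC-SHA256 over a canonical JSON encoding so that
    key order or whitespace cannot change the bytes being signed."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def install_insecure(manifest: dict, artifact: bytes) -> bool:
    """Vulnerable: anything served under the expected name is installed."""
    return manifest.get("name") == "agent"


def install_secure(manifest: dict, signature: str, artifact: bytes, key: bytes) -> bool:
    """Hardened: install only if (1) the manifest signature verifies and
    (2) the artifact hashes to the digest the signed manifest names.
    Both comparisons are constant-time."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False
    actual_digest = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual_digest, manifest.get("sha256", ""))


def tampered_artifact() -> bytes:
    """Constructed: the artifact as a man-in-the-middle might rewrite it."""
    return ARTIFACT.replace(b"legitimate", b"backdoored")


if __name__ == "__main__":
    sig = sign_manifest(MANIFEST, SIGNING_KEY)
    print(install_insecure(MANIFEST, tampered_artifact()))            # True
    print(install_secure(MANIFEST, sig, ARTIFACT, SIGNING_KEY))        # True
    print(install_secure(MANIFEST, sig, tampered_artifact(), SIGNING_KEY))  # False
```

Note that an attacker who can swap the artifact can usually also rewrite the manifest; that is why the manifest itself is signed and the client checks the signature before it trusts the digest inside it.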
Security logging and monitoring failures, previously called “Insufficient Logging & Monitoring,” is now ranked #9, up from #10.
These failures occur when systems don’t record or act on security-relevant events. For example, failed logins are not logged at all, so an attacker can try thousands of passwords without anyone noticing; or they are logged, but nothing watches the logs and raises an alert.
Without proper monitoring, incidents go undetected for months and small intrusions become large breaches. Regulations like HIPAA and PCI DSS require adequate logging and review. Poor monitoring also amplifies other categories: an access control bug that is exploited once is a bug, while one exploited ten thousand times unnoticed is a breach.
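The failed-login case above is the simplest thing to detect once the events are actually logged. The following added example (not code from the original page or from any product it describes) runs a sliding-window detector over constructed authentication log lines and flags any source address whose failures exceed a threshold, counting distinct usernames so a reviewer can tell password spraying from a brute-force attempt on one account. The log format is invented for the example.

```python
"""Added example (not from the original page): a sliding-window detector
for repeated failed logins, run over constructed log lines in an invented
'timestamp EVENT user=... src=...' format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional
import re

# Constructed sample log: one source spraying six accounts in six seconds,
# another with two widely separated failures.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z LOGIN_FAIL user=alice src=203.0.113.7
2024-03-01T10:00:02Z LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T10:00:03Z LOGIN_FAIL user=carol src=203.0.113.7
2024-03-01T10:00:04Z LOGIN_FAIL user=dave src=203.0.113.7
2024-03-01T10:00:05Z LOGIN_FAIL user=erin src=203.0.113.7
2024-03-01T10:00:06Z LOGIN_FAIL user=frank src=203.0.113.7
2024-03-01T10:00:07Z LOGIN_OK user=alice src=198.51.100.4
2024-03-01T10:00:10Z LOGIN_FAIL user=alice src=198.51.100.4
2024-03-01T10:30:00Z LOGIN_FAIL user=bob src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; unparseable lines are skipped rather than crashing
    the detector, which matters when the log format drifts."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return one alert per source IP whose failed logins within any
    window_seconds span exceed threshold. distinct_users counts the usernames
    seen from that source so far: many users means spraying, one means
    brute force against a single account."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps of failures in the window
    users = defaultdict(set)      # src -> usernames attempted
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "LOGIN_FAIL":
            continue
        src = rec["src"]
        q = recent[src]
        q.append(rec["ts"])
        users[src].add(rec["user"])
        while q and rec["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = {
                "src": src,
                "failures_in_window": len(q),
                "distinct_users": len(users[src]),
                "first_seen": q[0].isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The detector only works because the application logs failed logins with a timestamp and a source; that is the logging half of the category, and the alert is the monitoring half.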
Server-side request forgery (SSRF) is ranked #10 but is considered highly severe; it was added from the community survey rather than from incidence data.
It occurs when an application fetches a remote resource from a user-supplied URL without validating it, so the attacker chooses where the server connects. Because the request originates from the server, it carries the server’s network position and often its credentials.
These attacks are simple to execute and can have major consequences: reaching internal services behind firewalls, VPNs and network ACLs, reading cloud instance metadata, or port-scanning the internal network from the inside.
Example: an attacker supplies a URL pointing at an internal admin interface or the cloud metadata endpoint instead of the public image or webhook the feature was designed to fetch.
OWASP notes the rise of SSRF is tied to:
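Validating the URL before the server fetches it is the first line of defense. The following added example (not code from the original page or from any product it describes) shows a fetch-by-URL feature that forwards anything, beside a validator that enforces scheme and a host allow-list, rejects embedded credentials, and refuses non-public IP addresses including the link-local cloud metadata address. The allow-listed hosts are constructed. String validation alone is not sufficient: DNS can resolve an allow-listed name to an internal address, so the same address check must be applied to the resolved IP at connect time, which needs a network and is left to the caller.

```python
"""Added example (not from the original page): SSRF defenses for a
'fetch this URL' feature. Allow-listed hosts are constructed. The resolved
address must be re-checked with is_public_address() at connect time."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}  # constructed


class UnsafeURL(ValueError):
    """Raised for any URL the server must not fetch."""


def fetch_url_insecure(url: str) -> str:
    """Vulnerable: would hand any user-supplied URL to an HTTP client
    (the request itself is stubbed here as the request line)."""
    return f"GET {url}"


def is_public_address(ip_text: str) -> bool:
    """False for loopback, private, link-local (169.254.0.0/16, where cloud
    metadata lives), multicast, reserved and other special-use ranges."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def validate_outbound_url(url: str) -> str:
    """Return the URL if it may be fetched, else raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        # 'https://allowed.host@evil.example/' parses with host evil.example.
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        if not is_public_address(host):
            raise UnsafeURL(f"non-public address: {host}")
        raise UnsafeURL("IP literals are not allowed; use an allow-listed hostname")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not allow-listed: {host!r}")
    return url


def url_is_rejected(url: str) -> bool:
    """True when the validator refuses the URL."""
    try:
        validate_outbound_url(url)
    except UnsafeURL:
        return True
    return False


if __name__ == "__main__":
    for candidate in [
        "https://images.example.com/cat.png",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "https://images.example.com@evil.example/x",
        "https://evil.example/x",
    ]:
        print(candidate, "->", "rejected" if url_is_rejected(candidate) else "ok")
```

Redirects deserve the same treatment: an allow-listed host that 302s to an internal address reintroduces the problem unless the client validates each hop.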
Parasoft’s support for OWASP helps users achieve DevSecOps by enforcing security-oriented development practices from the start of a project. With the Parasoft solution, you get:
Out-of-the-box policy/test configurations that are fully configurable.
Standards-native reporting based on OWASP or CWE ID numbers.
Guidance on how to fix vulnerabilities with supported documentation and training content.
Unique real-time feedback that gives users a continuous view of compliance with OWASP and remediation support to better identify and eliminate threat vectors.
Execution from within the IDE and via the CI/CD process to help locate vulnerabilities earlier in the SDLC.
Interactive reports and customizable dashboards, which include exploitability, the prevalence in the field, detectability, and the impact of failure with AI-enhanced automation to help users prioritize and minimize manual triage.