What is OWASP Top 10?
OWASP's periodically updated list of the ten most critical web application security risk categories. The 2021 edition is the current canonical reference (the next major update is expected in 2026-2027). It is used as a baseline coverage requirement for application security tooling.
Full explanation
The OWASP Top 10 is published by the Open Worldwide Application Security Project as a community-curated ranking of the most impactful web application risks. The 2021 edition lists: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Server-Side Request Forgery. The list is revised every 3-4 years based on incident data.
Example
A SOC 2 audit's vulnerability-management control typically requires the application to be scanned for OWASP Top 10 categories on every code change. Securie's Day-1 specialists cover A01 (BOLA / BFLA / IDOR), A02 (crypto-hygiene specialist), A03 (SQL injection / XSS / template injection / SSRF specialists), A07 (auth/authz specialist), A10 (SSRF specialist) directly. Other categories (A04 Insecure Design, A09 Logging) are partially covered through framework-specific specialists.
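As an added illustration of the A01 category named above (BOLA/IDOR and BFLA), here is constructed Python, not Securie's or OWASP's code, showing a record lookup and a privileged delete with and without the authorization checks a scanner for A01 is looking for. The invoice records, user ids and the "user"/"admin" roles are assumed sample data.

```python
"""OWASP A01 Broken Access Control: vulnerable handlers beside hardened ones.
Constructed example with in-memory data (not from Securie or OWASP)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed roles: "user" or "admin"


# Constructed sample store: invoice id -> owner user id and amount.
INVOICES: Dict[int, dict] = {
    101: {"owner": 1, "amount": 250},
    102: {"owner": 2, "amount": 9000},
}
ALICE = User(user_id=1, role="user")
BOB = User(user_id=2, role="user")
ADMIN = User(user_id=99, role="admin")


def get_invoice_vulnerable(user: User, invoice_id: int, store: Dict[int, dict]) -> Optional[dict]:
    """BOLA/IDOR: trusts the caller-supplied id and never checks ownership."""
    return store.get(invoice_id)


def get_invoice_hardened(user: User, invoice_id: int, store: Dict[int, dict]) -> Optional[dict]:
    """Object-level authorization: the record must belong to the caller or the
    caller must be an admin. A foreign id and an unknown id both yield None, so
    the response does not reveal which ids exist."""
    inv = store.get(invoice_id)
    if inv is None:
        return None
    if inv["owner"] != user.user_id and user.role != "admin":
        return None
    return inv


def delete_invoice_vulnerable(user: User, invoice_id: int, store: Dict[int, dict]) -> bool:
    """BFLA: a privileged function reachable by any authenticated user."""
    return store.pop(invoice_id, None) is not None


def delete_invoice_hardened(user: User, invoice_id: int, store: Dict[int, dict]) -> bool:
    """Function-level authorization: only admins may delete. Non-admins get the
    same False as a missing record, again avoiding an existence oracle."""
    if user.role != "admin":
        return False
    return store.pop(invoice_id, None) is not None
```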
FAQ
Is OWASP Top 10 sufficient as a security baseline?
It is the baseline, not the ceiling. Coverage of all 10 categories is necessary, but it is not sufficient for AI-built apps, which face additional risk surfaces (prompt injection, AI-feature attacks, MCP scope abuse) that the 2021 edition does not specifically enumerate. The refresh expected around 2027 is likely to incorporate AI/ML risks more centrally.
How does OWASP Top 10 relate to OWASP API Security Top 10?
Different lists for different surfaces. The Top 10 covers web applications generally; the API Security Top 10 covers API endpoints specifically. Both are maintained by OWASP. AI-built apps with API surfaces are subject to both: coverage of API Security Top 10 categories such as API1 (BOLA), API3 (Excessive Data Exposure) and API4 (Lack of Resources) is the relevant standard for the API layer.