OWASP Top 10
https://owasp.org/Top10/
A01:2021-Broken Access Control tops the list due to widespread issues—3.81% of apps had related CWEs, totaling over 318k instances.
A02:2021-Cryptographic Failures (formerly Sensitive Data Exposure) focuses on broken cryptography, often leading to data leaks or system compromise.
A03:2021-Injection drops to third place; it includes SQL injection and XSS, with an average incidence rate of 3.37% across the 94% of apps tested.
A04:2021-Insecure Design is new, highlighting design flaws that can’t be fixed by good implementation alone.
A05:2021-Security Misconfiguration moves up, with 90% of apps affected. It now absorbs the former XML External Entities (XXE) category, i.e. misconfigured XML parsers.
A06:2021-Vulnerable and Outdated Components rises from #9. Its CWEs have no CVE mapping, which complicates risk assessment.
A07:2021-Identification and Authentication Failures (formerly Broken Authentication) drops in rank but remains critical for access control.
A08:2021-Software and Data Integrity Failures is new and covers risks from unverified updates and insecure CI/CD pipelines (includes insecure deserialization).
A09:2021-Security Logging and Monitoring Failures rises from #10, covering failures that hinder detection and forensics.
A10:2021-Server-Side Request Forgery is new, driven by community concern despite relatively low reported incidence.