The OWASP Top 10 is a widely adopted awareness document representing consensus on the most critical security risks to web applications. It is referenced by many standards (including PCI DSS) as the baseline for application security. It is a starting point — not an exhaustive checklist.
The Top 10 risk categories
| ID | Category | What it is |
|---|---|---|
| A01 | Broken Access Control | Users act outside intended permissions (IDOR, privilege escalation) |
| A02 | Cryptographic Failures | Weak or missing encryption exposing sensitive data |
| A03 | Injection | Untrusted input interpreted as code/queries (SQLi, XSS, command injection) |
| A04 | Insecure Design | Missing or ineffective security controls by design |
| A05 | Security Misconfiguration | Insecure defaults, verbose errors, unhardened components |
| A06 | Vulnerable and Outdated Components | Using components with known vulnerabilities |
| A07 | Identification and Authentication Failures | Weak authentication, session or credential handling |
| A08 | Software and Data Integrity Failures | Unverified updates, insecure deserialisation, CI/CD tampering |
| A09 | Security Logging and Monitoring Failures | Inability to detect and respond to attacks |
| A10 | Server-Side Request Forgery (SSRF) | Server coerced into making unintended requests |
How each is tested and prevented
- Testing combines automated SAST/DAST with manual penetration testing (logic flaws like access control and design cannot be found by tools alone).
- Prevention favours secure design patterns — deny-by-default access control, parameterised queries, output encoding, strong authentication and MFA, dependency management, and centralised logging.
- Design-level risks (A04) are addressed with threat modelling before code is written.
The OWASP companions
| Resource | Purpose |
|---|---|
| ASVS (Application Security Verification Standard) | A detailed, testable set of application security requirements at three levels |
| WSTG (Web Security Testing Guide) | A comprehensive methodology for web application penetration testing |
| MASVS / MASTG | The mobile equivalent for app security verification and testing |
| SAMM (Software Assurance Maturity Model) | A model to measure and improve a secure-development programme |
Building it into your SDLC
- Threat model designs to catch A04 (insecure design) early.
- Adopt secure-coding standards mapped to the Top 10 and CWE.
- Run SAST in CI and DAST against running builds.
- Manage third-party components (SCA) for A06.
- Perform manual penetration testing (WSTG) before major releases.
- Verify against ASVS at the target level for critical applications.
- Remediate, retest and track by category to measure improvement.
Common issues found in testing
- Broken object-level authorisation (IDOR) in APIs.
- Stored/reflected XSS and SQL injection in older code.
- Missing MFA and weak session management.
- Outdated libraries with known CVEs.
- Verbose error messages and unhardened cloud/service configuration.
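The prevention patterns listed under "How each is tested and prevented" and the first two common findings above (IDOR and SQL injection) side by side, as an added example that is not CyberSigma's or OWASP's code: a vulnerable lookup next to its hardened form, using a constructed in-memory SQLite table and hypothetical function names.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one invoice."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", "Q1 retainer"), (2, "bob", "<script>alert(1)</script>")],
    )
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, current_user: str, invoice_id: str) -> list:
    """A01 + A03 in one place: the caller's identity is never checked, so any
    logged-in user can read any invoice by changing the id (IDOR), and the id is
    spliced into the SQL text instead of being passed as a parameter."""
    return conn.execute(f"SELECT note FROM invoices WHERE id = {invoice_id}").fetchall()


def get_invoice_hardened(conn: sqlite3.Connection, current_user: str, invoice_id: str):
    """Deny by default: the row must belong to current_user or nothing is returned.
    The query is parameterised, the id is validated as an integer first, and the
    note is HTML-encoded before it can reach a page (output encoding)."""
    try:
        wanted = int(invoice_id)
    except ValueError:
        return None  # malformed identifiers are rejected, not interpreted
    row = conn.execute(
        "SELECT note FROM invoices WHERE id = ? AND owner = ?",
        (wanted, current_user),
    ).fetchone()
    return html.escape(row[0]) if row else None
```

In a real application the ownership check would also be enforced server-side for every object type, not only invoices, and the denial would be logged to support A09.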
How CyberSigma helps
Our application penetration testing follows the OWASP WSTG and verifies against ASVS — combining automated and manual testing across web, API and mobile — with a detailed report, CVSS ratings and a free retest after fixes.
Frequently asked questions
Is the OWASP Top 10 a standard?
It is an awareness document, not a formal certifiable standard — but it is so widely referenced (including by PCI DSS) that it functions as a de-facto baseline for web app security.
What is OWASP ASVS?
The Application Security Verification Standard is a detailed, testable set of application security requirements — a deeper companion to the awareness-level Top 10.
Need help with OWASP Top 10?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
