
OWASP Top 10

The standard awareness document for the most critical web application risks.

The OWASP Top 10 is a widely adopted awareness document representing consensus on the most critical security risks to web applications. It is referenced by many standards (including PCI DSS) as the baseline for application security. It is a starting point — not an exhaustive checklist.

The Top 10 risk categories

ID    Category                                       What it is
A01   Broken Access Control                          Users act outside intended permissions (IDOR, privilege escalation)
A02   Cryptographic Failures                         Weak or missing encryption exposing sensitive data
A03   Injection                                      Untrusted input interpreted as code/queries (SQLi, XSS, command injection)
A04   Insecure Design                                Missing or ineffective security controls by design
A05   Security Misconfiguration                      Insecure defaults, verbose errors, unhardened components
A06   Vulnerable and Outdated Components             Using components with known vulnerabilities
A07   Identification and Authentication Failures     Weak authentication, session or credential handling
A08   Software and Data Integrity Failures           Unverified updates, insecure deserialisation, CI/CD tampering
A09   Security Logging and Monitoring Failures       Inability to detect and respond to attacks
A10   Server-Side Request Forgery (SSRF)             Server coerced into making unintended requests

How each is tested and prevented

  • Testing combines automated SAST/DAST with manual penetration testing (logic flaws like access control and design cannot be found by tools alone).
  • Prevention favours secure design patterns — deny-by-default access control, parameterised queries, output encoding, strong authentication and MFA, dependency management, and centralised logging.
  • Design-level risks (A04) are addressed with threat modelling before code is written.
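The prevention patterns listed above (deny-by-default object-level access control, parameterised queries, output encoding and logging of denied requests) are easiest to see side by side with the defect they replace. The following Python sketch is an added example, not code from OWASP or from this site; the documents table, the users alice and bob and the in-memory SQLite database are all constructed for the illustration, and the "vulnerable" functions are kept only as the 'before' form for comparison.

```python
import html
import logging
import sqlite3

log = logging.getLogger("appsec-example")


def build_db():
    """Constructed sample data: two users, each owning one document."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [
            (1, "alice", "Alice's <b>private</b> notes"),
            (2, "bob", "Bob's quarterly figures"),
        ],
    )
    conn.commit()
    return conn


# A03 Injection, 'before' form: the caller-supplied id is spliced into the SQL
# text, so anything the caller sends is interpreted by the database as SQL.
def get_documents_vulnerable(conn, doc_id):
    return conn.execute(
        f"SELECT id, owner, body FROM documents WHERE id = {doc_id}"
    ).fetchall()


# A03 hardened: a parameterised query. The driver passes doc_id as a value,
# never as SQL text, so a non-numeric id simply matches nothing.
def get_documents(conn, doc_id):
    return conn.execute(
        "SELECT id, owner, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchall()


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


# A01 Broken Access Control, 'before' form (IDOR): the query is safe, but any
# authenticated user who guesses an id is handed someone else's document.
def view_document_vulnerable(conn, current_user, doc_id):
    row = get_documents(conn, doc_id)[0]
    return row[2]


# A01 hardened: deny by default. The object is released only after an explicit
# ownership check; a missing document and a foreign document get the same
# answer, so the response does not reveal which ids exist. The denial is
# logged (A09) and the body is HTML-encoded before rendering (XSS under A03).
def view_document(conn, current_user, doc_id):
    rows = get_documents(conn, doc_id)
    if not rows or rows[0][1] != current_user:
        log.warning("access denied: user=%s doc_id=%r", current_user, doc_id)
        raise Forbidden("not authorised")
    return html.escape(rows[0][2])


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    db = build_db()
    # The same tautology-style input against the two query forms: the
    # string-built query returns every row, the parameterised one returns none.
    print(len(get_documents_vulnerable(db, "1 OR 1=1")), "rows leaked by the 'before' query")
    print(len(get_documents(db, "1 OR 1=1")), "rows from the parameterised query")
    print(view_document(db, "alice", 1))
    try:
        view_document(db, "alice", 2)
    except Forbidden:
        print("alice denied access to bob's document")
```

The check is deliberately written against the object rather than a role: per-object authorisation is exactly what SAST/DAST tools cannot infer from the code alone, which is why the page's testing bullet pairs them with manual review.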

The OWASP companions

Resource                                              Purpose
ASVS (Application Security Verification Standard)     A detailed, testable set of application security requirements at three levels
WSTG (Web Security Testing Guide)                     A comprehensive methodology for web application penetration testing
MASVS / MASTG                                         The mobile equivalent for app security verification and testing
SAMM (Software Assurance Maturity Model)              A model to measure and improve a secure-development programme

Building it into your SDLC

  1. Threat model designs to catch A04 (insecure design) early.
  2. Adopt secure-coding standards mapped to the Top 10 and CWE.
  3. Run SAST in CI and DAST against running builds.
  4. Manage third-party components (SCA) for A06.
  5. Perform manual penetration testing (WSTG) before major releases.
  6. Verify against ASVS at the target level for critical applications.
  7. Remediate, retest and track by category to measure improvement.

Common issues found in testing

  • Broken object-level authorisation (IDOR) in APIs.
  • Stored/reflected XSS and SQL injection in older code.
  • Missing MFA and weak session management.
  • Outdated libraries with known CVEs.
  • Verbose error messages and unhardened cloud/service configuration.

How CyberSigma helps

Our application penetration testing follows the OWASP WSTG and verifies against ASVS — combining automated and manual testing across web, API and mobile — with a detailed report, CVSS ratings and a free retest after fixes.

Frequently asked questions

Is the OWASP Top 10 a standard?
It is an awareness document, not a formal certifiable standard — but it is so widely referenced (including by PCI DSS) that it functions as a de-facto baseline for web app security.
What is OWASP ASVS?
The Application Security Verification Standard is a detailed, testable set of application security requirements — a deeper companion to the awareness-level Top 10.

Need help with OWASP Top 10?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.