
What is the OWASP Top 10?

The OWASP Top 10 is the Open Web Application Security Project's community-maintained list of the ten most critical web application security risks, refreshed every few years from real-world breach data and used as a baseline by virtually every security audit, framework, and compliance regime in the industry.

Where it comes from

OWASP was founded in 2001 as a nonprofit dedicated to making application security visible. The Top 10 first appeared in 2003 and became the most-cited security document on the web because it was free, vendor-neutral, written for engineers, and refreshed often enough to stay relevant. Today it underpins how everyone from solo founders to Fortune 500 security teams describes risk.

The current categories

The 2021 list (still current at time of writing): Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery (SSRF). Broken Access Control moved to number one in that revision, which surprised no one who reviews pentest reports for a living.

OWASP beyond the Top 10

The Top 10 gets the headlines, but OWASP publishes a much deeper catalog. The Application Security Verification Standard (ASVS) is a 300-plus item checklist of security requirements split into three levels of increasing rigor. The API Security Top 10 covers API-specific risks like broken object-level authorization and excessive data exposure. The Mobile Top 10 does the same for iOS and Android. Mature programs consult all of these — the headline list is a starting point, not a coverage commitment.

Why broken access control is number one

The most common real-world web app vulnerability is not exotic. It is forgetting to check, on a specific endpoint, whether the logged-in user is allowed to read or write the record they are asking about. The classic version: GET /api/invoices/123 returns the invoice even when invoice 123 belongs to a different tenant. Every multi-tenant SaaS has had at least one of these somewhere, often for months, before someone notices. The fix is not a tool — it is disciplined authorization checks on every endpoint, plus tests that verify them. The reason it climbs the rankings every revision is that most teams ship dozens of new endpoints per quarter and only a fraction get an authorization review before they reach production. Without an automated guardrail, the problem grows faster than humans can fix it.
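The invoice example above as an added illustration (not QuantLab's code): a handler that looks up the record by id alone beside its tenant-scoped replacement, plus the kind of automated authorization guardrail the text calls for. The in-memory store, tenant names and invoice ids are constructed for the example.

```python
# Added example: broken access control on "GET /api/invoices/<id>", before and after.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    tenant_id: str
    amount_cents: int


# Constructed sample data: two tenants, three invoices.
INVOICES = {
    123: Invoice(123, "tenant-a", 25_000),
    124: Invoice(124, "tenant-b", 9_900),
    125: Invoice(125, "tenant-a", 1_250),
}


def get_invoice_vulnerable(caller_tenant: str, invoice_id: int) -> Optional[Invoice]:
    # The classic bug: the lookup is keyed on the id alone and caller_tenant is
    # never consulted, so tenant-b can read tenant-a's invoice 123.
    return INVOICES.get(invoice_id)


def get_invoice_scoped(caller_tenant: str, invoice_id: int) -> Optional[Invoice]:
    # Tenant-scoped lookup: ownership is part of the query itself. A record that
    # belongs to another tenant is reported exactly like a missing one, so the
    # response does not reveal which ids exist in other tenants.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != caller_tenant:
        return None
    return inv


def cross_tenant_leaks(handler: Callable[[str, int], Optional[Invoice]]) -> List[Tuple[str, int]]:
    """Authorization guardrail: call the handler as every tenant for every known
    invoice id and return each (tenant, invoice_id) pair where a record owned by
    a different tenant came back. An empty list means no cross-tenant read."""
    tenants = sorted({inv.tenant_id for inv in INVOICES.values()})
    leaks = []
    for tenant in tenants:
        for invoice_id in sorted(INVOICES):
            inv = handler(tenant, invoice_id)
            if inv is not None and inv.tenant_id != tenant:
                leaks.append((tenant, invoice_id))
    return leaks
```

Running `cross_tenant_leaks` over every handler in a test suite turns the per-endpoint authorization review into a check that fails the build whenever a new endpoint forgets the tenant scope.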

At QUANT LAB

Every web application pentest we deliver maps findings to OWASP Top 10 categories so your compliance team can plug the report directly into their SOC 2 or PCI evidence. We also build defensively against the Top 10 on every SaaS platform and web application we ship — tenant-scoped authorization, parameterized queries, secure session management, and structured audit logging are not afterthoughts.

How the list gets compiled

OWASP collects data from dozens of contributing organizations — pentesting firms, bug bounty platforms, security vendors, academic researchers. The methodology weights frequency of occurrence in real assessments alongside exploitability and impact. A category does not appear because it sounds bad; it appears because the contributors saw it often enough in real engagements that it warrants the headline slot. That is why the list shifts every cycle — the threat landscape shifts and the data reflects it.

Want a pentest against the OWASP Top 10?

We test your app against the current Top 10 and ASVS, then ship a report your auditor will accept. Book a 30-minute scoping call.
