OWASP Top 10
The OWASP Top 10 is a community-curated list of the most critical web application security risks, published every 3-4 years by the Open Web Application Security Project. The 2021 list leads with broken access control, cryptographic failures, and injection — each backed by examples, prevention guidance, and detection patterns.
The Top 10 has become the de facto baseline checklist for web application security: PCI-DSS, SOC 2, and most regulatory frameworks reference it explicitly. The framing is risk-based (likelihood × impact), not exploit-popularity-based, which is why broken access control (the #1) covers a huge variety of underlying bugs. The pragmatic use: read the current Top 10 cover-to-cover during onboarding, run a Top-10-aligned audit annually, and ensure every relevant category has at least one automated check in CI. The list does not replace threat modelling for a specific application, but it does cover most of the categories that get teams paged on incident day.
Related terms
- Shift-left security
Shift-left security moves security activities — threat modelling, static analysis, dependency scanning, secret detection — earlier in the development lifecycle, ideally into the developer's IDE and PR workflow.
- Defense in depth
Defense in depth is the security principle of layering multiple independent controls so that a failure in any one doesn't expose the system — input validation plus parameterised queries plus least-privilege database access plus output encoding plus a WAF.
- Principle of least privilege
The principle of least privilege is the security rule that every user, process, and system should have only the minimum permissions needed to do its job — no extra access 'just in case'.
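As an added illustration (not code from the OWASP project or from this page), the injection category from the Top 10 and the defense-in-depth layers listed above, in Python against an in-memory SQLite table constructed for the demo: a concatenated query beside its validated, parameterised, output-encoded counterpart. The PRAGMA query_only step is an assumed stand-in for least-privilege database access, which a real deployment would enforce with database-level grants.

```python
import html
import re
import sqlite3


def make_db():
    # Constructed sample data, not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "<b>Bob</b>")])
    return conn


def lookup_vulnerable(conn, username):
    # No layers at all: the caller's string becomes part of the SQL text,
    # which is the pattern the injection category describes.
    sql = f"SELECT display_name FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_hardened(conn, username):
    # Layer 1: input validation rejects anything that is not a plausible username.
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    # Layer 2: parameterised query; the value travels separately from the SQL text,
    # so it is never parsed as SQL even if layer 1 were bypassed.
    rows = conn.execute("SELECT display_name FROM users WHERE username = ?", (username,))
    # Layer 3: output encoding, so a stored value cannot render as markup downstream.
    return [html.escape(row[0]) for row in rows]


def restrict_to_reads(conn):
    # Layer 4 (assumed stand-in for least privilege): the read path's connection
    # may only read; SQLite's query_only flag rejects any write statement.
    conn.execute("PRAGMA query_only = 1")


def writes_blocked(conn):
    # Returns True when the connection refuses a write, i.e. layer 4 holds.
    try:
        conn.execute("INSERT INTO users VALUES ('eve', 'Eve')")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "x' OR '1'='1"))  # every row comes back
    print(lookup_hardened(db, "bob"))             # one encoded row
    restrict_to_reads(db)
    print(writes_blocked(db))                     # True
```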