OWASP Top 10 Web Application Security Risks 2021

OWASP Top 10 Web Application Security Risks - 2021

Epistemic status: Confident that these are the attacks that OWASP lists. Reasonably confident in their methodology to identify the attacks though I haven't done more than read their Methodology Overview
Epistemic effort: Multiple rounds of awareness training, thinking about each attack and how it might apply to software I work on. Currently working on gathering language-specific resources for each issue.

The OWASP Top 10 are a set of attacks believed to be the most common across a wide range of software. Addressing and preventing these attacks are now broadly considered table stakes for an Application Security program.

Every few years, OWASP surveys their community to ask about applications and the CWEs found in testing those applications. In the most recent 2021 process, the group looked at almost 400 different CWEs. In analyzing these CWEs, they grouped them and focused on the root causes of the issues wherever they could. Each issue category in the 2021 Top 10 averaged 19.6 CWEs grouped to it, with the real range going from 1 (for A10:2021 - Server Side Request Forgery) to 40 (for A04:2021 - Insecure Design).

After grouping the CWEs, the OWASP team extracted CVSS scores for both exploitability and impact for CVEs that mapped to a CWE. They had approximately 125000 CVE records they extracted. They then averaged these values for each category and used that to determine the ordering.

The field of Application Security is evolving rapidly, however, and because it takes time to analyze results, CVE data can be a trailing indicator. To account for more up-to-the-minute results, the statistical data described above was used only to pick 8 of the 10 top categories. The other 2 are from a community survey of active practitioners who were asked to give the highest risks they perceived at the time of the survey.

Top 10 Issues