Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. Initially known as the Open Web Application Security Project, OWASP was founded in 2001 with a mission “to be the global open community that powers secure software through education, tools, and collaboration.” As of 2024, the OWASP foundation has more than 250 local chapters around the world, including Africa, Asia, the Caribbean, Central America, Europe, North America, Oceania, and South America.
What does OWASP do?
OWASP coordinates an array of community-led, open source software projects and industry-leading educational and training conferences. The organization’s projects, tools, documents, forums, and chapters are free of charge and accessible to anyone who is interested in improving application security.
What is the OWASP Top 10?
The OWASP Top 10 is a list of the most critical security risks to web applications, as determined by a broad consensus of security experts around the world. The OWASP Top 10 serves as a guide for companies, DevOps teams, regulators, and other stakeholders charged with ensuring the security of web applications and changing the culture of software development to produce more secure code.
How is the OWASP Top 10 developed?
The OWASP Top 10 list of security threats is based on the experience and expertise of an open community of contributors and consensus among the world’s security experts. The risks are ranked according to several factors, including how often each security vulnerability occurs and the severity and magnitude of its potential impact.
What are the OWASP Top 10 Web Application Security Risks?
- A01:2021 Broken access control allows attackers to gain access to user accounts and act as users or administrators. It may also allow regular users to have unintended privileged functions.
- A02:2021 Cryptographic failures happen when important or sensitive data is compromised as it is stored or transmitted.
- A03:2021 Injection attacks such as SQL injection happen when an attacker sends invalid data or malicious code into a web application in order to make the application do something it is not supposed to do.
- A04:2021 Insecure design flaws occur when an application is developed around processes that are not secure, such as an app with inadequate authentication processes or a website that’s not designed to prevent bots.
- A05:2021 Security misconfiguration includes improperly configured cloud service permissions, default admin passwords left in place, or features installed that aren’t required.
- A06:2021 Vulnerable and outdated components is the risk created by running unsupported or outdated software, libraries, or internal components.
- A07:2021 Identification and authentication failures occur when apps can’t properly confirm and verify user identities or establish secure session management.
- A08:2021 Software and data integrity failures happen when an application’s code and infrastructure can’t fully protect software or data integrity.
- A09:2021 Security logging and monitoring failures are weaknesses in an application’s ability to detect and respond to security risks.
- A10:2021 Server-side request forgery happens when a web application fetches data from a remote resource at a user-supplied URL without validating that URL.
What is the OWASP API Security Project?
In addition to ranking the top 10 web application security risks, OWASP produces the API Security Top 10, a list of the most dangerous security issues and vulnerabilities for application programming interfaces (APIs). The list was originally produced in 2019 and updated in 2023.
What vulnerabilities are on the OWASP API Security Top 10 list?
- API1:2023 Broken Object Level Authorization occurs when API endpoints lack proper access controls on the objects they expose, allowing unauthorized users to access and change other users’ sensitive data.
- API2:2023 Broken Authentication occurs when authentication mechanisms are implemented incorrectly, enabling attackers to compromise authentication tokens or exploit implementation flaws to assume the identities of other users.
- API3:2023 Broken Object Property Level Authorization occurs when APIs do not properly validate authorization at the object property level.
- API4:2023 Unrestricted Resource Consumption involves requests that use large amounts of network bandwidth, CPU, memory, and storage, potentially leading to a denial of service or increased costs.
- API5:2023 Broken Function Level Authorization is caused by authorization flaws stemming from overly complex access control policies with different hierarchies, groups, and roles, as well as an unclear separation between administrative and regular functions.
- API6:2023 Unrestricted Access to Sensitive Business Flows happens when APIs expose a business flow without restricting it or compensating for the potential risk that the function could be used excessively in an automated manner.
- API7:2023 Server Side Request Forgery occurs when an API fetches a remote resource without validating the user-supplied URI, allowing an attacker to coerce the application to send a crafted request to an unexpected destination.
- API8:2023 Security Misconfiguration occurs when software and DevOps engineers fail to properly configure APIs and the systems supporting them.
- API9:2023 Improper Inventory Management happens when IT administrators fail to properly document and update an inventory of hosts and deployed API versions.
- API10:2023 Unsafe Consumption of APIs happens when developers extend trust to third-party APIs without vetting them, leading to a weaker security posture.
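The following is an added example, not code from Akamai or OWASP, that shows the same "get invoice" handler with and without the checks whose absence the A01 (Broken access control), API1 (Broken Object Level Authorization) and API3 (Broken Object Property Level Authorization) entries describe. All records are constructed in memory, and the function and field names are hypothetical.

```python
from dataclasses import asdict, dataclass

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total_cents: int
    internal_note: str   # back-office field a customer must never see

# Constructed sample data: two customers with one invoice each.
INVOICES = {
    1001: Invoice(1001, owner_id=7, total_cents=4999, internal_note="fraud review pending"),
    1002: Invoice(1002, owner_id=8, total_cents=12000, internal_note="VIP, waive late fee"),
}

# Properties a customer is allowed to read (API3: property-level authorization).
CUSTOMER_VISIBLE = ("invoice_id", "total_cents")

def get_invoice_vulnerable(caller_id: int, invoice_id: int) -> dict:
    """A01/API1 pattern: the caller is authenticated, but the record is never
    checked against the caller, so any logged-in user can read any invoice ID.
    It also returns the whole record, including internal_note (API3)."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return {"status": 404}
    return {"status": 200, **asdict(inv)}

def get_invoice_hardened(caller_id: int, invoice_id: int) -> dict:
    """Object-level check: the record's owner must be the caller. A foreign
    invoice gets the same 404 as a missing one, so the response does not
    confirm that the ID exists. Only allow-listed properties are returned."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller_id:
        return {"status": 404}
    return {"status": 200, **{k: getattr(inv, k) for k in CUSTOMER_VISIBLE}}

if __name__ == "__main__":
    # Customer 7 asks for customer 8's invoice.
    print(get_invoice_vulnerable(7, 1002))  # status 200 and internal_note leak
    print(get_invoice_hardened(7, 1002))    # {'status': 404}
    print(get_invoice_hardened(8, 1002))    # owner: status 200, two fields only
```

The ownership test belongs in the handler (or a shared authorization layer it cannot bypass), not in the client or in the choice of hard-to-guess IDs, and a test that calls each endpoint with another user's identifier is the cheapest regression check for this class.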
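As a second added example (again not Akamai's or OWASP's code), this is the validation step that the A10 and API7 (server-side request forgery) entries say is missing: a user-supplied URL is checked for scheme, embedded credentials and, after resolution, for non-public destinations before anything is fetched. The resolver is injected so the example runs offline against a constructed DNS table; `validate_outbound_url`, `is_public_address` and the hostnames are hypothetical.

```python
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local (which includes the cloud
    metadata range 169.254.0.0/16), multicast, reserved and unspecified."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def _addresses_for(host: str, resolve: Callable[[str], Iterable[str]]) -> list[str]:
    """An IP literal is checked directly; a hostname goes through `resolve`."""
    try:
        return [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:
        return list(resolve(host))

def validate_outbound_url(url: str, resolve: Callable[[str], Iterable[str]]) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the application is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname or parts.username is not None:
        return False, "missing host or embedded credentials"
    try:
        addrs = _addresses_for(parts.hostname, resolve)
    except OSError:
        addrs = []
    if not addrs:
        return False, "hostname does not resolve"
    bad = [ip for ip in addrs if not is_public_address(ip)]
    if bad:   # a name with any internal answer is rejected, not just the first one
        return False, f"{parts.hostname} resolves to non-public {bad[0]}"
    return True, "ok"

# Constructed DNS table (not real records) so the example runs offline.
FAKE_DNS = {
    "files.example": ["11.22.33.44"],
    "intranet.corp": ["10.0.0.5"],
    "dual.example": ["11.22.33.45", "127.0.0.1"],   # one public, one loopback
}

def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for u in ("https://files.example/report.pdf", "http://intranet.corp/admin",
              "http://169.254.169.254/", "http://[::1]/", "http://dual.example/"):
        print(u, validate_outbound_url(u, fake_resolve))
```

This check is only effective if the fetch then connects to the address that was validated (and does not follow redirects to unvalidated hosts); resolving the name a second time at connect time reopens the hole, so the HTTP client should be pinned to the checked address or placed behind an egress proxy that enforces the same policy.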
What are other OWASP projects?
OWASP coordinates and oversees a number of high-profile projects.
- Dependency-Track is an intelligent component analysis platform that helps organizations to identify and reduce risk in the software supply chain. Dependency-Track monitors component usage across every version of an application to proactively identify risk throughout an organization.
- Juice Shop is a highly insecure web application designed for use in security training, awareness demos, CTFs (Capture the Flag competitions), and as a guinea pig for security tools. Juice Shop is written with all the vulnerabilities in the OWASP Top 10 as well as many additional security flaws frequently found in real-world applications.
- The OWASP Mobile Application Security Project is a security standard for mobile apps and a comprehensive testing guide. It covers the processes, techniques, and tools used in mobile app security testing and provides an exhaustive set of test cases that help testers produce consistent and comprehensive results.
- The OWASP ModSecurity Core Rule Set is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.
- The Software Assurance Maturity Model offers an effective and measurable way to analyze and improve secure development lifecycles.
- The Web Security Testing Guide Project is the premier cybersecurity testing resource for web application developers and security professionals.
How can OWASP help improve API and web security?
Organizations and their security teams can gain actionable information from the OWASP Top 10 lists. The lists serve as an important checklist for security teams, and as a security standard for DevOps teams. Auditors use the lists when assessing whether organizations are adhering to best practices and development standards for web application security and API protection.