The Open Worldwide Application Security Project (OWASP) top 10 is a self-described list of the most critical vulnerabilities that can be found in web applications today. It is published once every 4 years, and has a target audience consisting of software developers and web application security professionals.

Over the years it has served as a tool for helping to raise awareness and provide education to tech professionals in relation to security risks when building web application software. The OWASP top 10 list is often leveraged to form the baseline of security education programmes, and to assist in the improvement of the security culture within a business.

It is a handy reference document for people to point to when discussing web application security, but how useful is it really?

It’s not a top 10

All but one of the current OWASP top 10 entries is a collection of different vulnerabilities; if we were to add up all the vulnerabilities which make up the OWASP top 10, you would in fact have the OWASP top 205.

Once a simple list of distinct vulnerabilities, over the years the OWASP top 10 has tried to encompass as much as possible. The side effect of doing too much is that it is now harder to use for targeting the most critical risks.

It is no longer a simple list of specific vulnerabilities to target, but an encyclopaedia of vulnerabilities, with large categories containing multiple vulnerabilities.

The OWASP top 10 can be used to categorise the vulnerabilities we discover in our systems, but it doesn’t provide a top 10 list of vulnerabilities to focus on.

It’s not the most critical

“The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.”

Although the messaging on the OWASP top 10 website suggests it’s a list of the most critical risks, it isn’t: it’s a list of the most common risks, as represented by the data.

OWASP has a period before the publishing of a new top 10 list where they gather data from penetration testing and web application security companies, alongside data from the community. This data records which vulnerabilities are commonly being found in the wild, without reference to how critical each vulnerability might be or the risk that it poses.

To really be considered as a list of the most critical risks this data would need to be contextualised with something like the Common Vulnerability Scoring System (CVSS).

That being said, even if you can frame it as the most critical risks…

It’s not in order!

Usually with a top 10 list the item sitting at no.1 is the most, the least, the best, the worst, etc. In the OWASP top 10 this isn’t the case.

The current no.10 item on the list is Server-side Request Forgery (SSRF), a vulnerability which in the worst case scenario can result in the complete takeover of a private network.

Compare that with Cryptographic Failures, which resides at no.2 on the list. An example of this category could be a “weak cipher” that in reality is so difficult to exploit that the risk is much less severe, due to the computing resources required to carry out an attack. This category does cover a number of critical severity vulnerabilities, but not all of them are critical, so how can it sit at no.2 as a collection?

If we’re measuring risk as the likelihood of exploitation × the impact it would have on the business, surely SSRF should be ranked above Cryptographic Failures in the OWASP top 10?

Should we still care about the OWASP top 10?

The OWASP top 10 is not without value. Although it’s not published nearly frequently enough, there is a new version coming in 2025 and it’ll be interesting to understand the commonalities from the data which help shape the new list. Will prompt injection find its way onto the list?

It’s also a valuable resource for those without knowledge of security vulnerabilities: there is a robust breakdown of each item on the list, with code examples and advised mitigations. Whether we’re tackling the most critical web application security risks or not, building up some knowledge and fundamental security awareness makes the OWASP top 10 a valuable resource.

I personally believe it’s outgrown its top 10 moniker, and people looking for the most critical security risks impacting web applications should look elsewhere.

That being said, DevOps, Observability, Hacking, Agile, and now AI are all taking on new meanings, so why not top 10 🤷

Final thoughts

Security communities are difficult to maintain and grow over time. OWASP is an open community, anyone can join and contribute, but looking around their Slack it’s a bit of a graveyard. Evidence of the constraints can be seen in the OWASP top 10 for serverless, which was run by Tal Melamed for years on his own, on a shoestring budget.

The current cadence at which the OWASP top 10 list is published is not compatible with the speed at which the industry evolves, and that cadence is clearly constrained by resources. There is only so much a small community of selfless contributors can achieve, but that small group has helped improve the security culture within businesses across the globe. The plethora of resources, materials, cheat sheets, and security tools are fantastic resources we can all take advantage of, so it’s difficult to write something calling out their most popular resource.

I’m grateful for the OWASP community, but I also believe the OWASP top 10 is a bit of a relic which tries to do too much, a monolith of common security risks within web applications. I believe there is an appetite for something more definitive, where that comes from though I’m not sure. In the meantime I’ll continue to reference and point software developers looking to upskill in security in the direction of the OWASP top 10, and I’ll keep a keen eye on the new release in 2025.

Will we lose the last remaining single vulnerability on the list, SSRF?