Blog | What's Changed in the OWASP Top 10 2021

What's Changed in the OWASP Top 10 2021?

  • 2 min read
  • March 15th, 2022

Since 2017, the OWASP Top 10 has been updated for the first time. The OWASP Top 10 lists what is perceived to be the most critical web application security risks. The list can be a great starting point for increasing your web application security.

Are you wondering what has changed? The list has been reshuffled or subsumed into overarching categories, and three new categories have been added. Read on to learn more about the changes!

Open Source Security for your Java Application

This course will teach you how to detect any security issues in open source libraries that your application is using.

Reshuffled or Subsumed Items

Most items have been replaced or subsumed. ‘Cross-site Scripting’ (XSS), previously at entry A07, is now part of the ‘Injection’ category. Injection has also dropped from the top security risk to third place.

The new top risk that has taken its place is ‘Broken Access Control,’ which has moved up from A05 to A01. According to OWASP, 94% of applications had broken access control.

Cryptographic Failures’ moves up one position and is wedged between the two as the second greatest security risk, which concerns cryptography failures leading to compromise or sensitive data exposure.

Update inbound!

Another interesting change is connected to the category, ‘using components with known vulnerabilities.’ A previous OWASP top 10 entry at a09 has moved up three spots to entry a06 and has been renamed 'vulnerable and outdated components.' This risk is what software composition analysis (SCA) seeks to prevent early on in the software development lifecycle (SDLC) by identifying known vulnerable components that you are using in your application.

The Two Lists Compared

Owasp top 10

New Categories

The highest listed new risk is ‘Insecure Design’ at spotfour- which is said to be a nod to the industry to shift left by using more “threat modeling, secure design patterns and principles, and reference architectures.” A move we applaud!

Also, ‘Server-Side Request Forgery’ (SSRF) and ‘Software Data Integrity Failures’ are new categories of the list. SSRF was added in accordance with the community and what we are experiencing but “it’s not illustrated in the data at this time” and takes the space of A10.

Download our OWASP top 10 White papers
Learn more about the OWASP top 10 by downloading our two white papers:
[White paper OWASP top 10 2017]
[White paper OWASP top 10 2021]

Since 2017, the OWASP Top 10 has been updated for the first time.