What's Changed in the OWASP Top 10 2021?

What’s New? OWASP Top 10 2021 | 3 min. read

Since 2017, the OWASP Top 10 has been updated for the first time. The OWASP Top 10 lists what is perceived to be the most critical web application security risks. The list can be a great starting point for increasing your web application security.

Are you wondering what has changed? The list has been reshuffled or subsumed into overarching categories, and three new categories have been added. Read on to learn more about the changes!

RELATED COURSE
Open Source Security for your Java Application

Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit.


Reshuffled or Subsumed Items

Most items have been replaced or subsumed. ‘Cross-site Scripting’ (XSS), previously at entry A07, is now part of the ‘Injection’ category. Injection has also dropped from the top security risk to third place.

The new top risk that has taken its place is ‘Broken Access Control,’ which has moved up from A05 to A01. According to OWASP, 94% of applications had broken access control.

Cryptographic Failures’ moves up one position and is wedged between the two as the second greatest security risk, which concerns cryptography failures leading to compromise or sensitive data exposure.


Update inbound!
Documents

Another interesting change is connected to the category, ‘using components with known vulnerabilities.’ A previous OWASP top 10 entry at a09 has moved up three spots to entry a06 and has been renamed 'vulnerable and outdated components.' This risk is what software composition analysis (SCA) seeks to prevent early on in the software development lifecycle (SDLC) by identifying known vulnerable components that you are using in your application.

The Two Lists Compared

Owasp top 10

New Categories

The highest listed new risk is ‘Insecure Design’ at spotfour- which is said to be a nod to the industry to shift left by using more “threat modeling, secure design patterns and principles, and reference architectures.” A move we applaud!

Also, ‘Server-Side Request Forgery’ (SSRF) and ‘Software Data Integrity Failures’ are new categories of the list. SSRF was added in accordance with the community and what we are experiencing but “it’s not illustrated in the data at this time” and takes the space of A10.

Download our OWASP top 10 White papers
Learn more about the OWASP top 10 by downloading our two white papers:
[White paper OWASP top 10 2017]
[White paper OWASP top 10 2021]


Since 2017, the OWASP Top 10 has been updated for the first time.

 

Start the free introduction tour to determine Secure DevOps learning paths that benefit your teams