OWASP TOP 10 EXPLAINED

The OWASP Top 10 is a periodically refreshed list of the ten most critical security risks affecting web applications, published by the OWASP Foundation as a public good. Each edition is derived from telemetry across many participating organisations and reviewed by the OWASP community before publication. The current edition (2021) ranges from A01 (Broken Access Control) to A10 (Server-Side Request Forgery). The Top 10 is an awareness document and prioritisation tool — it is not a comprehensive controls catalogue (that role belongs to OWASP ASVS) and not a certification standard in itself.

Yes. The Top 10 is published as a public good, freely available with no licensing fees or access barriers. Anyone — engineers, organisations, regulators, certification bodies — can use it without payment. The canonical reference is at owasp.org/Top10. What you pay for, when obtaining Guardian SecureApp™ certification, is accredited third-party evaluation against OWASP ASVS with Top 10 applied as a prioritisation lens — not access to the Top 10 itself.

OWASP Top 10 is a ranked list of ten most critical risk categories — a prioritisation and awareness tool. OWASP ASVS is a comprehensive catalogue of hundreds of testable verification requirements organised across 14 control families and 3 verification levels — a complete controls catalogue used as the basis of certification. ASVS tells you what to verify; Top 10 tells you which failures to take most seriously. They are complementary, not alternatives. Guardian uses ASVS as the technical basis of Modules A and B; Top 10 as the prioritisation lens applied across that evaluation.

Not formally. OWASP itself does not run a certification programme; the Top 10 is an awareness document, not a certification scheme. Vendors that claim ‘OWASP Top 10 compliance’ are typically self-declaring that their application addresses the categories — which is good practice but is not equivalent to accredited third-party certification. Guardian SecureApp™ provides ISO/IEC 17065-accredited certification anchored in OWASP ASVS with Top 10 used as a prioritisation lens. That is procedurally and substantively different from a self-declared Top 10 compliance claim.

Periodically — historically every three to four years, though OWASP has not committed to a fixed cadence. Major published editions to date include 2003, 2004, 2007, 2010, 2013, 2017, and 2021. Each edition refresh can introduce new categories, retire categories that have decreased in real-world prevalence, restructure existing categories, and re-rank based on the underlying telemetry. Guardian adopts new editions into GSA-PR-01 with appropriate transition guidance for certified clients. Existing certificates remain valid for their original cycle.

A01 covers failures in enforcing what users can and cannot do — privilege escalation (a user reaching admin functions they shouldn’t), IDOR (a user reaching another user’s resources), missing function-level access control, cross-tenant access in multi-tenant systems. It became the top-ranked category in the 2021 edition, displacing Injection, because access-control failures are highly prevalent, often easy to exploit, and typically high-impact. Guardian SecureApp™ engagements pay particular attention to access control across all defined roles — and at higher Levels (2 and 3), test access control through chained scenarios rather than just isolated cases.

Several significant changes. Insecure Design (A04) was added as a new category, structurally addressing risks emerging from the design phase rather than only the implementation phase. Server-Side Request Forgery (A10) was added as a new category reflecting the rise of cloud-native architectures. Injection moved from A01 to A03, reflecting maturation of secure coding practices that have reduced its prevalence faster than other categories’. Broken Access Control rose from A05 (in 2017) to A01 (in 2021). Sensitive Data Exposure was renamed to Cryptographic Failures (A02) to focus on root cause. Several categories were merged or restructured.

Not directly. Guardian’s pass criteria are based on ASVS Level requirements — at the Level chosen for the engagement, the applicable ASVS requirements must be met, with no Critical or High findings unaddressed. The OWASP Top 10 mapping informs prioritisation and severity calibration of findings but does not constitute pass criteria in itself. An application with an issue mapping to A09 (Security Logging and Monitoring) at low severity, for example, would not necessarily fail certification; the same issue at Critical severity would. Severity is the determining factor; Top 10 mapping informs how severity is calibrated.

Many regulatory frameworks reference the Top 10 — formally or by analogy — as a baseline for application security expectations. Indian financial-sector regulations, payment industry security standards (PCI-DSS), healthcare data protection frameworks, and equivalent regulations worldwide commonly reference Top 10 categories. However, regulatory acceptance of Top 10-based assurance varies and is rarely sufficient on its own — regulators typically expect more rigorous evaluation than self-declared Top 10 coverage. Guardian SecureApp™ certification, anchored in ASVS with Top 10 applied as prioritisation, produces evidence that satisfies the more rigorous expectations regulators apply.

A separate Top 10 list specifically focused on API surfaces and their distinct threat profile — different from the general Application Security Top 10 covered on this page. The current edition is the OWASP API Security Top 10 2023 (API1:2023 through API10:2023), which addresses risks specific to APIs that the general Top 10 does not cover well — Broken Object Level Authorization (BOLA), Broken Function Level Authorization (BFLA), unrestricted resource consumption, server-side request forgery in API contexts, and so on. It is the principal technical normative document for Guardian SecureApp™ Module C. Detailed treatment is at /standards/owasp-api-top-10.

Yes. The OWASP Top 10 family includes the Mobile Top 10 (focused on native iOS and Android risks), the Top 10 for LLM Applications (focused on risks specific to large language model applications), the CI/CD Security Top 10 (focused on pipeline and supply-chain risks), and other community-led lists. These are valuable engineering references but, in the current scheme, are not formal Guardian SecureApp™ normative documents — that status applies to the Web Application Top 10 (this page) and the API Security Top 10. Where products have substantial mobile or LLM components, scoping conversations address the relevant Top 10 lists as supplementary context.

During the evaluation, every finding issued is cross-referenced both to the ASVS requirement(s) it represents a failure of, and to the OWASP Top 10 category (or categories) it maps to. Some findings map cleanly to a single category (an SQL injection vulnerability maps to A03 Injection); others span multiple categories (a privilege escalation vulnerability that depends on cryptographic key reuse may map to both A01 Broken Access Control and A02 Cryptographic Failures). The mapping is documented in the Evaluation Report and helps the certified client prioritise remediation work.

Because prioritisation matters. ASVS Level 2 contains hundreds of testable requirements; in any large application evaluation, multiple findings will emerge. The OWASP Top 10 mapping helps everyone — certified client, evaluator, decision-maker — agree on which findings to take most seriously and which to address first. Without a prioritisation framework, all findings would seem equally weighty, which they are not. Top 10 provides the empirically-grounded prioritisation that ASVS itself does not include (ASVS is structured by control family, not by risk priority).

No. Guardian SecureApp™ certificates are anchored in OWASP ASVS for Modules A and B, and in OWASP API Security Top 10 for Module C, because those are the standards that provide sufficient depth to support accredited certification. The general Top 10 is a prioritisation lens, not a certification basis. A certificate referencing only the Top 10 would be a procurement-grade weak signal — confusing rather than clarifying, given the depth of evidence procurement teams now expect.

Yes — within the Evaluation Report (which is confidential to the certified client), every finding is mapped to its OWASP Top 10 category or categories. The Evaluation Report is not public; the certificate, Public Scope Statement and directory listing are. Where the certified client wishes to share Top 10-mapped finding summaries with their customers or auditors, they may do so under the terms of the Certification Agreement; Guardian does not publish per-client Top 10 finding statistics.

Yes. The Top 10’s accessible category names — ‘Broken Access Control’, ‘Cryptographic Failures’, ‘Vulnerable Components’ — are interpretable to product managers, executives, regulators, and procurement teams without engineering background. This makes the Top 10 useful for cross-functional communication: for risk register entries, for board-level security reporting, for explaining audit findings to non-technical leadership. ASVS, by contrast, requires technical fluency to interpret directly. In your communications with non-technical stakeholders, Top 10 framing is typically more accessible; ASVS framing is appropriate for technical-audience materials.