Topic starter
The OWASP Top Ten is a standard awareness document from the Open Web Application Security Project (OWASP) that identifies the most critical security risks to web applications. It serves as a foundational guide for developers, security professionals, and organizations to understand and mitigate the most common and impactful vulnerabilities.
The latest version (OWASP Top Ten 2021) includes the following categories:
| # | Category | Description |
|---|---|---|
| A01:2021 | Broken Access Control | Failures in enforcing proper authorization can let users act outside their intended permissions — e.g., accessing other users’ data or admin functions. |
| A02:2021 | Cryptographic Failures | Formerly “Sensitive Data Exposure.” Involves problems with encryption, data storage, and transmission (e.g., using weak or no encryption). |
| A03:2021 | Injection | Occurs when untrusted data is sent to an interpreter as part of a command or query — e.g., SQL, NoSQL, OS, or LDAP injection. |
| A04:2021 | Insecure Design | Involves flaws in the design phase — missing security controls, misuse of patterns, or poor threat modeling. |
| A05:2021 | Security Misconfiguration | The most common issue — insecure default settings, open cloud storage, verbose error messages, etc. |
| A06:2021 | Vulnerable and Outdated Components | Using software components (libraries, frameworks, etc.) with known vulnerabilities or no longer maintained. |
| A07:2021 | Identification and Authentication Failures | Formerly “Broken Authentication.” Includes weaknesses in authentication mechanisms, session management, and credential handling. |
| A08:2021 | Software and Data Integrity Failures | Issues with integrity checks — e.g., insecure CI/CD pipelines, unsigned code, or trust in external sources. |
| A09:2021 | Security Logging and Monitoring Failures | Lack of logging, monitoring, or alerting allows attackers to persist undetected. |
| A10:2021 | Server-Side Request Forgery (SSRF) | Occurs when an app fetches a remote resource based on unvalidated user input, letting attackers make requests to internal systems. |
Posted : 05/11/2025 6:59 am
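As an added illustration of two entries in the table above, A01 (Broken Access Control) and A03 (Injection), here is a small Python example that is not part of the original post: a lookup that concatenates user input into SQL and never checks ownership, beside a hardened version that binds the input as a parameter and enforces ownership in the query. The in-memory `orders` table and the user names are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "laptop"), (2, "bob", "phone")],
    )
    return conn


def get_order_vulnerable(conn: sqlite3.Connection, order_id: str) -> list:
    """Exhibits A03 and A01.

    A03: order_id is pasted into the statement, so the database parses
         whatever the caller sent as SQL rather than treating it as data.
    A01: nothing ties the order to the caller, so any user can read any
         order simply by changing the id (an insecure direct object reference).
    """
    sql = f"SELECT id, owner, item FROM orders WHERE id = '{order_id}'"
    return conn.execute(sql).fetchall()


def get_order_hardened(conn: sqlite3.Connection, caller: str, order_id: str) -> list:
    """Same lookup with both weaknesses removed.

    A03 fix: validate the type, then bind the value with a placeholder so it
             can never change the structure of the statement.
    A01 fix: the ownership condition lives in the query itself, so the result
             is empty (deny by default) unless the caller owns the order.
    """
    try:
        oid = int(order_id)          # reject anything that is not a numeric id
    except ValueError:
        return []
    sql = "SELECT id, owner, item FROM orders WHERE id = ? AND owner = ?"
    return conn.execute(sql, (oid, caller)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(get_order_vulnerable(db, "1"))               # alice's order
    print(get_order_vulnerable(db, "' OR '1'='1"))     # every order leaks
    print(get_order_hardened(db, "alice", "1"))        # alice's order
    print(get_order_hardened(db, "alice", "2"))        # [] - bob's order denied
    print(get_order_hardened(db, "alice", "' OR '1'='1"))  # [] - rejected
```

The second `print` shows why A03 matters even on a "read-only" endpoint: the injected text turns a one-row lookup into a full-table dump, while the hardened function returns nothing for the same input.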
