📄️ A00:2021 - Introduction
The OWASP Top 10 2021 is all-new, with a new graphic design and an available one-page infographic you can print or obtain from our home page.
📄️ A01:2021 - Broken Access Control
Access control enforces policy such that users cannot act outside of their intended permissions.
📄️ A02:2021 – Cryptographic Failures
The first thing is to determine the protection needs of data in transit and at rest
📄️ A03:2021 – Injection
Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3%, and 274k occurrences.
📄️ A04:2021 – Insecure Design
Insecure design is a broad category representing different weaknesses, expressed as “missing or ineffective control design”
📄️ A05:2021 – Security Misconfiguration
Moving up from #6 in the previous edition, 90% of applications were tested for some form of misconfiguration, with an average incidence rate of 4.%, and over 208k occurrences of a Common Weakness Enumeration (CWE) in this risk category. With more shifts into highly configurable software, it's not surprising to see this category move up.
📄️ A06:2021 – Vulnerable and Outdated Components
It was #2 from the Top 10 community survey but also had enough data to make the Top 10 via data.
📄️ A07:2021 – Identification and Authentication Failures
Previously known as *Broken Authentication*, this category slid down from the second position and now includes Common Weakness Enumerations (CWEs) related to identification failures. Notable CWEs included are *CWE-297: Improper Validation of Certificate with Host Mismatch*, *CWE-287: Improper Authentication*, and *CWE-384: Session Fixation*.
📄️ A08:2021 – Software and Data Integrity Failures
A new category for 2021 focuses on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data.
📄️ A09:2021 – Security Logging and Monitoring Failures
Security logging and monitoring came from the Top 10 community survey (#3), up slightly from the tenth position in the OWASP Top 10 2017. Logging and monitoring can be challenging to test, often involving interviews or asking if attacks were detected during a penetration test. There isn't much CVE/CVSS data for this category, but detecting and responding to breaches is critical. Still, it can be very impactful for accountability, visibility, incident alerting, and forensics.
📄️ A10:2021 – Server-Side Request Forgery
This category is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage and above-average Exploit and Impact potential ratings. As new entries are likely to be a single or small cluster of Common Weakness Enumerations (CWEs) for attention and awareness, the hope is that they are subject to focus and can be rolled into a larger category in a future edition.
📄️ A11:2021 – Next Steps
By design, the OWASP Top 10 is innately limited to the ten most significant risks. Every OWASP Top 10 has “on the cusp” risks considered at length for inclusion, but in the end, they didn’t make it. No matter how we tried to interpret or twist the data, the other risks were more prevalent and impactful.