Skip to main content
Build the future with Agentforce at TDX in San Francisco or on Salesforce+ on March 5–6. Register now.

Learn the OWASP Top 10

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify your role in protecting organizational assets.
  • Explain how the Open Web Application Security Project (OWASP) Top 10 helps you protect your organization.
  • Describe which OWASP vulnerabilities are most common.

Why Is OWASP Important to You?

OWASP stands for the Open Web Application Security Project. This open-source project spreads the word about application security vulnerabilities, best practices, and remediations. OWASP also provides free tools, libraries, and application programming interfaces (APIs) to help developers build secure and robust applications. Every few years, the project compiles a list of the 10 most common and dangerous types of web attacks, known as the OWASP Top 10. 

Why is it important for you to know about these vulnerabilities? As a developer, you and your code are prime targets for web attacks. Fluency in the most prevalent kinds of security vulnerabilities is vital for ensuring your code is secure at all times. 

This module introduces you to some of the 10 most important security vulnerabilities, but it is only an introduction. The next step is to set yourself up for success by learning more about the Secure Development Lifecycle (SDL) and implementing it when you develop your code. You can learn more in the next module, Secure Development Lifecycle.

The OWASP Top 10

The OWASP Top 10 lists web application security risks in descending order of severity, with the first category, broken access control, identified as the most critical.

  1. Broken access control
  2. Cryptographic failures
  3. Injection
  4. Insecure design
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and data integrity failures
  9. Security logging and monitoring failures
  10. Server-side request forgery

Now that you’ve been introduced to these security vulnerabilities, let’s learn about a program that security researchers and organizations use to find and disclose them.

Bug Bounty, OWASP, and You

Bug bounty programs work by offering a monetary reward, or bounty, to security researchers who responsibly discover and disclose security issues (or bugs) they find on your systems. This helps your security and product teams secure your products and minimizes the impact of zero-day attacks, those that result from unknown vulnerabilities in an organization. One well-known bug bounty program is HackerOne Bounty, a global community of skilled security researchers who collaborate with organizations to identify and resolve vulnerabilities in their software and systems. 

A computer bug being traded for a bounty.

The HackerOne bug bounty program validates the OWASP Top 10’s relevance, as many vulnerabilities discovered within participating organizations are found at a similar frequency and impact level as those identified in the OWASP list.

While bug bounty teams can report major security issues like XSS and information disclosure vulnerabilities, it is still up to you, as a developer, to prevent breaches and make it more difficult for hackers to carry out these attacks. 

To do so, you can perform a static analysis on all of your code. Companies such as Checkmarx, Snyk, and WhiteSource provide tools for software composition analysis (SCA). These scan source code and identify security vulnerabilities such as buffer overflows, SQL injection, XSS, and information disclosure vulnerabilities, as well as the rest of the OWASP Top 10, SANS 25, and other standard awareness documents used in the security industry. These analyses can help your organization continue to minimize security vulnerabilities.  

You’ve now been introduced to the OWASP Top 10 and its relevance to your security responsibilities. In the next unit, we dive deeper into two of these common vulnerabilities so that you can learn how to identify and prevent them.

Knowledge Check

Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the term in the left column next to the matching description on the right. When you finish matching all the items, click Submit to check your work. To start over, click Reset.

Great work!

Now that we’ve learned about the OWASP top 10, let’s take a look at how we can prevent some of these common attacks.

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback