
Learn the OWASP Top 10

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify your role in protecting organizational assets.
  • Explain how the Open Web Application Security Project (OWASP) Top 10 helps you protect your organization.
  • Describe which OWASP vulnerabilities are most common.

Why Is OWASP Important to You?

OWASP stands for the Open Web Application Security Project. This open-source project spreads the word about application security vulnerabilities, best practices, and remediations. OWASP also provides free tools, libraries, and application programming interfaces (APIs) to help developers build secure and robust applications. Every few years, the project compiles a list of the 10 most common and dangerous types of web attacks, known as the OWASP Top 10. 

Why is it important for you to know about these vulnerabilities? As a developer, you and your code are prime targets for web attacks. Fluency in the most prevalent kinds of security vulnerabilities is vital for ensuring your code is secure at all times. 

This module introduces you to some of the 10 most important security vulnerabilities, but it is only an introduction. The next step is to set yourself up for success by learning more about the Secure Development Lifecycle (SDL) and implementing it when you develop your code. You can learn more in the next module, Secure Development Lifecycle.

The OWASP Top 10

The OWASP Top 10 are listed here in descending order of risk.

  1. Broken access control
  2. Cryptographic failures
  3. Injection
  4. Insecure design
  5. Security misconfiguration
  6. Vulnerable and outdated components
  7. Identification and authentication failures
  8. Software and data integrity failures
  9. Security logging and monitoring failures
  10. Server-side request forgery

Now that you’ve been introduced to these security vulnerabilities, let’s learn about the programs that security researchers and organizations use to find and disclose them.

Bug Bounty, OWASP, and You

Bug bounty programs work by offering a monetary reward, or bounty, to security researchers who responsibly disclose security issues (or bugs) they find on your systems. This helps your security and product teams secure your products and minimizes the impact of zero-day attacks, which exploit vulnerabilities the organization does not yet know about. One of the most comprehensive lists of bug bounty programs on the internet is maintained by the HackerOne platform.

Bugs fall into specific categories such as the following. Note that in some instances HackerOne uses slightly different category names than the OWASP Top 10, for example Information Disclosure instead of Sensitive Data Exposure.

  • Cross-Site Scripting (XSS): 23%
  • Information Disclosure: 18%
  • Improper Access Control: 10%
  • Improper Authentication: 7%
  • Violation of Secure Design Principles: 6%
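The following example is added here and is not code from the Trailhead module. It shows three of the issues named on this page, Broken Access Control (OWASP #1), Injection (OWASP #3, as SQL injection) and Cross-Site Scripting (the largest bug bounty category above), each as a vulnerable function beside its hardened form. The invoice table, the user names and the probe string are constructed for the demonstration; the only dependencies are the standard library's `sqlite3` and `html` modules.

```python
# Added example: not code from the Trailhead module. It contrasts a vulnerable
# and a hardened form of three issues named on the page: Broken Access Control
# (OWASP #1), Injection (#3, here SQL injection) and Cross-Site Scripting (the
# top HackerOne category). The database, users and invoices are constructed.
import html
import sqlite3


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def make_db():
    """Build a constructed in-memory invoice table shared by the examples."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "alice", 40)],
    )
    conn.commit()
    return conn


# --- Injection (OWASP #3) -------------------------------------------------
def find_invoices_vulnerable(conn, owner):
    """Defect: the untrusted value is spliced into the SQL text itself."""
    sql = "SELECT id, owner, amount FROM invoices WHERE owner = '" + owner + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_invoices_safe(conn, owner):
    """Fix: a parameterized query keeps the value out of the SQL grammar."""
    sql = "SELECT id, owner, amount FROM invoices WHERE owner = ? ORDER BY id"
    return conn.execute(sql, (owner,)).fetchall()


# --- Broken access control (OWASP #1) --------------------------------------
def get_invoice_vulnerable(conn, current_user, invoice_id):
    """Defect: the caller is authenticated, but ownership is never checked."""
    sql = "SELECT id, owner, amount FROM invoices WHERE id = ?"
    return conn.execute(sql, (invoice_id,)).fetchone()


def get_invoice_safe(conn, current_user, invoice_id):
    """Fix: the ownership check is part of the query, so it cannot be skipped."""
    sql = "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?"
    row = conn.execute(sql, (invoice_id, current_user)).fetchone()
    if row is None:
        # Same outcome whether the invoice is missing or belongs to someone
        # else, so the response does not reveal which ids exist.
        raise Forbidden(f"user {current_user!r} may not read invoice {invoice_id}")
    return row


# --- Cross-Site Scripting ---------------------------------------------------
def greeting_vulnerable(display_name):
    """Defect: user-controlled text lands in HTML unencoded."""
    return "<p>Hello, " + display_name + "</p>"


def greeting_safe(display_name):
    """Fix: encode for the HTML context before interpolating."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test value: a tautology in SQL syntax
    print("vulnerable:", find_invoices_vulnerable(db, probe))  # every row
    print("safe:      ", find_invoices_safe(db, probe))        # no rows
    print(get_invoice_vulnerable(db, "alice", 2))              # bob's invoice
    try:
        get_invoice_safe(db, "alice", 2)
    except Forbidden as exc:
        print("blocked:", exc)
    print(greeting_safe("<b>Mallory</b>"))
```

The pattern in each hardened function is the same: keep untrusted input out of the grammar it could alter (SQL, HTML) and make the authorization decision at the point where data is fetched rather than in a check that a later code path can forget. A static analysis tool of the kind mentioned below typically flags the three vulnerable functions here as string-built SQL, a missing authorization check, and unencoded output.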

While bug bounty researchers can report major security issues like XSS and information disclosure vulnerabilities, it is still up to you, as a developer, to prevent breaches and make it more difficult for attackers to carry out these attacks.

To do so, you can perform static analysis on all of your code. Companies such as Checkmarx, Snyk, and WhiteSource provide tools for static analysis and software composition analysis (SCA). These scan source code and its dependencies to identify security vulnerabilities such as buffer overflows, SQL injection, XSS, and information disclosure vulnerabilities, as well as the rest of the OWASP Top 10, the SANS 25, and other standard awareness documents used in the security industry. Running these analyses routinely helps your organization keep reducing its security vulnerabilities.

You’ve now been introduced to the OWASP Top 10 and its relevance to your security responsibilities. In the next unit, we dive deeper into two of these common vulnerabilities so that you can learn how to identify and prevent them.


Now that we’ve learned about the OWASP Top 10, let’s take a look at how we can prevent some of these common attacks.
