
OWASP Top 10: What Every Developer Must Know

By Vishalini Devarajan

Security gets treated as someone else’s problem right up until the breach. Most data leaks and application compromises are not caused by sophisticated zero-day exploits; they are caused by the same ten categories of mistakes that have appeared on the OWASP Top 10 for years. OWASP, the Open Worldwide Application Security Project, maintains this list based on real vulnerability data from thousands of organisations.

Table of contents


  1. TL;DR Summary
  2. What is OWASP and Why Does the Top 10 Matter?
  3. The OWASP Top 10: Each Risk Explained
    • A01: Broken Access Control
    • A02: Cryptographic Failures
    • A03: Injection
    • A04: Insecure Design
    • A05: Security Misconfiguration
    • A06: Vulnerable and Outdated Components
    • A07: Identification and Authentication Failures
    • A08: Software and Data Integrity Failures
    • A09: Security Logging and Monitoring Failures
    • A10: Server-Side Request Forgery (SSRF)
  4. OWASP Top 10: Quick Reference
  5. Common Mistakes Developers Make with Security
  6. Conclusion
  7. FAQ
    • What is the OWASP Top 10?
    • Why should developers know the OWASP Top 10?
    • What is the most common OWASP vulnerability?
    • What is SQL injection and how do you prevent it?
    • How often is the OWASP Top 10 updated?
    • What is SSRF in the OWASP Top 10?
    • What is the difference between authentication and access control vulnerabilities?

TL;DR Summary

  • The OWASP Top 10 is the industry’s standard list of the most critical web application security risks, updated by security professionals worldwide and referenced by compliance frameworks like PCI-DSS and SOC 2.
  • As a developer, these are not just theoretical threats; most of them are caused by common coding patterns you probably use every day. This blog walks through all ten, what they actually mean in code, and what you do about them.

Want to master secure software development, full-stack engineering, and build applications that hold up in the real world? Check out HCL GUVI’s Cybersecurity course designed for developers who want to build production-grade applications, not just prototypes.

What is OWASP and Why Does the Top 10 Matter?

OWASP is a nonprofit foundation that produces freely available security guidance for developers, testers, and organisations. The OWASP Top 10 is not a comprehensive list of every possible vulnerability; it is a curated, prioritised list of the risks with the highest impact and widest prevalence, based on data collected from real-world applications.

Why it matters beyond just ‘good practice’: PCI-DSS (payment industry), SOC 2, ISO 27001, and HIPAA all reference OWASP in their security requirements. If your application handles payments, health data, or enterprise user data, regulators and auditors will ask whether you have addressed these ten categories.

More practically, attackers scan for exactly these vulnerabilities because they are so common.


The OWASP Top 10: Each Risk Explained

A01: Broken Access Control

The most common and highest-impact risk. Access control decides who can do what in your application, and broken access control means users can do things they should not be able to. This includes accessing another user’s account data, performing admin actions without admin privileges, or accessing URLs that are not linked in the UI but are also not actually protected.

In code, this usually means checking roles only in the frontend, not validating permissions on every API endpoint, or relying on sequential IDs without verifying ownership. Fix: enforce access control server-side on every request, every time.
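An added example (not code from the original post) of the server-side check described above: the handler looks the record up by its sequential ID and then verifies ownership or role before returning it. The session object, role names and the in-memory invoice table are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    """Constructed stand-in for an authenticated server-side session."""
    user_id: int
    role: str  # "user" or "admin" (constructed role names)

# Constructed in-memory "database" of invoices keyed by sequential ID.
INVOICES = {
    1001: {"owner_id": 1, "total": 120.0},
    1002: {"owner_id": 2, "total": 80.0},
}

class Forbidden(Exception):
    pass

def get_invoice(session: Session, invoice_id: int) -> dict:
    """Return an invoice only if the caller owns it or is an admin.

    Looking the record up by ID alone is the ownership bug the article
    describes; the comparison against session.user_id is the fix.
    """
    record = INVOICES.get(invoice_id)
    if record is None:
        # Same response for "missing" and "not yours", so IDs reveal nothing.
        raise Forbidden("not found or not permitted")
    if session.role != "admin" and record["owner_id"] != session.user_id:
        raise Forbidden("not found or not permitted")
    return record

def delete_invoice(session: Session, invoice_id: int) -> bool:
    """Admin-only action: the role is checked here, on the server, not in the UI."""
    if session.role != "admin":
        raise Forbidden("admin role required")
    return INVOICES.pop(invoice_id, None) is not None
```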

A02: Cryptographic Failures

Previously called ‘Sensitive Data Exposure’, this category’s new name is more accurate. The risk is not just failing to encrypt data; it is using weak encryption, storing passwords in plain text or with MD5, transmitting data over HTTP, or using hardcoded encryption keys.

The rule is simple: any data that would cause harm if exposed needs encryption at rest and in transit, using current standards (AES-256, TLS 1.2+, bcrypt or Argon2 for passwords).

A03: Injection

SQL injection is the classic example, but injection covers any case where untrusted user input is interpreted as code or commands: SQL, LDAP, OS commands, XML. If you are building a query by concatenating strings with user input, you are vulnerable.

# VULNERABLE: never do this. The input becomes part of the SQL text,
# so a quote character in it changes the query itself.
query = "SELECT * FROM users WHERE username = '" + username + "'"
cursor.execute(query)

# SAFE: use parameterised queries. The driver binds the value separately,
# so it can never be parsed as SQL.
query = "SELECT * FROM users WHERE username = ?"
cursor.execute(query, (username,))

Parameterised queries and ORMs used properly (not raw query construction) eliminate SQL injection. Input validation and allowlists handle the rest.

A04: Insecure Design

This is the only category that cannot be fixed with a patch; it means the security problem is in how the feature was designed, not just how it was implemented. Missing rate limiting on a login endpoint, no account lockout after failed attempts, or no email verification on account creation are design failures. Fix: threat-model during design, not after.

A05: Security Misconfiguration

Default credentials left unchanged, directory listing enabled, verbose error messages showing stack traces in production, unnecessary ports open, cloud storage buckets set to public: misconfiguration is one of the most prevalent risks precisely because it is invisible unless you go looking.

💡 Did You Know?

The Equifax data breach of 2017, which exposed the personal information of approximately 147 million people, was traced to an unpatched vulnerability in Apache Struts. Incidents like this are a major reason why OWASP A06: Vulnerable and Outdated Components remains one of the most critical security risks in modern applications. Even a single outdated library or framework can create an entry point for attackers, making regular patching, dependency monitoring, and software updates essential cybersecurity practices.

A06: Vulnerable and Outdated Components

Every dependency you install has its own dependencies, and any of them can carry known vulnerabilities. Running npm audit, pip-audit, or Snyk as part of your CI/CD pipeline catches known vulnerable packages before they reach production. Fix: keep dependencies updated, subscribe to security advisories for your core dependencies, and drop packages you no longer use.

A07: Identification and Authentication Failures

Weak password policies, no multi-factor authentication, session tokens that do not expire, allowing credential stuffing without rate limiting, or storing sessions in insecure cookies. Fix: use a proven auth library rather than rolling your own, implement MFA, enforce session timeouts, and rate-limit authentication endpoints.
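An added example (not code from the original post) covering the control that A04 says must be designed in and A07 says must sit in front of every authentication endpoint: a sliding-window failed-login counter with a temporary account lockout, checked before the password is even evaluated. The thresholds and the injectable clock are assumptions for the demo.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures allowed per account within the window (assumed)
WINDOW_SECONDS = 300    # sliding window length (assumed)
LOCKOUT_SECONDS = 900   # how long an account stays locked after the threshold (assumed)

class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # account -> timestamps of failures
        self._locked_until = {}               # account -> unlock time

    def _prune(self, account: str, now: float) -> None:
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                        # drop failures outside the window

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        return until is not None and self._clock() < until

    def record_failure(self, account: str) -> bool:
        """Record a failed attempt; return True if this one triggered a lockout."""
        now = self._clock()
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account].clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)      # a good login resets the counter

def attempt_login(guard: LoginGuard, account: str, password_ok: bool) -> str:
    """Return 'locked', 'ok' or 'denied'. The lockout check runs first."""
    if guard.is_locked(account):
        return "locked"                        # do not evaluate the password at all
    if password_ok:
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "denied"
```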

A08: Software and Data Integrity Failures

This covers two things: deserialising untrusted data without validation (which can lead to remote code execution), and using build or update pipelines that do not verify the integrity of the code being deployed. The SolarWinds supply chain attack is the extreme example.

Fix: verify signatures on dependencies, use Subresource Integrity for CDN-loaded scripts, and never deserialise data from untrusted sources without a schema check.
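An added example (not code from the original post) of two of the fixes above: computing and checking a Subresource Integrity value for a script body, and a schema check applied to deserialised JSON before it is trusted. The script text, the `ORDER_SCHEMA` fields and the `load_order` helper are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value ("sha384-<base64 digest>") for body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """Check fetched bytes against a pinned integrity value (constant-time compare)."""
    algo, _, _expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False                           # SRI only allows SHA-2 family hashes
    return hmac.compare_digest(sri_value(body, algo), integrity)

# Constructed schema: field name -> required Python type. Unlisted fields are rejected.
ORDER_SCHEMA = {"order_id": int, "sku": str, "quantity": int}

def load_order(raw: str) -> dict:
    """Deserialise JSON and reject anything that does not match the schema exactly."""
    data = json.loads(raw)
    if not isinstance(data, dict) or set(data) != set(ORDER_SCHEMA):
        raise ValueError("unexpected or missing fields")
    for field, typ in ORDER_SCHEMA.items():
        if type(data[field]) is not typ:       # exact type: bool is not accepted as int
            raise ValueError(f"bad type for {field}")
    if data["quantity"] <= 0:
        raise ValueError("quantity must be positive")
    return data
```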

A09: Security Logging and Monitoring Failures

If your application is being attacked right now, would you know? Most teams would not, because they are not logging authentication failures, privilege escalations, or input validation errors in a way that anyone monitors. Security incidents discovered internally are caught on average 200 days after they start.

Fix: log every authentication event, failed access control check, and input validation error, and alert on anomalies.
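An added example (not code from the original post) of the alerting side of this fix: detection logic run over a few constructed authentication and access-control log lines, raising an alert on a burst of failed logins against one account and on a role change shortly after a failed access-control check. The log line format, event names and thresholds are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <event> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 AUTH_FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:02 AUTH_FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:03 AUTH_FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:04 AUTH_FAIL user=alice ip=203.0.113.5
2024-03-01T10:00:05 AUTH_OK user=bob ip=198.51.100.7
2024-03-01T10:00:06 ACCESS_DENIED user=bob ip=198.51.100.7
2024-03-01T10:00:07 ROLE_CHANGE user=bob ip=198.51.100.7
2024-03-01T10:20:00 AUTH_FAIL user=carol ip=203.0.113.9
"""

FAIL_THRESHOLD = 3                 # failed logins per account before alerting (assumed)
FAIL_WINDOW = timedelta(minutes=5) # window for both detections (assumed)

def parse_line(line: str) -> dict:
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    rec.update(f.split("=", 1) for f in fields)   # key=value pairs become dict entries
    return rec

def detect(log_text: str) -> list:
    """Return alert strings for suspicious sequences in the log."""
    alerts = []
    fails = defaultdict(list)      # user -> timestamps of AUTH_FAIL inside the window
    last_denied = {}               # user -> time of last ACCESS_DENIED
    alerted_burst = set()          # alert once per account, not once per failure
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "AUTH_FAIL":
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) >= FAIL_THRESHOLD and user not in alerted_burst:
                alerts.append(f"burst of failed logins for {user} from {rec['ip']}")
                alerted_burst.add(user)
        elif rec["event"] == "ACCESS_DENIED":
            last_denied[user] = ts
        elif rec["event"] == "ROLE_CHANGE" and user in last_denied:
            if ts - last_denied[user] <= FAIL_WINDOW:
                alerts.append(f"role change for {user} shortly after an access denial")
    return alerts
```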

A10: Server-Side Request Forgery (SSRF)

When your server fetches a URL based on user-supplied input, an attacker can point that URL at internal services: your cloud metadata endpoint, internal databases, or admin interfaces that are not exposed externally. SSRF attacks against AWS metadata endpoints have been behind several high-profile breaches.
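An added example (not code from the original post) of the two SSRF controls listed in the quick reference below: an allowlist of hosts the server may fetch, and a refusal of any destination that resolves to a private, loopback or link-local address (the range the cloud metadata endpoint lives in). The allowlist and the static resolver table are constructed so the demo runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # constructed allowlist

# Constructed resolver table. A real service resolves via DNS, checks every
# returned address, and then connects to that same address (otherwise a
# second lookup at connect time could return a different, internal address).
STATIC_DNS = {"api.example.com": "93.184.216.34", "cdn.example.com": "10.0.0.5"}

def is_public_address(addr: str) -> bool:
    """True only for addresses that are routable on the public internet."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_fetch_url(url: str, resolver=STATIC_DNS.get) -> str:
    """Return the resolved public IP the server may connect to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http(s) may be fetched")
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        # Literal IPs such as the metadata address never pass this check,
        # because only names are ever placed on the allowlist.
        raise ValueError("host not in allowlist")
    resolved = resolver(host)
    if resolved is None:
        raise ValueError("host does not resolve")
    if not is_public_address(resolved):
        # An allowlisted name that points inside the network is still refused.
        raise ValueError("host resolves to a non-public address")
    return resolved
```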

OWASP Top 10: Quick Reference

| #   | Risk                                     | One-Line Fix                                                             |
|-----|------------------------------------------|--------------------------------------------------------------------------|
| A01 | Broken Access Control                    | Enforce permissions server-side on every request                         |
| A02 | Cryptographic Failures                   | Encrypt sensitive data at rest and in transit; use bcrypt/Argon2         |
| A03 | Injection                                | Use parameterised queries; never concatenate user input into commands    |
| A04 | Insecure Design                          | Threat-model during design, not after; build in rate limiting and lockouts |
| A05 | Security Misconfiguration                | Disable defaults; hide stack traces; audit configs automatically         |
| A06 | Vulnerable and Outdated Components       | Run dependency audits in CI; keep packages updated; remove unused deps   |
| A07 | Auth and Identification Failures         | Use proven auth libraries; add MFA; enforce session expiry               |
| A08 | Software and Data Integrity Failures     | Verify signatures; use SRI for CDN scripts; validate deserialised data   |
| A09 | Security Logging and Monitoring Failures | Log auth and access events; alert on anomalies; monitor actively         |
| A10 | Server-Side Request Forgery              | Allowlist URLs your server fetches; block private IP ranges              |

Common Mistakes Developers Make with Security

1. Treating security as a post-launch task: Security findings found in design cost almost nothing to fix. The same finding found after launch, especially after a breach, can cost orders of magnitude more in remediation, regulatory fines, and reputational damage. Make security part of the definition of done, not a separate phase.

2. Rolling your own authentication: Authentication is one of the hardest things to implement correctly. Session management, password hashing, token expiry, and brute-force protection all have subtle failure modes. Use a battle-tested library or service (Auth0, Firebase Auth, Django’s built-in auth) and reserve your engineering time for business logic.

3. Trusting client-side validation alone: Every input validation check in your frontend (required fields, email formats, max lengths) can be bypassed by anyone who opens the browser console or sends a raw HTTP request. Always validate server-side. Client-side validation is a UX feature, not a security control.

Conclusion

The OWASP Top 10 highlights the most common web application security risks, including broken access control, injection, cryptographic failures, and misconfiguration. These vulnerabilities often arise from insecure coding practices, making secure development essential for building reliable and trustworthy applications.

FAQ

1. What is the OWASP Top 10?

The OWASP Top 10 is a list of the ten most critical web application security risks, maintained by the Open Worldwide Application Security Project. It is compiled from real-world vulnerability data across thousands of organisations and updated periodically to reflect the current threat landscape.

2. Why should developers know the OWASP Top 10?

Most web application breaches are caused by vulnerabilities that appear on the OWASP Top 10, not by sophisticated zero-day exploits. Understanding these risks helps developers avoid common coding mistakes that lead to data breaches, and the list is also referenced by compliance frameworks like PCI-DSS, SOC 2, and HIPAA.

3. What is the most common OWASP vulnerability?

Broken Access Control (A01) has ranked as the most common risk in the latest OWASP Top 10, appearing in over 94% of tested applications. It occurs when users can access resources or perform actions they should not be authorised for, typically because permissions are only checked in the frontend or inconsistently enforced.

4. What is SQL injection and how do you prevent it?

SQL injection is a type of injection attack where user-supplied input is inserted directly into a database query, allowing attackers to manipulate the query. Prevent it by using parameterised queries or prepared statements rather than building queries through string concatenation with user input.

5. How often is the OWASP Top 10 updated?

OWASP updates the Top 10 periodically, approximately every three to four years, based on new vulnerability data collected from participating organisations. The current version is the 2021 edition. Major updates reflect shifts in how applications are built and how attackers are targeting them.

6. What is SSRF in the OWASP Top 10?

Server-Side Request Forgery (A10) is a vulnerability where an attacker tricks the server into making HTTP requests to unintended destinations, often internal services, cloud metadata endpoints, or admin interfaces not exposed publicly.


7. What is the difference between authentication and access control vulnerabilities?

Authentication (A07) failures are about correctly verifying who a user is: weak passwords, missing MFA, insecure session management. Access control (A01) failures are about correctly limiting what an authenticated user is allowed to do, checking permissions on every endpoint, and validating resource ownership.
