OWASP Top 10: What It Is, What It Is Not, and How to Use It in Practice

October 3, 2024

The OWASP Top 10 is referenced in procurement requirements, compliance frameworks, penetration test scoping documents, and developer training curricula more than any other application security document. That prevalence has created a specific problem: organisations that treat OWASP Top 10 coverage as a sufficient definition of application security testing are systematically missing large parts of the attack surface. Understanding what the document actually is and was designed to do is necessary to use it well.

The OWASP Top 10 is a consensus list of the most critical web application security risk categories, updated every few years based on data submissions from security testing organisations. It identifies broad categories of risk, not specific vulnerabilities. Its purpose is awareness and prioritisation: helping organisations understand which categories of risk are most prevalent and consequential in web applications. It is not a testing methodology, a complete taxonomy of web application vulnerabilities, or a specification for what a security test should cover.

What the Top 10 Categories Cover

The current edition of the Top 10 covers categories including broken access control, cryptographic failures, injection vulnerabilities, insecure design, security misconfiguration, vulnerable and outdated components, authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery. Each category is a broad grouping: "injection" covers SQL injection, command injection, LDAP injection, and other injection classes. "Broken access control" covers horizontal privilege escalation, insecure direct object references, missing function-level access control, and related issues.

These categories represent genuine, high-prevalence risks. They are worth understanding and testing against. The issue is what they do not cover. The OWASP Top 10 does not cover business logic vulnerabilities, which are specific to an application's intended behaviour and cannot be generalised across applications. It does not cover application-specific authorisation design flaws beyond the general category. It does not cover vulnerabilities specific to particular technology stacks, communication protocols, or integration patterns. A security test that only checks for OWASP Top 10 categories will miss a significant proportion of the vulnerabilities a skilled attacker would find.

Common Misuses of the OWASP Top 10

The most damaging misuse of the OWASP Top 10 is treating it as a complete test scope in procurement documents or compliance requirements. A security test requirement that specifies "testing against the OWASP Top 10" defines a test that will check for the presence of known vulnerability patterns in broad categories. It does not define a penetration test in the meaningful sense of the term. A skilled penetration tester approaches an application by understanding its architecture, data flows, authentication model, and business functions, and then looking for vulnerabilities in the context of that understanding. OWASP coverage is a subset of what that process covers.

Another common misuse is treating OWASP Top 10 compliance as a binary state. Category coverage does not mean all instances of that category's vulnerability class have been found and remediated. SQL injection appears in a specific Top 10 category. An application may have remediated the SQL injection finding identified in the last test and still have a different SQL injection in a different endpoint that was not tested. The category being covered in a test report does not mean the application is free of vulnerabilities in that category; it means the specific test checked for them in the specific scope tested.

How to Use the OWASP Top 10 Appropriately

The OWASP Top 10 is most useful as an awareness and training tool for developers who are new to application security. It provides a structured introduction to the most prevalent and consequential risk categories and gives developers a vocabulary for discussing and identifying common vulnerability classes. As a training reference, it does exactly what it is designed to do. The categories are well-explained, examples are concrete, and the coverage of the most common findings makes it a practical starting point.

For security testing scoping, the OWASP Top 10 should be a floor rather than a ceiling. A penetration test specification should include OWASP coverage and add application-specific testing requirements based on the application's architecture, the sensitivity of the data it handles, and the threat model for the intended user population. Business logic testing, privilege escalation specific to the application's data model, integration security, and API security all warrant explicit inclusion in a test scope rather than relying on the assumption that they are covered by OWASP categories.

Building on the Top 10 in Practice

Organisations that use the OWASP Top 10 well treat it as a starting vocabulary rather than a complete framework. Developer training starts with Top 10 concepts and then extends to vulnerability classes specific to the application's technology stack. Security testing starts with Top 10 category coverage and adds application-specific testing requirements. Remediation prioritisation considers Top 10 categories as one input alongside exploitability, business impact, and data sensitivity.

If you want to understand what a meaningful application security test covers beyond OWASP category compliance, or how to build a developer training programme that addresses the vulnerability classes specific to your application, reach out to us at info@cyberlinx.com.au.

Table of Contents
Resource Type
Guides
Category
DevSecOps
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?