OWASP Top 10 (2021): Web Application Security Risks

A practical developer guide to OWASP Top 10 (2021), with risk summaries, why each risk matters, and concrete prevention steps.

Last updated: 2026-03-10

Why This Matters

This page summarizes the OWASP Top 10 (2021) for teams building production web applications. It focuses on implementation-level guidance rather than high-level definitions.

Use this checklist during design reviews, threat modeling, and release hardening. Pair these risks with your secure coding standards, dependency governance, and incident response process.

Top 10 Categories

  1. A01 Broken Access Control
  2. A02 Cryptographic Failures
  3. A03 Injection
  4. A04 Insecure Design
  5. A05 Security Misconfiguration
  6. A06 Vulnerable And Outdated Components
  7. A07 Identification And Authentication Failures
  8. A08 Software And Data Integrity Failures
  9. A09 Security Logging And Monitoring Failures
  10. A10 Server-Side Request Forgery (SSRF)

A01 Broken Access Control

Access checks fail or are missing, allowing unauthorized actions.

Attackers can read, modify, or delete data across tenant and privilege boundaries.

Prevention Checklist

  • Deny by default and enforce authorization on every request.
  • Apply resource ownership checks for every read/write path.
  • Add server-side tests for vertical and horizontal privilege escalation.
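The checklist above in code, as an added example that is not part of the original page: a deny-by-default authorization helper with an ownership (horizontal) check and a role (vertical) check, called by both a read path and a write path. The roles, the in-memory document store and the function names are constructed for the example.

```python
# Added example (not from the page): deny-by-default authorization with a
# horizontal (ownership) check and a vertical (role) check that every read and
# write path calls. The roles and the in-memory store are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"

@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int

# Constructed sample store standing in for a database table.
DOCUMENTS = {1: Document(id=1, owner_id=100), 2: Document(id=2, owner_id=200)}

class Forbidden(Exception):
    """Raised whenever no rule explicitly allows the action."""

def is_allowed(user: User, doc: Document, action: str) -> bool:
    """Deny by default: only the listed combinations return True."""
    if doc.owner_id == user.id and action in ("read", "update", "delete"):
        return True  # horizontal check: owners act on their own documents
    if user.role == "admin" and action == "read":
        return True  # vertical check: admins may read, not modify, any document
    return False

def authorize(user: User, doc: Document, action: str) -> None:
    if not is_allowed(user, doc, action):
        raise Forbidden(f"user {user.id} may not {action} document {doc.id}")

def get_document(user: User, doc_id: int) -> Document:
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        # Same error for "missing" and "forbidden" so IDs cannot be enumerated.
        raise Forbidden(f"user {user.id} may not read document {doc_id}")
    authorize(user, doc, "read")
    return doc

def delete_document(user: User, doc_id: int) -> bool:
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise Forbidden(f"user {user.id} may not delete document {doc_id}")
    authorize(user, doc, "delete")  # checked before any state change
    del DOCUMENTS[doc_id]
    return True
```

Server-side tests for privilege escalation then become direct calls against `is_allowed` with an owner, a non-owner and an admin for every action.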

A02 Cryptographic Failures

Sensitive data is exposed due to weak or misused cryptography.

Data leaks, credential compromise, and regulatory exposure follow quickly when encryption is weak.

Prevention Checklist

  • Use modern vetted crypto primitives and rotate keys safely.
  • Encrypt data in transit and at rest with strong defaults.
  • Never store secrets or passwords in plaintext.
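As an added example that is not part of the original page, this is one way to meet the last two bullets for passwords: a salted PBKDF2-HMAC-SHA256 record that encodes its own parameters, so the work factor can be raised later and weaker records are re-hashed at the next successful login. The record format, the function names and the iteration policy are constructed for the example.

```python
# Added example (not from the page): salted PBKDF2-HMAC-SHA256 password storage
# in a self-describing record, so the work factor can be raised later and old
# records upgraded at next login. Names and the iteration policy are constructed.
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # current policy; raise it over time, old records still verify
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(SALT_BYTES)  # unique per record, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])

def _parse(encoded: str):
    """Split a record into (iterations, salt, digest); ValueError if malformed."""
    algo, iters, salt_b64, digest_b64 = encoded.split("$")
    if algo != ALGO:
        raise ValueError("unknown algorithm")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)

def verify_password(password: str, encoded: str) -> bool:
    try:
        iterations, salt, expected = _parse(encoded)
    except ValueError:
        return False  # malformed or foreign record: treat as non-matching
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # constant-time compare so timing does not reveal how many bytes matched
    return hmac.compare_digest(actual, expected)

def needs_rehash(encoded: str) -> bool:
    """True when the record is weaker than the current policy."""
    try:
        iterations, _, _ = _parse(encoded)
    except ValueError:
        return True
    return iterations < ITERATIONS

def login(password: str, stored: str) -> tuple:
    """Return (ok, record_to_store): on success, transparently upgrade weak records."""
    if not verify_password(password, stored):
        return False, stored
    return True, (hash_password(password) if needs_rehash(stored) else stored)
```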

A03 Injection

Untrusted input is executed as code or query logic.

Injection can lead to data exfiltration, account takeover, and remote command execution.

Prevention Checklist

  • Use parameterized queries and strict input validation.
  • Avoid dynamic command construction with user-controlled text.
  • Add allowlist validation and output encoding at trust boundaries.

A04 Insecure Design

Security controls were not designed into core workflows.

Design gaps are expensive to patch and often enable multi-step breach chains.

Prevention Checklist

  • Perform threat modeling before implementation milestones.
  • Define abuse cases and required controls in technical specs.
  • Use secure architecture patterns and security acceptance criteria.

A05 Security Misconfiguration

Default or weak configuration leaves attack surface exposed.

Misconfigurations are low-effort attack paths and are frequently exploited in real incidents.

Prevention Checklist

  • Harden runtime configs and disable unnecessary features.
  • Automate secure headers and baseline configuration checks.
  • Run regular config audits in all environments.

A06 Vulnerable And Outdated Components

Dependencies contain known vulnerabilities or unsupported versions.

Attackers weaponize public CVEs quickly against lagging dependency trees.

Prevention Checklist

  • Track a software bill of materials (SBOM) and assign an owner for each dependency.
  • Patch high and critical vulnerabilities quickly with SLAs.
  • Remove unused dependencies and archive abandoned packages.

A07 Identification And Authentication Failures

Authentication flows and identity controls are weak.

Account takeover undermines every downstream authorization control.

Prevention Checklist

  • Require MFA for privileged users and sensitive workflows.
  • Protect session tokens, reset flows, and credential storage.
  • Throttle brute-force attempts and monitor suspicious auth behavior.

A08 Software And Data Integrity Failures

Code or data updates are not verified for integrity and trust.

Supply-chain compromise can silently introduce backdoors across environments.

Prevention Checklist

  • Sign artifacts and verify integrity before deployment.
  • Restrict CI/CD privileges and enforce protected branches.
  • Validate update sources and enforce dependency provenance.

A09 Security Logging And Monitoring Failures

Security events are not logged, monitored, or actionable.

Delays in detection and response increase both the impact of an incident and the cost of recovery.

Prevention Checklist

  • Log auth, authorization, and sensitive state transitions.
  • Set alerting thresholds tied to incident response playbooks.
  • Retain tamper-resistant logs with clear ownership.
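The first two bullets made concrete, as an added example that is not part of the original page: authentication events are logged as structured JSON lines, and a small detector raises an alert when failed logins from one source reach a threshold inside a sliding window, which is the kind of rule a playbook is tied to. The event schema, the sample lines and the addresses are constructed.

```python
# Added example (not from the page): a detector that parses constructed
# structured auth events and raises one alert per source when failed logins
# reach a threshold inside a sliding window, the kind of rule an incident
# response playbook would be tied to. Event names and addresses are constructed.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in JSON-lines form (not real logs).
SAMPLE_LOG = """
{"ts": "2026-03-10T09:00:01Z", "event": "login_failure", "user": "alice", "src": "198.51.100.7"}
{"ts": "2026-03-10T09:00:05Z", "event": "login_failure", "user": "alice", "src": "198.51.100.7"}
{"ts": "2026-03-10T09:00:09Z", "event": "login_failure", "user": "bob", "src": "198.51.100.7"}
{"ts": "2026-03-10T09:00:12Z", "event": "login_success", "user": "carol", "src": "203.0.113.5"}
{"ts": "2026-03-10T09:00:15Z", "event": "login_failure", "user": "dave", "src": "198.51.100.7"}
{"ts": "2026-03-10T09:00:20Z", "event": "login_failure", "user": "erin", "src": "198.51.100.7"}
{"ts": "2026-03-10T09:15:00Z", "event": "login_failure", "user": "alice", "src": "203.0.113.5"}
"""

def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime timestamp; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source the first time it reaches `threshold` login
    failures inside a sliding `window`; successes do not reset the count."""
    recent = defaultdict(deque)  # src -> (ts, user) failures still in window
    alerts, alerted = [], set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "login_failure":
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({"src": e["src"], "failures": len(q), "at": e["ts"],
                           "users": sorted({u for _, u in q})})
    return alerts
```

The list of distinct usernames in the alert is what distinguishes password spraying across accounts from repeated attempts on one account, so a responder can pick the right playbook.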

A10 Server-Side Request Forgery (SSRF)

The server fetches attacker-controlled URLs without strict controls.

Attackers pivot into internal networks and metadata services through trusted infrastructure.

Prevention Checklist

  • Block private address ranges and enforce destination allowlists.
  • Disable unnecessary outbound network access from app containers.
  • Use strict URL parsing and protocol restrictions.
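The first and third bullets in code, added here and not taken from the original page: a destination check for server-side fetches that parses the URL strictly, restricts scheme and port, requires the host to be on an allowlist, and rejects any resolved address outside global unicast (private, loopback, link-local and similar ranges). The allowlist and function names are hypothetical, and the resolver is injectable so the check can be exercised without DNS.

```python
# Added example (not from the page): a destination check for server-side fetches
# that parses the URL strictly, restricts scheme and port, requires the host to
# be on an allowlist, and rejects any resolved address outside global unicast.
# The allowlist is hypothetical; the resolver is injectable so the check runs
# without DNS.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # hypothetical allowlist
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def default_resolver(host: str) -> list:
    """Return every address the name resolves to; all of them must pass."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_outbound_url(url: str, resolve=default_resolver) -> str:
    """Return the URL if it passes every check, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    addrs = resolve(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    # Every record must be checked: an allowed name that resolves to a private
    # or link-local address (e.g. a cloud metadata endpoint) is still rejected.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-global address {ip}")
    return url

def is_safe_destination(url: str, resolve=default_resolver) -> bool:
    try:
        check_outbound_url(url, resolve)
        return True
    except ValueError:
        return False
```

Because DNS can change between this check and the actual request (rebinding), the fetch should connect to the address that passed here rather than resolving the name a second time.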

FAQ

Is OWASP Top 10 a complete security standard?

No. It is a high-value risk baseline. You should combine it with secure SDLC controls, cloud hardening, and domain-specific threat models.

How often should we review these risks?

At minimum each quarter and before major releases. Also review after architecture changes, dependency shifts, or incidents.

How should we prioritize fixes?

Prioritize by exploitability, blast radius, and exposure of sensitive assets. High-impact auth and access-control issues should be treated as urgent.
