OWASP Top 10
OWASP Top 10 is the consensus list of the most critical web app security risks, refreshed every 3-4 years. The 2021 edition is the current reference. Memorize the categories, not the order.
- A01 Broken Access Control. Most common bug, biggest impact: a user accesses data they should not. IDOR (changing `?id=123` to `?id=124`), missing authorization on admin endpoints, JWT alg confusion.
- A02 Cryptographic Failures. Was "Sensitive Data Exposure." Weak ciphers, no encryption at rest, plaintext passwords, hardcoded keys.
- A03 Injection. SQL injection still top three after 20 years. Also command injection, LDAP injection, NoSQL injection. Fix: parameterized queries.
- A04 Insecure Design. New category. The architecture itself is insecure even if implementation is correct. Missing rate limits, missing CAPTCHA on registration, no MFA option.
- A05 Security Misconfiguration. Default credentials, exposed admin panels, verbose errors, missing security headers, S3 buckets public by default.
- A06 Vulnerable and Outdated Components. Log4Shell, Equifax (Struts). Run `npm audit`, `pip-audit`, Dependabot, Snyk.
- A07 Identification and Authentication Failures. Was "Broken Authentication." Credential stuffing, session fixation, weak password reset flows.
- A08 Software and Data Integrity Failures. New. Trusting unsigned packages, auto-update without verification, deserialization bugs, CI/CD pipeline compromise.
- A09 Security Logging and Monitoring Failures. You cannot respond to what you do not see. Log auth failures, sensitive operations, admin actions. Ship to SIEM.
- A10 Server-Side Request Forgery. New, promoted because of Capital One. Server fetches attacker-controlled URLs.
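As an added example (not from this page or from OWASP) tying A01 and A03 together in Python: the first handler concatenates the id into SQL and never checks ownership, which is exactly the `?id=123` to `?id=124` IDOR above; the second binds the id as a parameter and enforces object-level authorization inside the query. The invoice table, users and amounts are constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample data: two users, each owning one invoice.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    db.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(123, "alice", 40), (124, "bob", 99)],
    )
    return db


def get_invoice_vulnerable(db, current_user, invoice_id):
    # A03: the id is formatted straight into the SQL text, so it is injectable.
    # A01: current_user is never consulted, so alice asking for 124 gets bob's invoice (IDOR).
    query = f"SELECT id, owner, amount FROM invoices WHERE id = {invoice_id}"
    return db.execute(query).fetchone()


def get_invoice_fixed(db, current_user, invoice_id):
    # Validate the type first: anything that is not an integer never reaches the database.
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return None
    # A03 fix: the values are bound as parameters, never concatenated into the query.
    # A01 fix: ownership is part of the predicate, so a record the caller does not own
    # is indistinguishable from one that does not exist (no enumeration hint either).
    return db.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_invoice_vulnerable(db, "alice", 124))  # bob's row leaks
    print("fixed:     ", get_invoice_fixed(db, "alice", 124))       # None
```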
How to actually use this list.
- New code review: walk top 10 categories against the diff.
- Threat model for a new feature: which categories does it touch?
- Pen test scope: ask for explicit coverage of the top 10.
- Interview answers: when asked about web security, frame your answer around these categories.
There is also an API Security Top 10 (last updated 2023), a Mobile Top 10, and an LLM Top 10 (2023, big in 2026 with the AI boom). Same idea, different surface.
Learn more
- OWASP Top 10 - 2021 (OWASP docs)
- OWASP Cheat Sheets (OWASP docs)