What is the OWASP Top 10?
The OWASP Top 10 is an awareness document for Web application security. The list represents a consensus among leading security experts regarding the greatest software risks for Web applications. These risks are based on the frequency of discovered security defects, the severity of the vulnerabilities, and the magnitude of their potential business impact. OWASP also has a variety of remediation guidelines encouraging developers to mitigate vulnerabilities and code defensively.
OWASP has maintained the Top 10, as it is also known, since 2003. It was originally created to help organizations establish a starting point, determining if their security infrastructure is prepared to stand up against the top threats. The list continues to serve as a key checklist and internal Web application development standard for many of the world’s largest organizations.
The list is updated every two or three years to balance the tempo of changes taking place in the AppSec market. The most recent version was released in 2013. While an update was expected in 2016, it will most likely come out in 2017.
This widely accepted set of Web application vulnerabilities is complemented by a set of secure coding and testing guidelines. Mapping application security to the OWASP Top 10 is also a widely accepted best practice. Many entities including the PCI Security Standards Council, National Institute of Standards and Technology (NIST), and the Federal Trade Commission (FTC) regularly reference the OWASP as an integral guide for mitigating Web application vulnerabilities and meeting compliance initiatives.