A list of critical web application security vulnerabilities is a necessary risk management tool. Equally true is that each organization has a different set of vulnerabilities plaguing its applications. To complete a trifecta of fundamental truths, crowdsourced lists such as the OWASP Top 10 rarely reflect an individual organization’s priorities.
Despite these three points, many organizations continue to download the OWASP Top 10 and try to use it to guide their software security efforts. Since this often doesn’t achieve the desired result, why not instead use it as inspiration to create your own evidence-based, customized list?