The OWASP Top 10 represents the most commonly discovered security defects. Therefore, the inclusion of a vulnerability in the list depends on the tools in use to discover vulnerabilities. If certain types of vulnerabilities exist in the code but aren’t discovered by the tools, they won’t be represented in the list—regardless of their risk level.
In other words, the list identifies most commonly identified, critical risks threatening Web application security. It isn’t a comprehensive list of all software problems. All in all, the Top 10 offers a sneak peek into the problems plaguing Web application security. However, the awareness document doesn’t frame the big picture when it comes to security. Even if you’ve eradicated all ten items within your software, if the Top 10 are all you’re identifying and mitigating, there’s a great chance that your software is still highly vulnerable. The creators of the list themselves tell the same story.
It’s a good practice to conduct a threat model or an architecture risk analysis of the application before it is coded. Another good practice is to review the application as it is being built using secure code analysis techniques. Once the application is built, an in-depth Web application penetration test is another way to follow up the OWASP Top 10. Manual penetration tests allow for a more thorough investigation of the Web application to find vulnerabilities that may not be present in the list.
The Agile Security Manifesto