What is the OWASP Top 10 and what is it used for?
An awareness document ranking the ten most critical web-application security risks, refreshed every few years from real-world breach data — used as a teaching tool and a baseline checklist, not a complete security standard.
* The ten OWASP Top 10 2021 risk categories — a ranked awareness list of the most critical web risks. *
It's deliberately a "top 10," not "everything": by focusing teams on the risks that actually cause the most damage in the wild, it gives developers and managers a shared, prioritized starting point. Each entry pairs a vulnerability class with prevention guidance.
Uses:
- Education — onboarding developers to the most common ways apps get hacked.
- Checklist — a minimum bar to review against during development and threat modeling.
- Common language — when a report says "this is an A01," everyone knows what that means.
Important caveat: it's awareness-level, not exhaustive. Passing "no Top 10 issues" does not mean an app is secure; deeper standards like the OWASP ASVS exist for thorough verification.
Updated periodically (2017 → 2021 → 2025) based on real-world data and industry surveys.