This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Top 10-2017 Release Notes
What Changed From 2010 to 2013?
The threat landscape for applications and APIs constantly changes. Key factors in this evolution are the rapid adoption of new technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace, we periodically update the OWASP Top 10. In this 2017 release, we made the following changes:
NOTE: The T10 is organized around major risk areas, and they are not intended to be airtight, non-overlapping, or a strict taxonomy. Some of them are organized around the attacker, some the vulnerability, some the defense, and some the asset. Organizations should consider establishing initiatives to stamp out these issues. |
OWASP Top 10 - 2013 (Previous Version) | OWASP Top 10 - 2017 (Current Version) |
---|---|
A1-Injection | A1-Injection |
A2-Broken Authentication and Session Management | A2-Broken Authentication |
A3-Cross-Site Scripting (XSS) | A3-Sensitive Data Exposure |
A4-Insecure Direct Object References - Merged with A7 | A4-XML External Entities (XXE) (Original category in 2003/2004) |
A5-Security Misconfiguration | A5-Broken Access Control |
A6-Sensitive Data Exposure | A6-Security Misconfiguration |
A7-Missing Function Level Access Control - Merged with A4 | A7-Cross-Site Scripting (XSS) (NEW) |
A8-Cross-Site Request Forgery (CSRF) | A8-Insecure Deserialization |
A9-Using Components with Known Vulnerabilities | A9-Using Components with Known Vulnerabilities |
A10-Unvalidated Redirects and Forwards (Dropped) | A10-Insufficient Logging&Monitoring (NEW) |