Open Web Application Security Project (OWASP) is a nonprofit foundation that aims to improve software security by publishing industry standards, articles, tools, and documents. An example of the kind of tools it provides is the OWASP Risk Assessment Framework, which combines static application security testing and risk assessment tools.

Every three to four years, OWASP updates its list of top ten application security risks in light of prevailing application security dynamics and the overall threat landscape. The top ten are ranked in order of risk level.

The methodology uses a combination of data-driven analysis and industry surveys to establish a list of the ten most significant application security vulnerabilities:

• The data side of things gathers information from over 200,000 organizations about web application vulnerabilities found in various processes and uses this information to identify eight of the top ten critical security risks.

• The remaining two risks are gleaned from surveying industry professionals and asking them to rank the most important web app security risks.

The most recent OWASP Top 10 update from 2021 carries over to 2022. The 2021 update adds three new categories of risk to the previous update in 2017, along with some consolidation and re-naming. This is the OWASP top 10 vulnerabilities for 2021-2022:

• A01 Broken Access Control

• A02 Cryptographic Failures

• A03 Injection

• A04 Insecure Design

• A05 Security Misconfiguration

• A06 Vulnerable and Outdated Components

• A07 Identification and Authentication Failures

• A08 Software and Data Integrity Failures

• A09 Security Logging and Monitoring Failures

• A10 Server Side Request Forgery (SSRF)