OWASP Top 10 2021 — The Security Landscape Has Shifted

Osmond van Hemert
Cybersecurity Landscape - This article is part of a series.
Part : This Article

The OWASP Foundation has just published the 2021 edition of the Top 10, and if you’ve been paying attention to the security incidents of the past few years, the reshuffling won’t surprise you. But if you’ve been coasting on the 2017 list as your security checklist — and let’s be honest, many teams have — it’s time for a serious reassessment.

I’ve been building web applications since before SQL injection had a catchy name, and every time OWASP updates this list, it forces a useful conversation about where we’re actually failing as an industry.

The Big Movers

The most notable change is that Broken Access Control has jumped from fifth place all the way to number one. This shouldn’t shock anyone who’s done a penetration test in the last two years. We’ve gotten reasonably good at parameterized queries and output encoding, but authorization logic? That’s still a mess in most codebases I review.

The problem is structural. Authentication is a solved problem — you pick an identity provider, implement OAuth 2.0 or OIDC, and you’re done. But authorization is deeply tied to business logic. There’s no generic middleware that can tell you whether user A should be able to edit resource B in context C. Every application reinvents this wheel, and most do it poorly.
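To make the "user A, resource B, context C" point concrete, here is an added example (not code from the original post) contrasting an A01-style handler that only checks that a session exists with one that evaluates tenant, role and document state before writing. The `User`/`Document` model, the `DOCS` store and the "locked document" rule are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed domain model for this example; none of these names come from the post.
@dataclass(frozen=True)
class User:
    id: str
    tenant: str
    roles: frozenset = frozenset()

@dataclass
class Document:
    id: str
    tenant: str
    owner_id: str
    editors: frozenset = frozenset()
    locked: bool = False   # the "context": locked documents are read-only except for admins
    body: str = ""

# In-memory store standing in for a database (constructed sample data).
DOCS = {
    "d1": Document("d1", "acme", owner_id="alice", editors=frozenset({"bob"})),
    "d2": Document("d2", "acme", owner_id="alice", locked=True),
    "d3": Document("d3", "globex", owner_id="erin"),
}

def update_document_broken(user: User, doc_id: str, body: str) -> bool:
    # A01 pattern: being logged in is treated as permission to edit whatever id is in the URL.
    DOCS[doc_id].body = body
    return True

def can_edit(user: User, doc: Document) -> bool:
    # Authorization is a function of user A, resource B and context C, decided server-side.
    if user.tenant != doc.tenant:          # tenant boundary beats every role
        return False
    if "admin" in user.roles:              # tenant-scoped admin may edit anything in the tenant
        return True
    if doc.locked:                         # context: locked documents are read-only
        return False
    return user.id == doc.owner_id or user.id in doc.editors

def update_document(user: User, doc_id: str, body: str) -> bool:
    doc = DOCS.get(doc_id)
    # Deny by default, and answer "missing" and "forbidden" identically so ids cannot be enumerated.
    if doc is None or not can_edit(user, doc):
        return False
    doc.body = body
    return True
```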

Cryptographic Failures (formerly “Sensitive Data Exposure”) moved up to second place. The rename is telling — OWASP is shifting from describing symptoms to describing root causes. It’s not just about data being exposed; it’s about the cryptographic decisions (or non-decisions) that led there. I still encounter applications using MD5 for password hashing or storing API keys in plaintext config files. In 2021.

Injection dropping to third might seem surprising given its decade-long reign at number one, but it reflects genuine progress. ORMs, parameterized queries, and frameworks that escape output by default have made classic injection harder to introduce accidentally. We haven’t eliminated it — we’ve just raised the floor.

Three New Categories Worth Your Attention

The 2021 list introduces three entirely new categories, and each one tells a story about how software development has changed.

Insecure Design (A04) is perhaps the most important addition. This isn’t about implementation bugs — it’s about architectural flaws that no amount of perfect coding can fix. Think of an e-commerce site that lets you enumerate valid discount codes by checking the response time, or an API that returns different error messages for “user not found” vs “wrong password.” These are design-level decisions that create vulnerabilities before a single line of code is written.
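The two design flaws named above, distinguishable error messages and response-time differences, are shown side by side in this added example (not code from the original post). The user table, the decoy credential and the discount-code key are constructed sample data; the fix is to do the same work and return the same message on every failure path.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from the original post).
_SALT = b"example-salt"   # one shared salt only to keep the demo short; use per-user salts
ITERATIONS = 100_000

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

USERS = {"alice": (_SALT, _derive("correct horse", _SALT))}
# Decoy credential: an unknown username still costs one full derivation, so response time
# does not reveal whether the account exists.
_DECOY = (_SALT, _derive("decoy-password", _SALT))

def login_leaky(username: str, password: str) -> tuple[bool, str]:
    # Design flaw: two distinct failure messages, and the first path returns immediately
    # while the second pays for a hash. Both differences enumerate valid usernames.
    if username not in USERS:
        return False, "user not found"
    salt, stored = USERS[username]
    if _derive(password, salt) != stored:
        return False, "wrong password"
    return True, "ok"

def login_uniform(username: str, password: str) -> tuple[bool, str]:
    # Same message and same amount of work on every failure path.
    salt, stored = USERS.get(username, _DECOY)
    matched = hmac.compare_digest(_derive(password, salt), stored)
    # The decoy itself must never grant access: an unknown user never logs in.
    if matched and username in USERS:
        return True, "ok"
    return False, "invalid username or password"

# Discount codes, same principle: a fixed-cost keyed hash and a set lookup, so checking an
# invalid code costs the same as checking a valid one.
_CODE_KEY = b"constructed-server-side-key"

def _code_tag(code: str) -> bytes:
    return hmac.new(_CODE_KEY, code.strip().upper().encode(), "sha256").digest()

VALID_CODE_TAGS = {_code_tag("SPRING21"), _code_tag("VIP10")}

def redeem(code: str) -> bool:
    return _code_tag(code) in VALID_CODE_TAGS
```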

I’ve been advocating for threat modeling in the design phase for years, and it’s gratifying to see OWASP formally recognize that security isn’t just a code review activity. If your team doesn’t do threat modeling during architecture reviews, this should be your wake-up call.

Software and Data Integrity Failures (A08) covers the increasingly critical area of supply chain security. After SolarWinds, Codecov, and the steady drumbeat of npm package compromises, this category feels overdue. It encompasses everything from unsigned updates to CI/CD pipeline integrity to deserializing untrusted data. The common thread: are you verifying the integrity of the software and data flowing through your systems?

Server-Side Request Forgery (A10) rounds out the new entries. SSRF has been a darling of bug bounty programs for years, particularly as cloud metadata endpoints (like AWS’s 169.254.169.254) became lucrative targets. With everything moving to microservices architectures where services routinely make HTTP requests to internal endpoints, SSRF is a natural fit for the list.

What This Means for Your Development Process

If you’re treating the OWASP Top 10 as a checklist — which, to be clear, OWASP explicitly says you shouldn’t — then at minimum you need to update your security training and code review guidelines. But I’d encourage teams to go further.

The shift toward design-level and supply chain concerns means security needs to move earlier in your development lifecycle. Here’s what I’d prioritize:

  1. Threat modeling workshops during design sprints. You don’t need a formal methodology — even a 30-minute “what could go wrong” session with your team will catch design-level issues.

  2. Dependency auditing as a first-class CI/CD concern. Run npm audit, pip-audit, or your language’s equivalent on every build. Pin your dependencies. Verify checksums.

  3. Authorization testing as part of your integration test suite. For every API endpoint, test that users can only access what they should. Automate it — manual testing doesn’t scale.

  4. SSRF protections at the infrastructure level. Restrict outbound requests from your application servers. Use allowlists for internal service communication. Block access to cloud metadata endpoints unless explicitly needed.
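Point 4 in application code, as an added example that is not part of the original post: an outbound-URL check that allowlists internal service hostnames, resolves every name and rejects any answer on link-local (which covers 169.254.169.254), loopback or similar ranges, and unwraps IPv4-mapped IPv6 literals so the check cannot be sidestepped by notation. `INTERNAL_ALLOWLIST`, the `.internal` hostnames and the injectable `resolve` parameter are assumptions for the example; RFC 1918 space is deliberately left usable because that is where the allowlisted services live.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of internal services this application may call (not from the post).
INTERNAL_ALLOWLIST = {"orders.internal", "inventory.internal"}

def resolve_all(host: str) -> list[str]:
    # Judge every A/AAAA answer, not just the first one the HTTP client would pick.
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})

def is_blocked_address(ip) -> bool:
    # Unwrap ::ffff:a.b.c.d so an IPv4 rule cannot be bypassed through IPv6 notation.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Link-local covers 169.254.169.254 (and fe80::/10). Private space is allowed because
    # the allowlisted internal services live there.
    return (ip.is_link_local or ip.is_loopback or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)

def check_outbound_url(url: str, resolve=resolve_all) -> tuple[bool, str]:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [ipaddress.ip_address(host)]      # literal IP: no lookup needed
    except ValueError:
        # Resolve and judge the answers: short, decimal or octal forms and rebinding names
        # all end up as concrete addresses here.
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            addresses = []
    if not addresses:
        return False, "unresolvable host"
    if any(is_blocked_address(ip) for ip in addresses):
        return False, "resolves to blocked address"
    if host not in INTERNAL_ALLOWLIST:
        return False, "host not on allowlist"
    # The caller must connect to one of `addresses`, not re-resolve the name (DNS rebinding).
    return True, "ok"
```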

My Take

What I appreciate most about the 2021 update is its maturity. The list has evolved from “here are the bugs you’re writing” to “here are the systemic failures in how you build software.” Broken access control, insecure design, and integrity failures aren’t problems you solve with a WAF rule or a static analysis tool. They require engineering discipline, architectural thinking, and organizational commitment.

The cynical view is that we keep publishing lists like this because nothing actually improves. But I’ve watched injection drop from perennial champion to third place over a decade. Progress is possible — it’s just slow and requires the right tooling and education.

If you haven’t already, carve out an afternoon with your team to review the new list against your current applications. You might be surprised what you find — or more accurately, what’s been hiding in plain sight.

This is part of an ongoing series examining security practices in real-world development. The OWASP Top 10 remains one of the most influential documents in application security, and this update deserves your attention.