OWASP (Open Worldwide Application Security Project)

The Open Worldwide Application Security Project (OWASP) is a non-profit foundation dedicated to improving software security through community-led open source projects, educational resources, tools, and methodologies.

Founded in 2001, OWASP has become one of the most influential organisations in application security, bringing together security professionals, developers, and researchers to share knowledge, develop best practices, and create freely available tools that help organisations build and maintain secure applications.

The organisation works through local chapters worldwide and through online collaboration to produce documentation and resources that have become de facto industry standards, referenced by compliance frameworks, security policies, and development guidelines.

OWASP’s influence extends across the entire software development lifecycle through projects such as the OWASP Top 10 (the most widely recognised summary of web application security risks), the OWASP Application Security Verification Standard (ASVS), which defines security requirements and verification levels for applications, the OWASP Web Security Testing Guide (WSTG, formerly the Testing Guide), which details security testing methodologies, and the OWASP Software Assurance Maturity Model (SAMM) for assessing and improving software security programmes.

For organisations implementing security testing programmes, OWASP resources provide authoritative, practical guidance on identifying and mitigating security vulnerabilities.

OWASP Top 10

The OWASP Top 10 is an awareness document that ranks the ten most critical categories of security risk to web applications. It is typically updated every three to four years (most recently in 2017, 2021, and 2025) to reflect changes in the risk landscape.

Each category represents not a single vulnerability but a class of related weaknesses, mapped to the corresponding CWEs. Every entry is documented with a description of the risk, example attack scenarios, prevention guidance, and references. As of the latest release in 2025 the list is as follows:

  1. A01:2025 – Broken Access Control
  2. A02:2025 – Security Misconfiguration
  3. A03:2025 – Software Supply Chain Failures
  4. A04:2025 – Cryptographic Failures
  5. A05:2025 – Injection
  6. A06:2025 – Insecure Design
  7. A07:2025 – Authentication Failures
  8. A08:2025 – Software or Data Integrity Failures
  9. A09:2025 – Security Logging and Alerting Failures
  10. A10:2025 – Mishandling of Exceptional Conditions
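
To make "a class of related weaknesses" concrete, the following Python snippet is an added example (not code from the original page or from OWASP's own documentation). It shows a toy invoice lookup that exhibits two of the categories above at once, A01 Broken Access Control and A05 Injection, beside a hardened version that closes both. The invoice table, user names and function names are constructed for illustration; the in-memory SQLite database stands in for a real application database.

```python
import sqlite3

# Constructed sample data for the example (not taken from the original page):
# (id, owner, memo, amount)
INVOICES = [
    (1, "alice", "Q1 consulting", 1200),
    (2, "bob", "Hosting renewal", 300),
    (3, "alice", "Q2 consulting", 1500),
]


def make_db():
    """Create an in-memory SQLite database holding the sample invoices."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, owner TEXT NOT NULL, "
        "memo TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", INVOICES)
    conn.commit()
    return conn


def fetch_invoice_vulnerable(conn, current_user, invoice_id):
    """Deliberately weak lookup, as an attacker would find it.

    A05 Injection: invoice_id (taken straight from the request) is pasted into
    the SQL text, so SQL metacharacters in it become part of the query.
    A01 Broken Access Control: current_user is never consulted, so any valid
    id returns any user's invoice (an insecure direct object reference).
    """
    sql = f"SELECT id, owner, memo, amount FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


def fetch_invoice_hardened(conn, current_user, invoice_id):
    """Same lookup with both weaknesses removed.

    The id is validated as an integer and bound as a query parameter, so it is
    treated as data rather than SQL (A05). Ownership is enforced inside the
    query itself, so a row is only ever returned to its owner (A01).
    Returns the matching row, or None when there is no invoice the caller may see.
    """
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, owner, memo, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # bob asks for invoice 1, which belongs to alice, and then tries an injection payload
    print("vulnerable, IDOR:     ", fetch_invoice_vulnerable(db, "bob", 1))
    print("vulnerable, injection:", fetch_invoice_vulnerable(db, "bob", "1 OR 1=1"))
    print("hardened, IDOR:       ", fetch_invoice_hardened(db, "bob", 1))
    print("hardened, injection:  ", fetch_invoice_hardened(db, "bob", "1 OR 1=1"))
    print("hardened, own invoice:", fetch_invoice_hardened(db, "bob", 2))
```

The vulnerable function leaks alice's invoice to bob with a plain numeric id and dumps the whole table with the payload `1 OR 1=1`; the hardened function rejects the payload and returns only rows the caller owns. Note that parameterised queries alone would not have fixed the access-control defect, which is why the Top 10 treats the two as separate categories.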

Security testing programmes commonly use the OWASP Top 10 as a baseline to ensure that these well-known, prevalent classes of vulnerability are tested for and remediated. However, the list is an awareness document covering the most common and impactful risks, not an exhaustive security checklist; organisations needing comprehensive coverage should pair it with a fuller requirements standard such as the ASVS and address vulnerabilities beyond the ten categories.