IT Central Station is now PeerSpot: Here's why

What are the OWASP Top 10 in 2021?

Hi peers,

What are the OWASP Top 10 this year? 

What single web app security tool (or a minimum set of tools) would you recommend for overall web app protection (from the most critical security risks covered by these Top 10)?

PeerSpot user
49 Answers

Andrew Van Der Stock - PeerSpot reviewer
Top 20Real User

We are due to release the OWASP Top 10 2021 on September 24, 2021. We will be transitioning to GitHub from our private work area soon. There will be three new categories, and some surprising coalescing for many of you who have been using the OWASP Top 10 since 2003. This means it is changing, and we've made an impact in our previous releases.

Curtis Yanko - PeerSpot reviewerCurtis Yanko (Shiftleft)
Top 5Vendor

The history of the OWASP Top 10 through the years:

Curtis Yanko - PeerSpot reviewer
Top 5Vendor

I’m not sure the top 10 is changing this year but if it is it will be to squeeze more stuff in ;-). 

To effectively detect these in a web app you need a status analyzer with deep data flow analysis. I joined ShiftLeft because I felt they had the best tool to change the way we think about SAST scans and it can do reachability analysis for OSS components to better understand the risk associated with vulnerable libraries and frameworks.

Evgeny Belenky - PeerSpot reviewerEvgeny Belenky
Community Manager

@Curtis Yanko thanks for your response! 

However, as we know SAST alone isn't enough, right? 

We still will need tools to perform DAST and IAST.
In addition, I believe not every SAST tool will fit every web app stack. Am I wrong?

Curtis Yanko - PeerSpot reviewerCurtis Yanko (Shiftleft)
Top 5Vendor

@Evgeny Belenky You are correct, 

But DAST is more about proving SAST findings to remove any doubt. I prefer to use a 'directed' DAST approach to keep it fast and in-band to the pipeline. 

By 'Directed' I mean, we have a map of endpoints and associated vulns from our SAST and I use that to focus the DAST on specific issues on each endpoint with as much other info as it may need (DB?). 

I'm not a fan of IAST right now but then I haven't really used it. 
DAST is the proof point on why data flow analysis is key when you consider that DAST is really about abusing user-controlled inputs. So an understanding of user-controlled data flows in your software is so important to identify OWASP Top 10 issues, most of which are injection-related in one way or another.

Andrew Van Der Stock - PeerSpot reviewerAndrew Van Der Stock
Top 20Real User

@Curtis Yanko It is changing this year. We are due to release on September 24, 2021.

Curtis Yanko - PeerSpot reviewerCurtis Yanko (Shiftleft)
Top 5Vendor

@Andrew Van Der Stock thanks, I’ll be sure to look for it.

reviewer1572348 - PeerSpot reviewer
Top 5LeaderboardReal User

Believe no single tool will address all OWASP Top 10 issues. One will need a combination of tools and approaches as was also mentioned in the recent OWASP anniversary webinars.

A01-2021: Broken Access Control has moved to number 1 on the list this year compared to number 5 in 2017.

There are 3 new entries - Insecure design being at number 4. This is to me is a great addition and something which is complex to assess and fix easily.

Evgeny Belenky - PeerSpot reviewer
Community Manager

Hi @Nagaraj Sheshachalam, @Kashif-Jamil, @Cuneyt KALPAKOGLU Phd., @Letsogile-Baloi , @VishalDhamke, @Enayat Galsulkar, @Etienne WEHRLE and @Vipin Garg

Based on your experience it seems you will be able to assist. Can you please chime in?

Buyer's Guide
Application Security
May 2022
Find out what your peers are saying about SonarSource, Veracode, Snyk and others in Application Security. Updated: May 2022.
599,220 professionals have used our research since 2012.