The OWASP Top Ten is described by its publisher, the Open Worldwide Application Security Project, as “a standard awareness document for developers and web application security.” It represents what OWASP calls “a broad consensus about the most critical security risks to web applications,” and the project frames adopting it as “the first step towards more secure coding.”
The list is organized into ten categories of risk rather than ten individual bugs. Each category groups together a family of related weaknesses, drawn from analysis of Common Weakness Enumeration (CWE) data across large numbers of real applications. Historically these categories have covered issues such as injection (including SQL injection), broken access control, and cryptographic failures, among others.
The document is revised periodically as the threat landscape shifts. OWASP has published successive editions, including the 2017 and 2021 releases, with the most recent being the OWASP Top Ten 2025. Each edition re-ranks and sometimes re-frames the categories based on new data, so a category’s position can rise or fall between versions.
Because it is freely published and vendor-neutral, the Top Ten has become a de facto baseline that many organizations, standards, and contracts reference when defining a minimum bar for web application security. It is awareness-oriented: a starting point for secure development and review rather than a complete checklist, which is why OWASP also maintains deeper resources such as testing guides and cheat sheets.