We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / OWASP Top 10
OWASP · Global

OWASP Top 10

The standard awareness document for the most critical web application risks.

1. Introduction

The OWASP Top 10 is the single most widely referenced application security awareness document in the world. Published by the Open Worldwide Application Security Project (OWASP), a non-profit foundation dedicated to improving the security of software, it distils the most critical web application security risks into a consensus-driven, ranked list. For any organisation building, buying, or operating web applications and APIs, the OWASP Top 10 has become the de facto baseline against which secure development, penetration testing, and application security assurance programmes are measured.

This guide is written from the perspective of a CERT-In empanelled auditor and PCI Qualified Security Assessor (QSA). It is intended to help engineering leaders, application security teams, compliance officers, and internal audit functions understand not merely what the OWASP Top 10 lists, but how to operationalise it: how to scope an assessment, what evidence to demand, how to map findings to a maturity model, and how the Top 10 interlocks with binding regulatory frameworks such as PCI DSS, the DPDP Act, ISO/IEC 27001, and the CERT-In directions. Throughout, we treat the OWASP Top 10 not as a checklist to be ticked once, but as a living control set to be embedded across the secure software development lifecycle (SSDLC).

Licensing and copyright note
The OWASP Top 10 is published by the OWASP Foundation under the Creative Commons Attribution-ShareAlike (CC BY-SA) licence, which permits reuse and adaptation with attribution. This guide is original CyberSigma content that summarises, interprets, and operationalises the publicly available OWASP framework in our own words. It does not reproduce OWASP's copyrighted text verbatim. Category names, ranks, and CWE mappings are cited as factual references to the OWASP Top 10:2021 edition. Always consult owasp.org for the authoritative and most current release.

2. What is the OWASP Top 10

The OWASP Top 10 is a periodically updated, ranked list of the ten most critical security risks facing web applications. It is not a formal standard, a certification scheme, or a prescriptive control catalogue in the manner of ISO 27001 or PCI DSS. Instead, it is an awareness and prioritisation document: a shared vocabulary that lets developers, testers, and executives agree on which classes of vulnerability warrant the most urgent attention.

Each entry describes a category of risk rather than a single vulnerability. For example, the category A03:2021 - Injection encompasses SQL injection, NoSQL injection, OS command injection, LDAP injection, expression-language injection, and cross-site scripting (which OWASP folded into Injection in 2021). Categories are ranked using a blend of empirical data (contributed by dozens of security firms covering hundreds of thousands of applications) and an industry survey that captures emerging risks for which hard data may lag.

OWASP maintains parallel Top 10 lists for different technology domains, and it is important not to confuse them. The flagship list is the OWASP Top 10 for web applications. Sibling projects include the OWASP API Security Top 10, the OWASP Mobile Top 10, the OWASP Top 10 for Large Language Model Applications, the OWASP Top 10 CI/CD Security Risks, and the OWASP Top 10 Proactive Controls. Unless otherwise qualified, references in this guide are to the web application Top 10:2021 edition.

Crucially, the OWASP Top 10 is a floor, not a ceiling. Being free of Top 10 issues does not make an application secure; it means the most common and impactful risk classes have been addressed. Mature programmes pair the Top 10 with the broader OWASP Application Security Verification Standard (ASVS), the OWASP Testing Guide, and threat modelling to achieve defensible assurance.

3. Who must comply

Compliance with the OWASP Top 10 is rarely a direct legal mandate; rather, it is embedded by reference into contracts, regulatory guidance, and industry standards. In practice, any organisation that develops or operates internet-facing software is expected to demonstrate that its applications are free of Top 10-class defects. The following table identifies the principal audiences and the mechanism through which the Top 10 becomes binding on them.

WhoWhy the OWASP Top 10 applies to them
Software product and SaaS companiesCustomer security questionnaires, procurement due diligence, and SOC 2 / ISO 27001 audits routinely require evidence that the SDLC tests for OWASP Top 10 risks.
Payment and fintech firmsPCI DSS Requirement 6.2.4 explicitly requires bespoke software to address common attacks including injection, broken access control, and insecure cryptographic storage - the OWASP Top 10 categories.
Banks and regulated financial entities (India)RBI cyber-security frameworks and SEBI CSCRF expect secure application development and VAPT aligned to recognised standards such as OWASP.
Government and public-sector suppliersCERT-In empanelled audits and government tenders frequently mandate OWASP-based application security testing before go-live.
Healthcare and data-heavy platformsDPDP Act reasonable security safeguards and HIPAA security rule expectations are commonly evidenced through OWASP-aligned testing.
E-commerce and consumer web platformsCard-scheme rules, cyber-insurance underwriting, and bug-bounty programmes all reference the Top 10 as a baseline.
Development and DevOps teamsEngineering standards and definition-of-done criteria increasingly require Top 10 coverage in code review and CI pipelines.
Third-party and outsourced vendorsClient master service agreements often warrant that delivered software is free of OWASP Top 10 vulnerabilities.

4. Structure of the OWASP Top 10

The OWASP Top 10:2021 comprises ten ranked risk categories, each identified by an Axx code (A01 through A10). Every category aggregates one or more Common Weakness Enumeration (CWE) entries and carries data on incidence rate, exploitability, and impact. The table below enumerates the full 2021 list with its constituent themes and representative CWE mappings. Three categories were new or substantially restructured in 2021: A04 Insecure Design, A08 Software and Data Integrity Failures, and A10 Server-Side Request Forgery.

CodeCategoryScope and representative CWEs
A01:2021Broken Access ControlFailures to enforce authorisation: privilege escalation, IDOR, path traversal, missing function-level access control. CWE-200, CWE-201, CWE-352, CWE-639. Moved to number one in 2021.
A02:2021Cryptographic FailuresWeak or missing encryption of data in transit and at rest, poor key management, weak algorithms, exposed secrets. Formerly Sensitive Data Exposure. CWE-259, CWE-327, CWE-331.
A03:2021InjectionSQL, NoSQL, OS command, LDAP, ORM, and expression-language injection, plus cross-site scripting (XSS). CWE-79, CWE-89, CWE-73.
A04:2021Insecure DesignMissing or ineffective security controls by design; absence of threat modelling and secure design patterns. New in 2021. CWE-209, CWE-256, CWE-501, CWE-522.
A05:2021Security MisconfigurationInsecure defaults, verbose errors, open cloud storage, unnecessary features, missing hardening. Now includes XXE. CWE-16, CWE-611.
A06:2021Vulnerable and Outdated ComponentsUse of libraries, frameworks, and modules with known vulnerabilities or that are unsupported. CWE-1104, CWE-937.
A07:2021Identification and Authentication FailuresWeak authentication, credential stuffing, session fixation, missing MFA. Formerly Broken Authentication. CWE-287, CWE-384.
A08:2021Software and Data Integrity FailuresInsecure deserialisation, unsigned updates, compromised CI/CD pipelines, untrusted dependencies. New in 2021. CWE-502, CWE-829.
A09:2021Security Logging and Monitoring FailuresInsufficient logging, missing alerting, inability to detect and respond to breaches. CWE-778, CWE-117.
A10:2021Server-Side Request Forgery (SSRF)Application fetches a remote resource without validating the user-supplied URL. New in 2021, survey-driven. CWE-918.

5. Master assessment checklist

This is the operational heart of the guide. For each of the ten categories we provide the concrete items an auditor should verify and the typical evidence that substantiates them. The intent is exhaustive coverage: every category is addressed with a dedicated table so that no risk class is skipped during an assessment. Verification items are drawn from the OWASP prevention guidance, the ASVS, and field audit practice.

A01 - Broken Access Control

What to verifyTypical evidence
Deny-by-default authorisation is enforced server-side for every resource and functionAccess-control design document, code review of authorisation middleware, sample denied-request logs
Object-level authorisation prevents insecure direct object references (IDOR)Penetration test showing a user cannot access another user's record by changing an identifier
Function-level and role-based access control is applied consistently, not only in the UIRBAC matrix, negative test cases attempting privileged actions as a low-privilege user
Rate limiting and anti-automation protect against forced browsing and enumerationWAF or gateway rate-limit configuration, throttling logs
CORS policy is restrictive and does not use wildcard origins for authenticated endpointsCORS configuration files, HTTP response header captures
JWTs and session tokens are validated for signature, expiry, and scope on every requestToken validation code, tests forging or tampering with claims
Access-control failures are logged and alerted to administratorsSample authorisation-denied log entries and SIEM alert rules

A02 - Cryptographic Failures

What to verifyTypical evidence
Sensitive data at rest is classified and encrypted with strong, current algorithmsData classification register, encryption configuration, algorithm inventory (AES-256, RSA-2048+)
All data in transit uses TLS 1.2+ with strong cipher suites and HSTSSSL Labs / testssl.sh report, load-balancer TLS configuration
No use of deprecated algorithms (MD5, SHA-1, DES, RC4) or hard-coded keysSAST secret-scan output, cryptographic inventory review
Passwords are stored using adaptive salted hashing (bcrypt, scrypt, Argon2, PBKDF2)Code review of password storage, database schema showing hash format
Cryptographic keys are managed in a KMS or HSM with rotation and access controlKMS/HSM configuration, key-rotation policy and logs
Secrets are not committed to source control or loggedGit secret-scan results, log-sanitisation review
Randomness for tokens uses a cryptographically secure PRNGCode review of token generation routines

A03 - Injection

What to verifyTypical evidence
All database access uses parameterised queries or an ORM with safe bindingsCode review confirming no string-concatenated queries, DAST injection test results
Cross-site scripting (XSS) is prevented via context-aware output encoding and CSPRendered output review, Content-Security-Policy header, XSS test payload results
OS command, LDAP, and expression-language inputs are validated or avoided entirelyCode review of shell/command execution paths, test cases with metacharacters
Input validation applies positive (allow-list) server-side validationValidation schema definitions, negative test evidence
ORM/query layers escape special characters and use least-privilege DB accountsDatabase grant configuration, ORM configuration review
Automated SAST and DAST tooling covers injection classes in the pipelineCI scan reports flagging injection rules
Stored procedures and dynamic SQL are reviewed for safe parameterisationStored-procedure code review notes

A04 - Insecure Design

What to verifyTypical evidence
Threat modelling is performed for new features and significant changesThreat model artefacts (STRIDE/attack trees) linked to design tickets
Security requirements are defined and traced from design to testSecurity requirements register, requirement-to-test traceability matrix
Secure design patterns and reference architectures are used and reusedDocumented secure design patterns, architecture review board minutes
Business-logic abuse cases are identified and tested (e.g. abuse of workflows)Abuse-case catalogue, business-logic penetration test findings
Segregation of tenants and trust boundaries is designed explicitlyData-flow diagrams showing trust boundaries and segmentation
Resource and rate limits are designed into critical flowsDesign docs specifying limits, load/abuse test evidence
Security is a gated criterion in the design and architecture reviewDesign gate checklist and sign-off records

A05 - Security Misconfiguration

What to verifyTypical evidence
Hardening baselines are defined and applied to all environmentsCIS Benchmark or equivalent hardening standard and compliance scan results
Default accounts, sample apps, and unused features are removed or disabledConfiguration audit, port and service inventory
Error handling does not leak stack traces or internal details to usersError-response captures, generic error-page configuration
Security headers (CSP, X-Content-Type-Options, X-Frame-Options, HSTS) are setHTTP response header scan output
Cloud storage buckets and services are not publicly exposed unintentionallyCloud Security Posture Management (CSPM) report, bucket ACL review
XML parsers are configured to disable external entity resolution (prevent XXE)Parser configuration review, XXE test results
Configuration is version-controlled and drift is detected automaticallyIaC repository, configuration-drift alerts

A06 - Vulnerable and Outdated Components

What to verifyTypical evidence
A complete inventory (SBOM) of components and versions is maintainedSoftware Bill of Materials, dependency manifest
Software Composition Analysis (SCA) runs in the pipeline and blocks critical CVEsSCA scan reports, CI gate configuration
A patch and upgrade policy defines SLAs by severityPatch-management policy, remediation ticket ageing report
Unsupported or end-of-life components are identified and remediatedEOL component register and migration plan
Only trusted, signed sources and repositories are used for dependenciesPackage-registry configuration, dependency-pinning and lock files
Client-side libraries (JS/CSS) are inventoried and updatedFront-end dependency scan, subresource integrity (SRI) usage
Component vulnerability monitoring feeds into alertingContinuous monitoring alerts and triage records

A07 - Identification and Authentication Failures

What to verifyTypical evidence
Multi-factor authentication is enforced for sensitive and administrative accessMFA policy and configuration, enrolment reports
Protections against credential stuffing and brute force are in placeAccount-lockout and rate-limit configuration, failed-login monitoring
Weak and breached passwords are rejected using a deny-listPassword policy, breached-password check integration evidence
Session identifiers are random, rotated on login, and invalidated on logoutSession-management code review, session-fixation test results
Session timeout and re-authentication for sensitive operations are enforcedTimeout configuration, step-up authentication evidence
Credential recovery flows do not reveal account existence or use weak secretsPassword-reset flow review and test results
Default and shared credentials are prohibitedAccess-review records, identity provider configuration

A08 - Software and Data Integrity Failures

What to verifyTypical evidence
Deserialisation of untrusted data is avoided or safely constrainedCode review of deserialisation, tests for insecure object deserialisation
CI/CD pipelines enforce access control and integrity of build artefactsPipeline access controls, artefact-signing configuration
Software updates, plugins, and libraries are verified via signatures or hashesSignature/checksum verification evidence, SRI for client assets
Dependency sources are validated and internal registries protectedRegistry configuration, dependency-confusion mitigation evidence
Unsigned or unverified code cannot be deployed to productionDeployment gate configuration, provenance/SLSA attestation
Serialised objects crossing trust boundaries include integrity checksDesign review of data-integrity controls
Build reproducibility and provenance are maintainedBuild logs, provenance attestations

A09 - Security Logging and Monitoring Failures

What to verifyTypical evidence
Security-relevant events (logins, access-control failures, high-value transactions) are loggedLogging standard, sample log records with required fields
Logs contain sufficient context and use a consistent, parseable formatLog schema, sample structured log entries
Logs are centralised, tamper-resistant, and retained per policySIEM ingestion configuration, log-retention policy
Alerting and correlation rules detect suspicious activity in near real timeSIEM alert rules, sample generated alerts
An incident response plan is defined, tested, and linked to monitoringIR plan, tabletop exercise records
Logs avoid recording sensitive data such as passwords or full card numbersLog-sanitisation review evidence
Monitoring coverage is validated against known attack scenariosDetection-coverage assessment (e.g. MITRE ATT&CK mapping)

A10 - Server-Side Request Forgery (SSRF)

What to verifyTypical evidence
User-supplied URLs used for server-side fetches are validated against an allow-listCode review of fetch logic, SSRF test results
Requests to internal, link-local, and cloud-metadata addresses are blockedNetwork egress rules, tests against 169.254.169.254 and RFC1918 ranges
Network segmentation limits what the application server can reachFirewall/egress configuration, network diagram
URL schemes are restricted (e.g. only http/https) and redirects are controlledScheme allow-list configuration, redirect-following test evidence
Responses from fetched resources are not returned raw to the clientResponse-handling code review
DNS rebinding and time-of-check-to-time-of-use risks are mitigatedDesign review, resolved-IP pinning evidence
SSRF attempts are logged and alertedEgress-denied log samples and alert rules

6. Scoping

Effective scoping determines whether an OWASP Top 10 assessment produces defensible assurance or a false sense of security. Because the Top 10 is application-centric, scope should be expressed in terms of applications, APIs, and the environments in which they run, not merely IP ranges. Before testing begins, agree the boundary in writing.

  • Enumerate every in-scope application, micro-service, and API, including internal and partner-facing interfaces.
  • Identify the environments to be tested (production, staging, or a production-parity test environment) and confirm data handling rules.
  • Decide which Top 10 edition and companion standards apply (web Top 10:2021, API Security Top 10, ASVS level).
  • Determine test perspectives: unauthenticated, authenticated per role, and multi-tenant cross-account testing.
  • Confirm authentication material, test accounts, and API keys required for authenticated coverage.
  • Clarify exclusions (third-party SaaS, DoS testing, social engineering) and rules of engagement, including test windows.
  • Include supporting infrastructure and configuration only insofar as it affects application risk (TLS, WAF, cloud storage).
  • Define the definition-of-done for remediation and retesting before the engagement starts.

7. Implementation approach

Embedding the OWASP Top 10 into an organisation is a programme, not a project. The following phased approach moves from baseline awareness to continuous, automated assurance across the SSDLC. Each phase lists indicative activities and the deliverables that evidence its completion.

Phase 1 - Baseline and awareness

  • Activities: Establish a secure-coding standard mapped to the Top 10; deliver developer awareness training; perform a gap assessment of current applications against each category.
  • Deliverables: Secure-coding standard, training completion records, baseline gap-assessment report and risk register.

Phase 2 - Tooling and pipeline integration

  • Activities: Integrate SAST, DAST, SCA, and secret scanning into CI/CD; define quality gates by severity; produce an SBOM for each build.
  • Deliverables: Pipeline configuration with security gates, tool coverage matrix, SBOM artefacts, initial scan baselines.

Phase 3 - Secure design and threat modelling

  • Activities: Introduce threat modelling for new features; establish an architecture review gate; build a library of reusable secure design patterns (addressing A04).
  • Deliverables: Threat-model templates and completed models, design review checklist, secure design pattern catalogue.

Phase 4 - Verification and penetration testing

  • Activities: Conduct manual penetration testing aligned to the OWASP Testing Guide and ASVS; verify business-logic and access-control risks that tools miss; perform remediation and retesting.
  • Deliverables: Penetration test reports, remediation tracker, retest confirmation, ASVS verification results.

Phase 5 - Continuous assurance and governance

  • Activities: Operationalise logging and monitoring (A09); run continuous component monitoring; maintain metrics and executive reporting; feed findings back into standards and training.
  • Deliverables: Security metrics dashboard, monitoring and alerting coverage report, periodic management review records, updated standards.

8. Maturity and capability model

To move beyond pass/fail thinking, organisations should assess the maturity of their OWASP Top 10 programme. The model below draws on the spirit of OWASP SAMM (Software Assurance Maturity Model) and provides five levels against which capability can be scored. Each application or business unit can be rated, and the aggregate reveals where investment is needed.

LevelMaturity and characteristics
Level 0 - AbsentNo secure-coding standard, no security testing, Top 10 risks addressed only reactively after incidents.
Level 1 - InitialAd hoc awareness of the Top 10; occasional manual testing; findings tracked informally with no SLAs.
Level 2 - ManagedSecure-coding standard adopted; automated SAST/SCA in place; periodic penetration testing with a remediation tracker.
Level 3 - DefinedThreat modelling and design gates operate; DAST and secret scanning integrated; metrics reported to management; ASVS targets set.
Level 4 - MeasuredCoverage and remediation SLAs are measured and enforced; monitoring detects exploitation attempts; risk-based prioritisation is data-driven.
Level 5 - OptimisingContinuous assurance across the SSDLC; feedback loops improve standards and training; near-zero recurring Top 10 defect classes.

9. Assessment and audit approach

A structured audit ensures the OWASP Top 10 is genuinely embedded rather than merely claimed. The following ordered steps describe how CyberSigma conducts an OWASP-aligned application security assessment.

  1. Define scope, rules of engagement, and success criteria with stakeholders, and confirm the applicable Top 10 edition and ASVS level.
  2. Gather documentation: architecture diagrams, data-flow diagrams, threat models, secure-coding standards, and prior test reports.
  3. Perform reconnaissance and mapping of the application, its endpoints, roles, and trust boundaries.
  4. Run automated testing (SAST, DAST, SCA, secret scanning) to establish a coverage baseline and surface obvious defects.
  5. Conduct manual testing against each of the ten categories, prioritising access control, injection, and business-logic abuse.
  6. Perform authenticated and multi-role testing to expose broken access control and privilege escalation.
  7. Validate findings to eliminate false positives and confirm real-world exploitability and impact.
  8. Rate each finding by severity using CVSS and business context, and map it to the relevant Top 10 category and CWE.
  9. Deliver a prioritised report with reproduction steps, evidence, and remediation guidance.
  10. Support remediation, then retest to confirm closure and update the risk register and maturity rating.

10. Evidence request list

The following categorised evidence supports an OWASP Top 10 assessment. Requesting it in advance accelerates the engagement and demonstrates programme maturity to auditors and customers.

  • Governance and policy: secure-coding standard, application security policy, SSDLC procedure, patch-management policy.
  • Design artefacts: architecture and data-flow diagrams, threat models, security requirements register, design review sign-offs.
  • Access control: RBAC/authorisation matrix, CORS configuration, session-management design.
  • Cryptography: data classification register, TLS configuration and scan reports, key-management and rotation policy.
  • Components and supply chain: SBOM, SCA scan reports, dependency lock files, EOL component register.
  • Authentication: MFA policy and enrolment reports, password policy, identity-provider configuration.
  • Pipeline and integrity: CI/CD configuration with security gates, artefact-signing and provenance evidence, secret-scan output.
  • Configuration: hardening baselines and compliance scans, CSPM reports, security-header captures.
  • Logging and monitoring: logging standard, SIEM alert rules, sample log records, incident-response plan and test records.
  • Testing history: prior penetration test reports, remediation trackers, retest confirmations, vulnerability metrics.

11. Roles and responsibilities

Clear ownership prevents OWASP Top 10 controls from falling between teams. The table below assigns primary responsibilities across the typical operating model.

RoleResponsibilities
Executive sponsor / CISOOwns application security risk appetite, funds the programme, and reviews metrics and residual risk.
Application security leadMaintains the secure-coding standard, owns tooling and testing strategy, and triages findings.
Development teamsWrite secure code, remediate findings, participate in threat modelling, and meet definition-of-done security criteria.
DevOps / platform engineeringOperate secure CI/CD gates, manage SBOM and artefact integrity, and enforce configuration baselines.
Security operations (SOC)Operate logging, monitoring, and alerting (A09) and respond to detected exploitation attempts.
Penetration testers / AppSec analystsPerform manual verification, validate exploitability, and produce prioritised reports.
Product ownersPrioritise security requirements and remediation within the backlog and accept residual risk decisions.
Internal audit / complianceVerify control operation, evidence adequacy, and mapping to regulatory obligations.

12. KPIs to track

Metrics turn the OWASP Top 10 from an aspiration into a managed capability. Track the following indicators and trend them over time.

  • Percentage of applications with Top 10 coverage in the CI/CD pipeline (SAST/DAST/SCA).
  • Number of open findings by Top 10 category and severity.
  • Mean time to remediate (MTTR) critical and high findings against SLA.
  • Percentage of releases passing security gates without exception.
  • Percentage of new features with a completed threat model (A04 coverage).
  • Number of vulnerable or end-of-life components in production (A06).
  • Percentage of sensitive endpoints protected by MFA (A07).
  • Security event logging and alert coverage against target scenarios (A09).
  • Recurrence rate of previously remediated defect classes.
  • Penetration test findings closed and retested per cycle.

13. Readiness checklist

  • A secure-coding standard mapped to the OWASP Top 10 is documented and adopted.
  • SAST, DAST, SCA, and secret scanning run in the CI/CD pipeline with severity-based gates.
  • An up-to-date SBOM exists for every production application.
  • Deny-by-default access control is enforced server-side and tested for IDOR and privilege escalation.
  • All data in transit uses TLS 1.2+ and sensitive data at rest is encrypted with current algorithms.
  • Parameterised queries and context-aware output encoding are used throughout (injection and XSS).
  • Threat modelling is performed for new features and significant changes.
  • MFA is enforced for administrative and sensitive access, with anti-brute-force protections.
  • Security-relevant events are logged, centralised, and alerted via a SIEM.
  • CI/CD pipelines and dependencies are integrity-protected against supply-chain tampering.
  • Server-side fetches validate URLs and block internal and cloud-metadata addresses (SSRF).
  • Penetration testing aligned to the OWASP Testing Guide is performed at least annually and after major change.

14. Common gaps

Across hundreds of assessments, the same weaknesses recur. Anticipating them accelerates remediation.

  • Access control enforced in the UI but not the API, leaving IDOR and forced-browsing exposures.
  • Reliance on automated scanning alone, missing business-logic and multi-tenant access-control flaws.
  • Sensitive data logged in plaintext or exposed via verbose error messages.
  • Outdated components in production with no SBOM or patch SLA, especially transitive dependencies.
  • MFA available but not enforced for all privileged accounts, and weak session-management defaults.
  • Threat modelling treated as documentation theatre rather than driving design decisions (A04).
  • Security headers and hardening baselines missing or inconsistent across environments.
  • Insufficient logging of access-control failures, leaving breaches undetectable (A09).
  • CI/CD pipelines with weak access control and unsigned artefacts, enabling supply-chain compromise.
  • SSRF protections absent on features that fetch remote URLs, exposing cloud metadata endpoints.

15. OWASP Top 10 mapped to other frameworks

The Top 10 rarely operates in isolation. The table below maps each category to related obligations in PCI DSS v4.0, ISO/IEC 27001:2022 Annex A, the NIST Cybersecurity Framework, and India's DPDP Act reasonable-security expectations, helping teams demonstrate coverage across multiple audits from a single body of work.

OWASP categoryPCI DSS v4.0ISO 27001:2022NIST CSF / DPDP
A01 Broken Access ControlReq 7, Req 8.2A.5.15, A.8.3PR.AC / DPDP access-control safeguards
A02 Cryptographic FailuresReq 3, Req 4A.8.24, A.5.33PR.DS / DPDP encryption of personal data
A03 InjectionReq 6.2.4A.8.28PR.IP / secure development
A04 Insecure DesignReq 6.2A.8.25, A.8.27ID.RA, PR.IP / privacy by design
A05 Security MisconfigurationReq 2, Req 6.4A.8.9PR.IP / hardening
A06 Vulnerable and Outdated ComponentsReq 6.3.2, Req 6.3.3A.8.8ID.RA, PR.MA / patch management
A07 Identification and Authentication FailuresReq 8A.5.17, A.8.5PR.AC / access safeguards
A08 Software and Data Integrity FailuresReq 6.5, Req 11.5A.8.28, A.8.32PR.DS, PR.IP / change control
A09 Security Logging and Monitoring FailuresReq 10A.8.15, A.8.16DE.CM, RS.AN / breach detection
A10 Server-Side Request ForgeryReq 6.2.4A.8.28, A.8.20PR.DS, DE.CM / network safeguards
16. How CyberSigma helps
CyberSigma is a CERT-In empanelled and PCI QSA-led security partner that operationalises the OWASP Top 10 end to end. We assess your applications and APIs against every Top 10 category using manual penetration testing aligned to the OWASP Testing Guide and ASVS, integrate SAST, DAST, SCA, and secret scanning into your CI/CD pipeline, and stand up threat modelling and secure design gates. Our deliverables map findings to PCI DSS, ISO 27001, the DPDP Act, and CERT-In requirements so a single engagement satisfies multiple audits. From baseline gap assessment through continuous assurance and executive reporting, we help you move up the maturity model and demonstrate defensible, evidence-backed application security. Contact CyberSigma to scope an OWASP Top 10 assessment for your web and API estate.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

Is the OWASP Top 10 a standard?
It is an awareness document, not a formal certifiable standard — but it is so widely referenced (including by PCI DSS) that it functions as a de-facto baseline for web app security.
What is OWASP ASVS?
The Application Security Verification Standard is a detailed, testable set of application security requirements — a deeper companion to the awareness-level Top 10.

Need help with OWASP Top 10?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.