1. Introduction
The OWASP Top 10 is the single most widely referenced application security awareness document in the world. Published by the Open Worldwide Application Security Project (OWASP), a non-profit foundation dedicated to improving the security of software, it distils the most critical web application security risks into a consensus-driven, ranked list. For any organisation building, buying, or operating web applications and APIs, the OWASP Top 10 has become the de facto baseline against which secure development, penetration testing, and application security assurance programmes are measured.
This guide is written from the perspective of a CERT-In empanelled auditor and PCI Qualified Security Assessor (QSA). It is intended to help engineering leaders, application security teams, compliance officers, and internal audit functions understand not merely what the OWASP Top 10 lists, but how to operationalise it: how to scope an assessment, what evidence to demand, how to map findings to a maturity model, and how the Top 10 interlocks with binding regulatory frameworks such as PCI DSS, the DPDP Act, ISO/IEC 27001, and the CERT-In directions. Throughout, we treat the OWASP Top 10 not as a checklist to be ticked once, but as a living control set to be embedded across the secure software development lifecycle (SSDLC).
2. What is the OWASP Top 10
The OWASP Top 10 is a periodically updated, ranked list of the ten most critical security risks facing web applications. It is not a formal standard, a certification scheme, or a prescriptive control catalogue in the manner of ISO 27001 or PCI DSS. Instead, it is an awareness and prioritisation document: a shared vocabulary that lets developers, testers, and executives agree on which classes of vulnerability warrant the most urgent attention.
Each entry describes a category of risk rather than a single vulnerability. For example, the category A03:2021 - Injection encompasses SQL injection, NoSQL injection, OS command injection, LDAP injection, expression-language injection, and cross-site scripting (which OWASP folded into Injection in 2021). Categories are ranked using a blend of empirical data (contributed by dozens of security firms covering hundreds of thousands of applications) and an industry survey that captures emerging risks for which hard data may lag.
OWASP maintains parallel Top 10 lists for different technology domains, and it is important not to confuse them. The flagship list is the OWASP Top 10 for web applications. Sibling projects include the OWASP API Security Top 10, the OWASP Mobile Top 10, the OWASP Top 10 for Large Language Model Applications, the OWASP Top 10 CI/CD Security Risks, and the OWASP Top 10 Proactive Controls. Unless otherwise qualified, references in this guide are to the web application Top 10:2021 edition.
Crucially, the OWASP Top 10 is a floor, not a ceiling. Being free of Top 10 issues does not make an application secure; it means the most common and impactful risk classes have been addressed. Mature programmes pair the Top 10 with the broader OWASP Application Security Verification Standard (ASVS), the OWASP Testing Guide, and threat modelling to achieve defensible assurance.
3. Who must comply
Compliance with the OWASP Top 10 is rarely a direct legal mandate; rather, it is embedded by reference into contracts, regulatory guidance, and industry standards. In practice, any organisation that develops or operates internet-facing software is expected to demonstrate that its applications are free of Top 10-class defects. The following table identifies the principal audiences and the mechanism through which the Top 10 becomes binding on them.
| Who | Why the OWASP Top 10 applies to them |
|---|---|
| Software product and SaaS companies | Customer security questionnaires, procurement due diligence, and SOC 2 / ISO 27001 audits routinely require evidence that the SDLC tests for OWASP Top 10 risks. |
| Payment and fintech firms | PCI DSS Requirement 6.2.4 explicitly requires bespoke software to address common attacks including injection, broken access control, and insecure cryptographic storage - the OWASP Top 10 categories. |
| Banks and regulated financial entities (India) | RBI cyber-security frameworks and SEBI CSCRF expect secure application development and VAPT aligned to recognised standards such as OWASP. |
| Government and public-sector suppliers | CERT-In empanelled audits and government tenders frequently mandate OWASP-based application security testing before go-live. |
| Healthcare and data-heavy platforms | DPDP Act reasonable security safeguards and HIPAA security rule expectations are commonly evidenced through OWASP-aligned testing. |
| E-commerce and consumer web platforms | Card-scheme rules, cyber-insurance underwriting, and bug-bounty programmes all reference the Top 10 as a baseline. |
| Development and DevOps teams | Engineering standards and definition-of-done criteria increasingly require Top 10 coverage in code review and CI pipelines. |
| Third-party and outsourced vendors | Client master service agreements often warrant that delivered software is free of OWASP Top 10 vulnerabilities. |
4. Structure of the OWASP Top 10
The OWASP Top 10:2021 comprises ten ranked risk categories, each identified by an Axx code (A01 through A10). Every category aggregates one or more Common Weakness Enumeration (CWE) entries and carries data on incidence rate, exploitability, and impact. The table below enumerates the full 2021 list with its constituent themes and representative CWE mappings. Three categories were new or substantially restructured in 2021: A04 Insecure Design, A08 Software and Data Integrity Failures, and A10 Server-Side Request Forgery.
| Code | Category | Scope and representative CWEs |
|---|---|---|
| A01:2021 | Broken Access Control | Failures to enforce authorisation: privilege escalation, IDOR, path traversal, missing function-level access control. CWE-200, CWE-201, CWE-352, CWE-639. Moved to number one in 2021. |
| A02:2021 | Cryptographic Failures | Weak or missing encryption of data in transit and at rest, poor key management, weak algorithms, exposed secrets. Formerly Sensitive Data Exposure. CWE-259, CWE-327, CWE-331. |
| A03:2021 | Injection | SQL, NoSQL, OS command, LDAP, ORM, and expression-language injection, plus cross-site scripting (XSS). CWE-79, CWE-89, CWE-73. |
| A04:2021 | Insecure Design | Missing or ineffective security controls by design; absence of threat modelling and secure design patterns. New in 2021. CWE-209, CWE-256, CWE-501, CWE-522. |
| A05:2021 | Security Misconfiguration | Insecure defaults, verbose errors, open cloud storage, unnecessary features, missing hardening. Now includes XXE. CWE-16, CWE-611. |
| A06:2021 | Vulnerable and Outdated Components | Use of libraries, frameworks, and modules with known vulnerabilities or that are unsupported. CWE-1104, CWE-937. |
| A07:2021 | Identification and Authentication Failures | Weak authentication, credential stuffing, session fixation, missing MFA. Formerly Broken Authentication. CWE-287, CWE-384. |
| A08:2021 | Software and Data Integrity Failures | Insecure deserialisation, unsigned updates, compromised CI/CD pipelines, untrusted dependencies. New in 2021. CWE-502, CWE-829. |
| A09:2021 | Security Logging and Monitoring Failures | Insufficient logging, missing alerting, inability to detect and respond to breaches. CWE-778, CWE-117. |
| A10:2021 | Server-Side Request Forgery (SSRF) | Application fetches a remote resource without validating the user-supplied URL. New in 2021, survey-driven. CWE-918. |
5. Master assessment checklist
This is the operational heart of the guide. For each of the ten categories we provide the concrete items an auditor should verify and the typical evidence that substantiates them. The intent is exhaustive coverage: every category is addressed with a dedicated table so that no risk class is skipped during an assessment. Verification items are drawn from the OWASP prevention guidance, the ASVS, and field audit practice.
A01 - Broken Access Control
| What to verify | Typical evidence |
|---|---|
| Deny-by-default authorisation is enforced server-side for every resource and function | Access-control design document, code review of authorisation middleware, sample denied-request logs |
| Object-level authorisation prevents insecure direct object references (IDOR) | Penetration test showing a user cannot access another user's record by changing an identifier |
| Function-level and role-based access control is applied consistently, not only in the UI | RBAC matrix, negative test cases attempting privileged actions as a low-privilege user |
| Rate limiting and anti-automation protect against forced browsing and enumeration | WAF or gateway rate-limit configuration, throttling logs |
| CORS policy is restrictive and does not use wildcard origins for authenticated endpoints | CORS configuration files, HTTP response header captures |
| JWTs and session tokens are validated for signature, expiry, and scope on every request | Token validation code, tests forging or tampering with claims |
| Access-control failures are logged and alerted to administrators | Sample authorisation-denied log entries and SIEM alert rules |
A02 - Cryptographic Failures
| What to verify | Typical evidence |
|---|---|
| Sensitive data at rest is classified and encrypted with strong, current algorithms | Data classification register, encryption configuration, algorithm inventory (AES-256, RSA-2048+) |
| All data in transit uses TLS 1.2+ with strong cipher suites and HSTS | SSL Labs / testssl.sh report, load-balancer TLS configuration |
| No use of deprecated algorithms (MD5, SHA-1, DES, RC4) or hard-coded keys | SAST secret-scan output, cryptographic inventory review |
| Passwords are stored using adaptive salted hashing (bcrypt, scrypt, Argon2, PBKDF2) | Code review of password storage, database schema showing hash format |
| Cryptographic keys are managed in a KMS or HSM with rotation and access control | KMS/HSM configuration, key-rotation policy and logs |
| Secrets are not committed to source control or logged | Git secret-scan results, log-sanitisation review |
| Randomness for tokens uses a cryptographically secure PRNG | Code review of token generation routines |
A03 - Injection
| What to verify | Typical evidence |
|---|---|
| All database access uses parameterised queries or an ORM with safe bindings | Code review confirming no string-concatenated queries, DAST injection test results |
| Cross-site scripting (XSS) is prevented via context-aware output encoding and CSP | Rendered output review, Content-Security-Policy header, XSS test payload results |
| OS command, LDAP, and expression-language inputs are validated or avoided entirely | Code review of shell/command execution paths, test cases with metacharacters |
| Input validation applies positive (allow-list) server-side validation | Validation schema definitions, negative test evidence |
| ORM/query layers escape special characters and use least-privilege DB accounts | Database grant configuration, ORM configuration review |
| Automated SAST and DAST tooling covers injection classes in the pipeline | CI scan reports flagging injection rules |
| Stored procedures and dynamic SQL are reviewed for safe parameterisation | Stored-procedure code review notes |
A04 - Insecure Design
| What to verify | Typical evidence |
|---|---|
| Threat modelling is performed for new features and significant changes | Threat model artefacts (STRIDE/attack trees) linked to design tickets |
| Security requirements are defined and traced from design to test | Security requirements register, requirement-to-test traceability matrix |
| Secure design patterns and reference architectures are used and reused | Documented secure design patterns, architecture review board minutes |
| Business-logic abuse cases are identified and tested (e.g. abuse of workflows) | Abuse-case catalogue, business-logic penetration test findings |
| Segregation of tenants and trust boundaries is designed explicitly | Data-flow diagrams showing trust boundaries and segmentation |
| Resource and rate limits are designed into critical flows | Design docs specifying limits, load/abuse test evidence |
| Security is a gated criterion in the design and architecture review | Design gate checklist and sign-off records |
A05 - Security Misconfiguration
| What to verify | Typical evidence |
|---|---|
| Hardening baselines are defined and applied to all environments | CIS Benchmark or equivalent hardening standard and compliance scan results |
| Default accounts, sample apps, and unused features are removed or disabled | Configuration audit, port and service inventory |
| Error handling does not leak stack traces or internal details to users | Error-response captures, generic error-page configuration |
| Security headers (CSP, X-Content-Type-Options, X-Frame-Options, HSTS) are set | HTTP response header scan output |
| Cloud storage buckets and services are not publicly exposed unintentionally | Cloud Security Posture Management (CSPM) report, bucket ACL review |
| XML parsers are configured to disable external entity resolution (prevent XXE) | Parser configuration review, XXE test results |
| Configuration is version-controlled and drift is detected automatically | IaC repository, configuration-drift alerts |
A06 - Vulnerable and Outdated Components
| What to verify | Typical evidence |
|---|---|
| A complete inventory (SBOM) of components and versions is maintained | Software Bill of Materials, dependency manifest |
| Software Composition Analysis (SCA) runs in the pipeline and blocks critical CVEs | SCA scan reports, CI gate configuration |
| A patch and upgrade policy defines SLAs by severity | Patch-management policy, remediation ticket ageing report |
| Unsupported or end-of-life components are identified and remediated | EOL component register and migration plan |
| Only trusted, signed sources and repositories are used for dependencies | Package-registry configuration, dependency-pinning and lock files |
| Client-side libraries (JS/CSS) are inventoried and updated | Front-end dependency scan, subresource integrity (SRI) usage |
| Component vulnerability monitoring feeds into alerting | Continuous monitoring alerts and triage records |
A07 - Identification and Authentication Failures
| What to verify | Typical evidence |
|---|---|
| Multi-factor authentication is enforced for sensitive and administrative access | MFA policy and configuration, enrolment reports |
| Protections against credential stuffing and brute force are in place | Account-lockout and rate-limit configuration, failed-login monitoring |
| Weak and breached passwords are rejected using a deny-list | Password policy, breached-password check integration evidence |
| Session identifiers are random, rotated on login, and invalidated on logout | Session-management code review, session-fixation test results |
| Session timeout and re-authentication for sensitive operations are enforced | Timeout configuration, step-up authentication evidence |
| Credential recovery flows do not reveal account existence or use weak secrets | Password-reset flow review and test results |
| Default and shared credentials are prohibited | Access-review records, identity provider configuration |
A08 - Software and Data Integrity Failures
| What to verify | Typical evidence |
|---|---|
| Deserialisation of untrusted data is avoided or safely constrained | Code review of deserialisation, tests for insecure object deserialisation |
| CI/CD pipelines enforce access control and integrity of build artefacts | Pipeline access controls, artefact-signing configuration |
| Software updates, plugins, and libraries are verified via signatures or hashes | Signature/checksum verification evidence, SRI for client assets |
| Dependency sources are validated and internal registries protected | Registry configuration, dependency-confusion mitigation evidence |
| Unsigned or unverified code cannot be deployed to production | Deployment gate configuration, provenance/SLSA attestation |
| Serialised objects crossing trust boundaries include integrity checks | Design review of data-integrity controls |
| Build reproducibility and provenance are maintained | Build logs, provenance attestations |
A09 - Security Logging and Monitoring Failures
| What to verify | Typical evidence |
|---|---|
| Security-relevant events (logins, access-control failures, high-value transactions) are logged | Logging standard, sample log records with required fields |
| Logs contain sufficient context and use a consistent, parseable format | Log schema, sample structured log entries |
| Logs are centralised, tamper-resistant, and retained per policy | SIEM ingestion configuration, log-retention policy |
| Alerting and correlation rules detect suspicious activity in near real time | SIEM alert rules, sample generated alerts |
| An incident response plan is defined, tested, and linked to monitoring | IR plan, tabletop exercise records |
| Logs avoid recording sensitive data such as passwords or full card numbers | Log-sanitisation review evidence |
| Monitoring coverage is validated against known attack scenarios | Detection-coverage assessment (e.g. MITRE ATT&CK mapping) |
A10 - Server-Side Request Forgery (SSRF)
| What to verify | Typical evidence |
|---|---|
| User-supplied URLs used for server-side fetches are validated against an allow-list | Code review of fetch logic, SSRF test results |
| Requests to internal, link-local, and cloud-metadata addresses are blocked | Network egress rules, tests against 169.254.169.254 and RFC1918 ranges |
| Network segmentation limits what the application server can reach | Firewall/egress configuration, network diagram |
| URL schemes are restricted (e.g. only http/https) and redirects are controlled | Scheme allow-list configuration, redirect-following test evidence |
| Responses from fetched resources are not returned raw to the client | Response-handling code review |
| DNS rebinding and time-of-check-to-time-of-use risks are mitigated | Design review, resolved-IP pinning evidence |
| SSRF attempts are logged and alerted | Egress-denied log samples and alert rules |
6. Scoping
Effective scoping determines whether an OWASP Top 10 assessment produces defensible assurance or a false sense of security. Because the Top 10 is application-centric, scope should be expressed in terms of applications, APIs, and the environments in which they run, not merely IP ranges. Before testing begins, agree the boundary in writing.
- Enumerate every in-scope application, micro-service, and API, including internal and partner-facing interfaces.
- Identify the environments to be tested (production, staging, or a production-parity test environment) and confirm data handling rules.
- Decide which Top 10 edition and companion standards apply (web Top 10:2021, API Security Top 10, ASVS level).
- Determine test perspectives: unauthenticated, authenticated per role, and multi-tenant cross-account testing.
- Confirm authentication material, test accounts, and API keys required for authenticated coverage.
- Clarify exclusions (third-party SaaS, DoS testing, social engineering) and rules of engagement, including test windows.
- Include supporting infrastructure and configuration only insofar as it affects application risk (TLS, WAF, cloud storage).
- Define the definition-of-done for remediation and retesting before the engagement starts.
7. Implementation approach
Embedding the OWASP Top 10 into an organisation is a programme, not a project. The following phased approach moves from baseline awareness to continuous, automated assurance across the SSDLC. Each phase lists indicative activities and the deliverables that evidence its completion.
Phase 1 - Baseline and awareness
- Activities: Establish a secure-coding standard mapped to the Top 10; deliver developer awareness training; perform a gap assessment of current applications against each category.
- Deliverables: Secure-coding standard, training completion records, baseline gap-assessment report and risk register.
Phase 2 - Tooling and pipeline integration
- Activities: Integrate SAST, DAST, SCA, and secret scanning into CI/CD; define quality gates by severity; produce an SBOM for each build.
- Deliverables: Pipeline configuration with security gates, tool coverage matrix, SBOM artefacts, initial scan baselines.
Phase 3 - Secure design and threat modelling
- Activities: Introduce threat modelling for new features; establish an architecture review gate; build a library of reusable secure design patterns (addressing A04).
- Deliverables: Threat-model templates and completed models, design review checklist, secure design pattern catalogue.
Phase 4 - Verification and penetration testing
- Activities: Conduct manual penetration testing aligned to the OWASP Testing Guide and ASVS; verify business-logic and access-control risks that tools miss; perform remediation and retesting.
- Deliverables: Penetration test reports, remediation tracker, retest confirmation, ASVS verification results.
Phase 5 - Continuous assurance and governance
- Activities: Operationalise logging and monitoring (A09); run continuous component monitoring; maintain metrics and executive reporting; feed findings back into standards and training.
- Deliverables: Security metrics dashboard, monitoring and alerting coverage report, periodic management review records, updated standards.
8. Maturity and capability model
To move beyond pass/fail thinking, organisations should assess the maturity of their OWASP Top 10 programme. The model below draws on the spirit of OWASP SAMM (Software Assurance Maturity Model) and provides five levels against which capability can be scored. Each application or business unit can be rated, and the aggregate reveals where investment is needed.
| Level | Maturity and characteristics |
|---|---|
| Level 0 - Absent | No secure-coding standard, no security testing, Top 10 risks addressed only reactively after incidents. |
| Level 1 - Initial | Ad hoc awareness of the Top 10; occasional manual testing; findings tracked informally with no SLAs. |
| Level 2 - Managed | Secure-coding standard adopted; automated SAST/SCA in place; periodic penetration testing with a remediation tracker. |
| Level 3 - Defined | Threat modelling and design gates operate; DAST and secret scanning integrated; metrics reported to management; ASVS targets set. |
| Level 4 - Measured | Coverage and remediation SLAs are measured and enforced; monitoring detects exploitation attempts; risk-based prioritisation is data-driven. |
| Level 5 - Optimising | Continuous assurance across the SSDLC; feedback loops improve standards and training; near-zero recurring Top 10 defect classes. |
9. Assessment and audit approach
A structured audit ensures the OWASP Top 10 is genuinely embedded rather than merely claimed. The following ordered steps describe how CyberSigma conducts an OWASP-aligned application security assessment.
- Define scope, rules of engagement, and success criteria with stakeholders, and confirm the applicable Top 10 edition and ASVS level.
- Gather documentation: architecture diagrams, data-flow diagrams, threat models, secure-coding standards, and prior test reports.
- Perform reconnaissance and mapping of the application, its endpoints, roles, and trust boundaries.
- Run automated testing (SAST, DAST, SCA, secret scanning) to establish a coverage baseline and surface obvious defects.
- Conduct manual testing against each of the ten categories, prioritising access control, injection, and business-logic abuse.
- Perform authenticated and multi-role testing to expose broken access control and privilege escalation.
- Validate findings to eliminate false positives and confirm real-world exploitability and impact.
- Rate each finding by severity using CVSS and business context, and map it to the relevant Top 10 category and CWE.
- Deliver a prioritised report with reproduction steps, evidence, and remediation guidance.
- Support remediation, then retest to confirm closure and update the risk register and maturity rating.
10. Evidence request list
The following categorised evidence supports an OWASP Top 10 assessment. Requesting it in advance accelerates the engagement and demonstrates programme maturity to auditors and customers.
- Governance and policy: secure-coding standard, application security policy, SSDLC procedure, patch-management policy.
- Design artefacts: architecture and data-flow diagrams, threat models, security requirements register, design review sign-offs.
- Access control: RBAC/authorisation matrix, CORS configuration, session-management design.
- Cryptography: data classification register, TLS configuration and scan reports, key-management and rotation policy.
- Components and supply chain: SBOM, SCA scan reports, dependency lock files, EOL component register.
- Authentication: MFA policy and enrolment reports, password policy, identity-provider configuration.
- Pipeline and integrity: CI/CD configuration with security gates, artefact-signing and provenance evidence, secret-scan output.
- Configuration: hardening baselines and compliance scans, CSPM reports, security-header captures.
- Logging and monitoring: logging standard, SIEM alert rules, sample log records, incident-response plan and test records.
- Testing history: prior penetration test reports, remediation trackers, retest confirmations, vulnerability metrics.
11. Roles and responsibilities
Clear ownership prevents OWASP Top 10 controls from falling between teams. The table below assigns primary responsibilities across the typical operating model.
| Role | Responsibilities |
|---|---|
| Executive sponsor / CISO | Owns application security risk appetite, funds the programme, and reviews metrics and residual risk. |
| Application security lead | Maintains the secure-coding standard, owns tooling and testing strategy, and triages findings. |
| Development teams | Write secure code, remediate findings, participate in threat modelling, and meet definition-of-done security criteria. |
| DevOps / platform engineering | Operate secure CI/CD gates, manage SBOM and artefact integrity, and enforce configuration baselines. |
| Security operations (SOC) | Operate logging, monitoring, and alerting (A09) and respond to detected exploitation attempts. |
| Penetration testers / AppSec analysts | Perform manual verification, validate exploitability, and produce prioritised reports. |
| Product owners | Prioritise security requirements and remediation within the backlog and accept residual risk decisions. |
| Internal audit / compliance | Verify control operation, evidence adequacy, and mapping to regulatory obligations. |
12. KPIs to track
Metrics turn the OWASP Top 10 from an aspiration into a managed capability. Track the following indicators and trend them over time.
- Percentage of applications with Top 10 coverage in the CI/CD pipeline (SAST/DAST/SCA).
- Number of open findings by Top 10 category and severity.
- Mean time to remediate (MTTR) critical and high findings against SLA.
- Percentage of releases passing security gates without exception.
- Percentage of new features with a completed threat model (A04 coverage).
- Number of vulnerable or end-of-life components in production (A06).
- Percentage of sensitive endpoints protected by MFA (A07).
- Security event logging and alert coverage against target scenarios (A09).
- Recurrence rate of previously remediated defect classes.
- Penetration test findings closed and retested per cycle.
13. Readiness checklist
- A secure-coding standard mapped to the OWASP Top 10 is documented and adopted.
- SAST, DAST, SCA, and secret scanning run in the CI/CD pipeline with severity-based gates.
- An up-to-date SBOM exists for every production application.
- Deny-by-default access control is enforced server-side and tested for IDOR and privilege escalation.
- All data in transit uses TLS 1.2+ and sensitive data at rest is encrypted with current algorithms.
- Parameterised queries and context-aware output encoding are used throughout (injection and XSS).
- Threat modelling is performed for new features and significant changes.
- MFA is enforced for administrative and sensitive access, with anti-brute-force protections.
- Security-relevant events are logged, centralised, and alerted via a SIEM.
- CI/CD pipelines and dependencies are integrity-protected against supply-chain tampering.
- Server-side fetches validate URLs and block internal and cloud-metadata addresses (SSRF).
- Penetration testing aligned to the OWASP Testing Guide is performed at least annually and after major change.
14. Common gaps
Across hundreds of assessments, the same weaknesses recur. Anticipating them accelerates remediation.
- Access control enforced in the UI but not the API, leaving IDOR and forced-browsing exposures.
- Reliance on automated scanning alone, missing business-logic and multi-tenant access-control flaws.
- Sensitive data logged in plaintext or exposed via verbose error messages.
- Outdated components in production with no SBOM or patch SLA, especially transitive dependencies.
- MFA available but not enforced for all privileged accounts, and weak session-management defaults.
- Threat modelling treated as documentation theatre rather than driving design decisions (A04).
- Security headers and hardening baselines missing or inconsistent across environments.
- Insufficient logging of access-control failures, leaving breaches undetectable (A09).
- CI/CD pipelines with weak access control and unsigned artefacts, enabling supply-chain compromise.
- SSRF protections absent on features that fetch remote URLs, exposing cloud metadata endpoints.
15. OWASP Top 10 mapped to other frameworks
The Top 10 rarely operates in isolation. The table below maps each category to related obligations in PCI DSS v4.0, ISO/IEC 27001:2022 Annex A, the NIST Cybersecurity Framework, and India's DPDP Act reasonable-security expectations, helping teams demonstrate coverage across multiple audits from a single body of work.
| OWASP category | PCI DSS v4.0 | ISO 27001:2022 | NIST CSF / DPDP |
|---|---|---|---|
| A01 Broken Access Control | Req 7, Req 8.2 | A.5.15, A.8.3 | PR.AC / DPDP access-control safeguards |
| A02 Cryptographic Failures | Req 3, Req 4 | A.8.24, A.5.33 | PR.DS / DPDP encryption of personal data |
| A03 Injection | Req 6.2.4 | A.8.28 | PR.IP / secure development |
| A04 Insecure Design | Req 6.2 | A.8.25, A.8.27 | ID.RA, PR.IP / privacy by design |
| A05 Security Misconfiguration | Req 2, Req 6.4 | A.8.9 | PR.IP / hardening |
| A06 Vulnerable and Outdated Components | Req 6.3.2, Req 6.3.3 | A.8.8 | ID.RA, PR.MA / patch management |
| A07 Identification and Authentication Failures | Req 8 | A.5.17, A.8.5 | PR.AC / access safeguards |
| A08 Software and Data Integrity Failures | Req 6.5, Req 11.5 | A.8.28, A.8.32 | PR.DS, PR.IP / change control |
| A09 Security Logging and Monitoring Failures | Req 10 | A.8.15, A.8.16 | DE.CM, RS.AN / breach detection |
| A10 Server-Side Request Forgery | Req 6.2.4 | A.8.28, A.8.20 | PR.DS, DE.CM / network safeguards |
Frequently asked questions
Need help with OWASP Top 10?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
