OWASP Top 10
The OWASP Top 10 is a community-curated list of the most critical web application security risks, published every 3-4 years by the Open Web Application Security Project. The 2021 list leads with broken access control, cryptographic failures, and injection, each backed by examples, prevention guidance, and detection patterns.
The Top 10 has become the de facto baseline checklist for web application security: PCI-DSS, SOC 2, and most regulatory frameworks reference it explicitly. The framing is risk-based (likelihood × impact), not exploit-popularity-based, which is why broken access control (the #1) covers a huge variety of underlying bugs. The pragmatic use: read the current Top 10 cover-to-cover during onboarding, run a Top-10-aligned audit annually, and ensure every relevant category has at least one automated check in CI. The list does not replace threat modelling for a specific application, but it does cover most of the categories that get teams paged on incident day.
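To make the #1 category concrete, the following added example (not code from the OWASP page or project) shows the simplest form of broken access control, an object read that skips the ownership check, next to a hardened handler that denies by default, together with the kind of small automated regression check the paragraph recommends wiring into CI. The invoice store, user names and handler functions are constructed for this illustration.

```python
"""Added example (not from the OWASP page): minimal broken access control
(OWASP Top 10 2021 #1) beside its fix, plus a CI-style authorisation check.
All data, users and handlers here are constructed for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed sample data: two tenants, each owning one invoice.
INVOICES = {
    100: Invoice(id=100, owner="alice", amount=42),
    101: Invoice(id=101, owner="bob", amount=99),
}


class Forbidden(Exception):
    """Caller is authenticated but not authorised for the requested object."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """Insecure direct object reference: the caller is authenticated, but the
    handler never checks that the invoice belongs to them."""
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user: str, invoice_id: int) -> Invoice:
    """Object-level authorisation: look the object up, then verify ownership
    server-side before returning it. Deny by default."""
    invoice = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so the response does not
    # confirm which invoice ids exist.
    if invoice is None or invoice.owner != current_user:
        raise Forbidden(f"user {current_user!r} may not read invoice {invoice_id}")
    return invoice


def authorisation_check(handler) -> set:
    """CI-style regression check: for every user, attempt to read every invoice
    owned by someone else. Returns the set of (user, invoice_id) pairs the
    handler wrongly allowed; an empty set means the check passes."""
    leaked = set()
    for user in ("alice", "bob"):
        for inv_id, inv in INVOICES.items():
            if inv.owner == user:
                continue  # reading your own invoice is fine
            try:
                handler(user, inv_id)
                leaked.add((user, inv_id))  # cross-tenant read succeeded: bug
            except Forbidden:
                pass  # correctly denied
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", authorisation_check(get_invoice_vulnerable))
    print("hardened handler leaks:  ", authorisation_check(get_invoice_hardened))
```

The check is deliberately written as a function that returns the set of leaks rather than printing them, so a CI job can fail the build on a non-empty result; the same shape scales to real applications by replacing the in-memory store with fixtures for each tenant.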