OWASP top 10

What is the OWASP top 10?

OWASP stands for Open Web Application Security Project. This non-profit foundation works to improve software security. They have published a top 10 list that acts as an awareness document for developers. It represents a broad consensus about the most critical security risks.

Our goal at Snyk Learn is to educate developers and one way we do that is by covering the OWASP top 10 list. By completing the modules below, you will have taken steps toward creating more secure applications and having a better understanding of security risks!


Broken Access Control

Broken Access Control had more occurrences in applications than any other category. We want to ensure users cannot act outside their intended permissions, for example by reading or modifying another user's records simply by changing an identifier in a request.
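The "insecure direct object reference" pattern above is the classic example of this category. The block below is an added illustration, not code from Snyk Learn or from the OWASP project: a lookup that trusts the identifier in the request beside one that enforces an object-level ownership check. The `User`, `Invoice`, role names and the `INVOICES` table are constructed sample data for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed roles for the example: "customer" or "support"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: float


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=7, total=120.0),
    1002: Invoice(1002, owner_id=8, total=75.5),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """Broken access control: the record is returned to any authenticated
    user who supplies its id, so ids can simply be incremented to read
    everyone else's invoices."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Object-level check: only the owner or support staff may read it.
    A missing record and a forbidden record get the same response, so
    the endpoint cannot be used to enumerate which ids exist."""
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        user.role == "support" or invoice.owner_id == user.id
    )
    if not allowed:
        raise Forbidden(f"user {user.id} may not read invoice {invoice_id}")
    return invoice


def can_read(user: User, invoice_id: int) -> bool:
    """Convenience wrapper: True if get_invoice would return the record."""
    try:
        get_invoice(user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User(id=7, role="customer")
    bob = User(id=8, role="customer")
    agent = User(id=99, role="support")
    # The vulnerable version happily hands Bob's invoice to Alice.
    print(get_invoice_vulnerable(alice, 1002))
    # The checked version does not.
    print(can_read(alice, 1001), can_read(alice, 1002), can_read(agent, 1002))
```

The decision is made on the server from the authenticated identity and the record's owner, never from anything the client sends besides the id. Keep the check next to the data access rather than in the UI, so every code path that reaches the record goes through it.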

Cryptographic failures

This is a broad topic that can lead to sensitive data exposure or system compromise. We want to make sure we are always protecting data and storing it securely.

Injection

This is a large topic that includes SQL injection, XSS, prototype pollution and more.

Insecure Design

Insecure design represents different weaknesses, expressed as “missing or ineffective control design.” Unlike the other categories, it cannot be fixed by a perfect implementation, because the needed controls were never designed in.

Security Misconfiguration

As software becomes more configurable, there is more that needs to be done to ensure it is configured properly and securely.

Vulnerable and outdated components

By the time you finish reading this, a new vulnerability has been found! We need to make sure we are keeping up-to-date with our components.

Identification and Authentication Failures

Are you who you say you are? Confirming a user’s identity, authenticating them correctly, and managing their session securely all fall under this category.

Software and Data Integrity Failures

Let’s not rely on plugins, libraries, or modules from untrusted sources! This includes repositories and content delivery networks (CDNs).

Security Logging and Monitoring Failures

How are we supposed to detect a breach when we have no logs? Logging and monitoring are crucial for our applications.

Server-Side Request Forgery

SSRF flaws occur whenever the application fetches a remote resource without validating the user-supplied URL, letting an attacker make the server reach internal hosts it was never meant to contact.
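As an added example (not code from Snyk Learn or OWASP), here is the vulnerable fetch pattern beside a URL validator that applies the checks a practitioner would want before the request is made: scheme restriction, rejection of embedded credentials, rejection of IP literals in loopback, link-local and private ranges (which covers the cloud metadata address 169.254.169.254), and a hostname allowlist. `ALLOWED_HOSTS`, `ALLOWED_SCHEMES` and the sample URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this service may fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def fetch_unvalidated(url: str) -> str:
    """Vulnerable pattern: the caller's URL goes straight to the HTTP
    client. To keep the example offline it returns the URL that would be
    requested instead of performing the request."""
    return url


def is_internal_address(host: str) -> bool:
    """True if host is an IP literal in a range that must never be reached
    from user-controlled input (loopback, link-local, private, reserved)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; the hostname allowlist decides
    return (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_reserved
        or addr.is_multicast
        or addr.is_unspecified
    )


def check_outbound_url(url: str) -> str:
    """Return "ok" if the URL may be fetched, otherwise the reason it was
    rejected. Kept as a string so callers can log the decision."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parsed.scheme!r}"
    if parsed.username is not None or parsed.password is not None:
        # "https://api.example.com@evil.com/" parses with evil.com as host.
        return "credentials in URL not allowed"
    host = parsed.hostname  # lowercased, without userinfo or port
    if not host:
        return "missing host"
    if is_internal_address(host):
        return f"internal address not allowed: {host}"
    if host not in ALLOWED_HOSTS:
        return f"host not in allowlist: {host}"
    return "ok"


def fetch_validated(url: str) -> str:
    """Hardened pattern: validate first, then hand the URL to the client."""
    verdict = check_outbound_url(url)
    if verdict != "ok":
        raise ValueError(verdict)
    return fetch_unvalidated(url)


if __name__ == "__main__":
    # Constructed sample inputs, including the usual SSRF probes.
    for candidate in [
        "https://api.example.com/v1/report?id=42",
        "http://169.254.169.254/latest/meta-data/",
        "https://127.0.0.1:8080/admin",
        "file:///etc/passwd",
        "https://api.example.com@evil.com/",
        "https://[::1]/",
    ]:
        print(candidate, "->", check_outbound_url(candidate))
```

Two caveats worth keeping in mind: the allowlist trusts DNS, so an attacker who controls a listed name (or a DNS rebinding setup) can still point it at an internal address, which is why the resolved IP should be checked again inside the HTTP client; and redirects must be disabled or re-validated, because an allowed host that 302s to an internal URL bypasses a check made only on the original string.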