# OWASP Top 10:2021 -- What's New

By [Theo Despoudis](https://www.paloaltonetworks.com/blog/author/theo-despoudis/?ts=markdown "Posts by Theo Despoudis") | Nov 04, 2021 | 7 minutes

The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to promoting best practices, methodologies, and tools for developing secure and reliable applications. In 2003, it began publishing a list of the ten most critical web application security risks, based on real-world vulnerability data and community evaluation. According to the 2021 edition of the list, risks like insecure design, Server-Side Request Forgery (SSRF), and software and data integrity failures are on the rise. These issues can seriously compromise application security. Keep reading for an explanation of what's new in the OWASP Top 10 for 2021, along with an introduction to some mitigation techniques you can use to protect against these risks.

## **What Is the OWASP Top 10 and Why Is It Valuable to Security Teams?**

Simply put, the OWASP Top 10 is a list of the ten most critical security risks that web applications face. It's updated periodically to reflect the current state of web application security and related fields. Crucially, OWASP derives the ranking from vulnerability data contributed by organizations across the industry, supplemented by a community survey, and each category maps to a list of CWEs which they [reference on their website](https://owasp.org/Top10/A01_2021-Broken_Access_Control/#list-of-mapped-cwes). The list is valuable for security teams because it lets them correlate real security events with their own security policies. For example, they can research past incidents in each category and compile a checklist that they can use to assess how prepared they are to guard against those risks. Let's take a look at the new categories of risks that are part of the OWASP Top 10:2021.
## **What Are the New Categories in the OWASP Top 10 for 2021?**

According to the official [OWASP Top 10:2021](https://owasp.org/Top10/), several categories have changed rank, some have been merged or renamed, and three new categories have been added, as you can see below:

![Source: https://owasp.org/](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/11/diagram-description-automatically-generated.png)

Source: https://owasp.org/

### **A04:2021 -- Insecure Design**

This is a new category that stresses the fact that failing to integrate secure design early in the development cycle often results in applications that are insecure regardless of how well they are implemented: a missing control cannot be fixed by a perfect implementation. Common mitigation techniques rely on [shift-left security](https://www.paloaltonetworks.com/resources/techbriefs/shift-left-and-enable-devsecops?ts=markdown) and on ensuring that security requirements are baked into the software from the start. Development teams should start thinking about potential threat actors as early as possible, and they should integrate [threat modeling](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/threat-prevention?ts=markdown) into their process so that they are prepared for the scenarios that matter. Concretely, the development and security teams should brainstorm about how the application's business logic could be abused before attackers do it in production. That way, they can design in security controls and fallbacks for when those incidents occur. Notable CWEs mapped to this category include [CWE-183: Permissive List of Allowed Inputs](https://cwe.mitre.org/data/definitions/183.html) and [CWE-209: Generation of Error Message Containing Sensitive Information](https://cwe.mitre.org/data/definitions/209.html).

### **A08:2021 -- Software and Data Integrity Failures**

This is another new category for 2021, and it ranks eighth on the list.
This category covers code and infrastructure that do not protect against integrity violations: pulling libraries, plugins, or modules from untrusted sources, registries, or CDNs, and build pipelines or auto-update mechanisms that don't verify what they fetch. (Many npm package compromises work this way.) Your application may end up downloading and running a tampered dependency from a public repository because its contents were modified after you first vetted it. One obvious solution is to verify integrity whenever you download dependencies, for example by pinning versions in a lock file and checking the recorded hash or signature of each artifact before it is installed. You can also use a private registry to ensure that you only download from trusted sources. Scanning dependencies as part of your [CI/CD pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security?ts=markdown) exposes security issues early by notifying the code owners before the final deployment.

### **A10:2021 -- Server-Side Request Forgery**

This is a new category that occupies the tenth spot on the list. SSRF occurs when an application fetches a remote resource from a user-supplied URL without validating it, so the attacker can force the server to issue requests on their behalf, hence the name. Because the server usually sits inside the network perimeter, those requests can reach internal services, cloud metadata endpoints, or other hosts that are never exposed to the internet. For example, an attacker might submit a crafted URL in a webhook, image-fetch, or "import from URL" parameter that points at an internal admin service or at a host outside the set of destinations the application is meant to talk to. This increases the risk of exposing sensitive information or performing unintended actions. To prevent this kind of attack, validate user-supplied URLs on the server against an allowlist of permitted hosts with strict parsing, reject any deviation from those patterns, and back the application-level check with outbound firewall or egress proxy rules so that a bypass in the code still cannot reach internal networks.
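The allowlist check for the A10 section above, written out as an added example (this is not code from the original post or from any Palo Alto Networks product). It assumes a hypothetical allowlist of two hostnames and a constructed resolver; it uses only the Python standard library. The point it makes beyond the prose is that a name being on the allowlist is not enough: the address the name resolves to has to be checked too, which is how an internal CNAME or a DNS-rebinding attempt gets caught.

```python
"""Added example for A10:2021 (SSRF): validate a user-supplied URL against an
allowlist before the server fetches it. The allowlist and the DNS answers are
constructed for the demo, not taken from any real deployment."""
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist: hostnames the application is permitted to call out to.
ALLOWED_HOSTS = frozenset({"api.example.com", "hooks.example.com"})

# Constructed DNS answers standing in for a real resolver. hooks.example.com
# deliberately points at an RFC 1918 address to simulate an internal CNAME
# or a DNS-rebinding attempt.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "hooks.example.com": ["10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def _all_public(addrs):
    """True only if every address is globally routable: rejects loopback,
    RFC 1918, link-local (169.254.169.254 metadata) and IPv6 ULA ranges."""
    try:
        return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)
    except ValueError:
        return False


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=None):
    """Return (ok, reason). `resolve(host)` must return the addresses the
    HTTP client will actually connect to; pass None to skip the DNS check."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme not allowed"
    # https://api.example.com@evil.example/ parses with evil.example as host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "port not allowed"
    # The allowlist is by name, so an IP literal (v4 or bracketed v6) can
    # never be valid; reject it explicitly with a clear reason.
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass
    host = host.rstrip(".")
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    # The name is allowed, but an allowed name that resolves to an internal
    # address must still be rejected.
    if resolve is not None and not _all_public(resolve(host)):
        return False, "host resolves to a non-public address"
    return True, "ok"


if __name__ == "__main__":
    for u in ["https://api.example.com/v1/ping",
              "http://api.example.com/",
              "https://169.254.169.254/latest/meta-data/",
              "https://api.example.com@evil.example/",
              "https://hooks.example.com/notify"]:
        print(u, validate_outbound_url(u, resolve=fake_resolve))
```

Two caveats that the function cannot solve on its own: the HTTP client must connect to the address that was checked (resolve once and pin, or route through an egress proxy that applies the same policy), otherwise a second DNS lookup at connect time reopens the rebinding window; and if the client follows redirects, every hop has to go through the same validation, since a permitted host can 302 to an internal one.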
## **How Have Other Categories Evolved Since 2017?**

The ranking of risks on the OWASP Top 10 has changed since 2017, partly because attackers have found new ways to exploit applications, and partly because the contributed data now reflects how often each weakness actually occurs in tested applications. Let's take a look at a few of them.

### **A01:2021 -- Broken Access Control**

This moved from number 5 to number 1, and it now represents the most common risk for web applications. It covers flaws that let an attacker act outside their intended permissions: reading or exfiltrating other users' data by tampering with an identifier or URL, reaching private resources through path manipulation, or escalating privileges. Although this risk is very concerning, there is a great deal of documentation on how to protect against it. The rise is most likely due to failures to set a secure baseline (deny access to resources by default and enforce it on the server, never only in the client), misconfigurations (for example, publicly readable S3 buckets or credentials leaked into version control systems), and the absence of security reviews before releases (which would catch issues like missing authorization checks and missing test cases for the negative paths). Hopefully, this list will help security professionals understand the risks of improper authorization and access control and help them prepare to mitigate them.

### **A03:2021 -- Injection**

This category slid from number 1 to number 3 on the list. In 2021 it also absorbs [Cross-Site Scripting (XSS)](https://www.paloaltonetworks.com/cyberpedia/xss-cross-site-scripting?ts=markdown), so it now covers both XSS and SQL injection. Injection attacks remain a constant threat to web applications because they penetrate defenses easily and cause critical damage. Using web frameworks and database drivers that parameterize queries and encode output by default will go a long way toward preventing those kinds of issues.
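An added example for the A01 and A03 sections above (not code from the original post): one invoice lookup written first the insecure way, with the id interpolated into SQL and no check that the row belongs to the caller, and then hardened with a bound parameter and an ownership predicate inside the query. The table, rows, and principals are constructed for the demo; it uses only the standard library's `sqlite3`. It shows why the two categories travel together: the same handler that lets one user read another's invoice is usually the one that also lets them dump the table.

```python
"""Added example for A01:2021 and A03:2021: an insecure invoice lookup beside
its hardened form. The schema, rows and principals are constructed for the demo."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: int
    roles: frozenset


class Forbidden(Exception):
    """Raised for any lookup the caller is not entitled to."""


def setup_db():
    """Constructed in-memory table: two invoices for user 100, one for user 200."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, "
        "amount INTEGER, notes TEXT)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [(1, 100, 250, "alice q1"), (2, 100, 80, "alice q2"),
         (3, 200, 9000, "bob confidential")],
    )
    return conn


def get_invoice_insecure(conn, invoice_id):
    """Vulnerable on purpose: the id is interpolated into the SQL string (A03)
    and nothing ties the row to the caller (A01). Any user can read any
    invoice, and an id of '1 OR 1=1' returns the whole table."""
    sql = f"SELECT id, owner_id, amount, notes FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


def get_invoice(conn, principal, invoice_id):
    """Hardened: strict type check, bound parameter, and the ownership
    predicate lives in the query itself so it cannot be forgotten later."""
    try:
        iid = int(invoice_id)
    except (TypeError, ValueError):
        raise Forbidden("invalid invoice id")
    if "admin" in principal.roles:
        row = conn.execute(
            "SELECT id, owner_id, amount, notes FROM invoices WHERE id = ?", (iid,)
        ).fetchone()
    else:
        row = conn.execute(
            "SELECT id, owner_id, amount, notes FROM invoices "
            "WHERE id = ? AND owner_id = ?",
            (iid, principal.user_id),
        ).fetchone()
    if row is None:
        # Same response whether the row is missing or belongs to someone else,
        # so the endpoint cannot be used to enumerate valid ids.
        raise Forbidden("invoice not found")
    return row


ALICE = Principal(100, frozenset())
ADMIN = Principal(1, frozenset({"admin"}))

if __name__ == "__main__":
    db = setup_db()
    print(get_invoice_insecure(db, "1 OR 1=1"))  # three rows, including bob's
    print(get_invoice(db, ALICE, "1"))           # alice's own invoice
    try:
        get_invoice(db, ALICE, "3")
    except Forbidden as e:
        print("alice -> 3:", e)
```

The design choice worth copying is that the non-admin query filters on `owner_id` in the database rather than fetching the row and comparing afterwards: there is no code path that returns someone else's data and then forgets to check.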
This is not a bulletproof strategy, however, since gaps in developer knowledge or a failure to test flows with unusual inputs can still let an injection through. My recommendation here is to add some form of [runtime host protection](https://www.paloaltonetworks.com/blog/prisma-cloud/runtime-protection-prisma-cloud/?ts=markdown) that catches and blocks anomalous inputs before they are processed.

### **A07:2021 -- Identification and Authentication Failures**

This slid from the second to the seventh position, and it represents risks related to improperly identifying and authenticating users, such as weak credential handling and broken session management. You can interpret this as relatively good news, since authentication is hard to get right. The industry is moving toward modern authentication solutions: delegating to an identity provider such as Okta or Auth0, [passwordless authentication](https://blog.saaspass.com/how-to-add-passwordless-login-to-palo-alto-networks-e5c85dce493a?gi=5f6911f1c585), or multi-factor authentication (with the caveat that [SMS as a second factor is vulnerable to SIM swapping and social engineering](https://www.cnet.com/tech/services-and-software/do-you-use-sms-for-two-factor-authentication-heres-why-you-shouldnt/)).

### **A06:2021 -- Vulnerable and Outdated Components**

This category has moved up three places since the last time the list was updated (from ninth in 2017 to sixth), and it represents risks from components that are outdated or have known vulnerabilities. Most of the time, these are third-party dependencies that an application needs at build time or as part of its runtime distribution. On large projects you'll find that dependencies are updated frequently, and you have to upgrade them in your applications. If you use open-source projects, check the lock files (package-lock.json, Gemfile.lock, and so on) to see which transitive dependencies your project actually pulls in.
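An added example that serves both the A06 section above (what a lock file tells you about transitive dependencies) and the A08 section earlier (verifying integrity and origin of what you download). It is not code from the original post or from npm; it reads a package-lock.json in the `lockfileVersion` 2/3 layout, lists direct and transitive packages, and checks each fetched artifact against the lock file's Subresource Integrity value and against an assumed allowlist of registries. The lock file, the tarball bytes, and the registry allowlist are all constructed for the demo, and the integrity strings are generated from those constructed bytes, so the whole thing runs offline with only the standard library.

```python
"""Added example for A06:2021 and A08:2021: inventory and integrity audit of
an npm package-lock.json. Lock file, artifacts and allowlist are constructed."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Assumed registry allowlist (a public registry plus a private mirror).
ALLOWED_REGISTRIES = frozenset({"registry.npmjs.org", "npm.internal.example"})


def make_sri(data, algo="sha512"):
    """SRI string in the form npm writes: '<algo>-<base64 digest>'."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def verify_sri(sri, data):
    """True if any hash in a (space-separated) SRI value matches `data`.
    Weak algorithms such as md5/sha1 are never accepted."""
    for token in sri.split():
        algo, _, b64 = token.partition("-")
        if algo not in ("sha256", "sha384", "sha512"):
            continue
        try:
            expected = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        if hmac.compare_digest(expected, hashlib.new(algo, data).digest()):
            return True
    return False


# Constructed artifacts. BAR_TAMPERED simulates a tarball replaced upstream
# after the lock file was generated.
FOO_TGZ = b"constructed tarball bytes for foo@1.4.0"
BAR_TGZ = b"constructed tarball bytes for bar@2.0.1"
BAR_TAMPERED = BAR_TGZ + b"\n# injected postinstall payload"
BAZ_TGZ = b"constructed tarball bytes for baz@0.3.0"

# Constructed lock file text, as it would be read from disk.
LOCKFILE_TEXT = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"foo": "^1.4.0", "baz": "0.3.0"}},
        "node_modules/foo": {
            "version": "1.4.0",
            "resolved": "https://registry.npmjs.org/foo/-/foo-1.4.0.tgz",
            "integrity": make_sri(FOO_TGZ), "dependencies": {"bar": "^2.0.0"}},
        # nested path: a transitive dependency pulled in by foo
        "node_modules/foo/node_modules/bar": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/bar/-/bar-2.0.1.tgz",
            "integrity": make_sri(BAR_TGZ)},
        # direct dependency with no integrity value, served from an unknown host
        "node_modules/baz": {
            "version": "0.3.0",
            "resolved": "http://cdn.untrusted.example/baz-0.3.0.tgz"},
    },
})

# What the build actually downloaded, keyed by lock file path.
FETCHED = {
    "node_modules/foo": FOO_TGZ,
    "node_modules/foo/node_modules/bar": BAR_TAMPERED,
    "node_modules/baz": BAZ_TGZ,
}


def load_lock(text):
    return json.loads(text)


def package_name(path):
    """'node_modules/foo/node_modules/@scope/bar' -> '@scope/bar'."""
    return path.rsplit("node_modules/", 1)[1]


def list_dependencies(lock):
    """(name, version, is_direct) for every installed package (A06 inventory)."""
    declared = set(lock["packages"][""].get("dependencies", {}))
    out = []
    for path, entry in lock["packages"].items():
        if path == "":
            continue
        name = package_name(path)
        direct = path.count("node_modules/") == 1 and name in declared
        out.append((name, entry["version"], direct))
    return out


def audit(lock, fetched, allowed=ALLOWED_REGISTRIES):
    """(name, finding) for each package failing an origin or integrity check (A08)."""
    findings = []
    for path, entry in lock["packages"].items():
        if path == "":
            continue
        name = package_name(path)
        host = urlsplit(entry.get("resolved", "")).hostname
        if host not in allowed:
            findings.append((name, f"resolved from untrusted host {host}"))
        sri = entry.get("integrity")
        if not sri:
            findings.append((name, "no integrity field"))
            continue
        data = fetched.get(path)
        if data is None:
            findings.append((name, "artifact not fetched"))
        elif not verify_sri(sri, data):
            findings.append((name, "integrity mismatch"))
    return findings
```

Run on the constructed input, `audit` is clean for foo, reports an integrity mismatch for the transitive bar package, and reports baz twice (untrusted host and no integrity field). A real pipeline would fail the build on any finding; npm itself checks `integrity` on install, so the added value here is the origin check and making the failure visible in CI rather than on a developer's laptop.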
Automated dependency bots like [Dependabot](https://dependabot.com/) can help by opening pull requests for outdated or vulnerable dependencies and summarizing the risk of each update. However, you should still periodically review the code to remove unused dependencies, and be aware of the security implications of running outdated or deprecated components.

## **How to Get OWASP Top 10:2021 Protection**

Understanding the risks outlined in the OWASP Top 10 is an excellent starting point, but you still need to put that information into practice to protect your applications. Developing secure applications is a complex task that requires you to bake effective design and security protections into your product from the very beginning of the development cycle. [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) gives you out-of-the-box API and workload protection, complete with customizable support for the OWASP Top 10. It also provides additional security controls like vulnerability management, compliance, and runtime defense, which together give you a defense-in-depth platform that lets you expose your applications to the internet with confidence.