Moving on from the OWASP Top 10

submitted by
Style Pass
2024-12-23 19:30:08

Let’s look at the history of the OWASP Top 10. It set the standard (more on this in a bit) for web security in the early 2000s. It normalized how we talked about vulns and raised awareness about how web apps were being compromised.

And 20 years later it’s mostly the same. As a means to an end – a world of more secure apps – that doesn’t feel like success.

If you love the list, carry on and use it to educate other appsec folks. As an awareness tool for appsec, it’s useful. But that’s also its limitation. In practice, its audience is essentially appsec.

The list originated in 2003 as the web’s parallel to the SANS Top 10 for Windows and Unix vulns, which collected the most popular ways those operating systems were compromised. It positioned itself as a means to raise awareness about impactful vulns. It even noted that many of the vulns

…have been well understood for decades. Yet for some reason, major software development projects are still making these mistakes…
