# owasp/top10

5,273 stars · 1,026 forks · HTML · other

## Links

- GitHub: https://github.com/OWASP/Top10
- awesome-repositories: https://awesome-repositories.com/repository/owasp-top10.md

## Description

This project is a web application security standard and vulnerability framework. It provides a comprehensive list of the most critical security risks facing web applications, paired with technical guidance and a structured methodology for identifying and mitigating these flaws.

The framework functions as a secure coding guide and a risk assessment methodology, offering a standardized approach to prioritizing vulnerabilities based on their potential impact and likelihood of exploitation. It defines architectural patterns and technical recommendations to help developers implement defense in depth across the entire software lifecycle.

The project covers a broad surface of security capabilities, including identity and access management, API security hardening, and software supply chain security. It also provides guidance on secure software development, security compliance auditing, and the integration of threat modeling and code reviews into the development process.

## Tags

### Scientific & Mathematical Computing

- [Security Risk Assessments](https://awesome-repositories.com/f/scientific-mathematical-computing/risk-assessment-metrics/risk-assessment/risk-management-frameworks/security-risk-assessments.md) — Provides a standardized framework for identifying and prioritizing critical security risks based on impact and likelihood. ([source](https://cdn.jsdelivr.net/gh/owasp/top10@master/README.md))

### Security & Cryptography

- [Security Best Practices](https://awesome-repositories.com/f/security-cryptography/security-best-practices.md) — Serves as a comprehensive set of guidelines and patterns for building secure software and mitigating common risks. ([source](https://owasp.org/Top10/2025/0x01_2025-About_OWASP/))
- [Web Application Security](https://awesome-repositories.com/f/security-cryptography/web-application-security.md) — Provides a comprehensive framework for identifying and mitigating the most critical security risks in web applications.
- [API Access Security](https://awesome-repositories.com/f/security-cryptography/api-access-security.md) — Implements access controls, rate limiting, and input validation specifically to protect API endpoints from abuse.
- [API Security Hardening](https://awesome-repositories.com/f/security-cryptography/api-security-hardening.md) — Provides standards for restricting API methods using access controls and rate limits to block automated attacks. ([source](https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/))
- [Application Security Standards](https://awesome-repositories.com/f/security-cryptography/application-security-standards.md) — Establishes a comprehensive list of critical web security risks and technical guidance for their mitigation.
- [Security Requirement Frameworks](https://awesome-repositories.com/f/security-cryptography/application-security-standards/compliance-mapping-tools/security-requirement-frameworks.md) — Defines structured frameworks for collecting technical protection requirements for confidentiality and integrity. ([source](https://owasp.org/Top10/2025/0x03_2025-Establishing_a_Modern_Application_Security_Program/))
- [Identity and Access Management](https://awesome-repositories.com/f/security-cryptography/identity-and-access-management.md) — Defines secure authentication and authorization workflows including session management and multi-factor authentication.
- [Identity Authentication](https://awesome-repositories.com/f/security-cryptography/identity-authentication.md) — Provides guidance on implementing multi-factor authentication and breached-password checks to secure user identities. ([source](https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/))
- [Injection Prevention](https://awesome-repositories.com/f/security-cryptography/injection-prevention.md) — Provides technical patterns for blocking malicious commands using parameterized interfaces and context-aware escaping. ([source](https://owasp.org/Top10/2025/A05_2025-Injection/))
- [Input Validation Strategies](https://awesome-repositories.com/f/security-cryptography/input-validation-strategies.md) — Defines parameterized interfaces and escaping mechanisms to block malicious data from executing as system commands.
- [Policy-Based Access Control](https://awesome-repositories.com/f/security-cryptography/policy-based-access-control.md) — Implements server-side permission checks and authorization policies to prevent unauthorized data disclosure. ([source](https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/))
- [Security and Access Control](https://awesome-repositories.com/f/security-cryptography/security-and-access-control.md) — Establishes a standardized framework for implementing trusted application and API security controls. ([source](https://owasp.org/Top10/2025/0x01_2025-About_OWASP/))
- [Software Supply Chain Security](https://awesome-repositories.com/f/security-cryptography/software-supply-chain-security.md) — Provides guidance on monitoring software supply chain vulnerabilities through bulletins and dependency databases. ([source](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/))
- [Threat Modeling](https://awesome-repositories.com/f/security-cryptography/threat-modeling.md) — Provides a structured methodology for evaluating attack vectors and data flows to identify architectural vulnerabilities. ([source](https://owasp.org/Top10/2025/A06_2025-Insecure_Design/))
- [Security Testing](https://awesome-repositories.com/f/security-cryptography/vulnerability-assessment-testing/security-testing-auditing/security-testing.md) — Establishes assessment frameworks and test cases for verifying the security posture of applications through continuous testing. ([source](https://owasp.org/Top10/2025/0x03_2025-Establishing_a_Modern_Application_Security_Program/))
- [Injection Vulnerabilities](https://awesome-repositories.com/f/security-cryptography/vulnerability-assessment-testing/security-testing-auditing/security-vulnerabilities/injection-vulnerabilities.md) — Provides a comprehensive guide for identifying and mitigating SQL, NoSQL, and command injection vulnerabilities. ([source](https://owasp.org/Top10/2025/A05_2025-Injection/))
- [Vulnerability Frameworks](https://awesome-repositories.com/f/security-cryptography/web-vulnerability-mitigations/vulnerability-frameworks.md) — Offers a comprehensive, categorized framework of security threats and defensive patterns to identify and remediate common software flaws.
- [Account Recovery](https://awesome-repositories.com/f/security-cryptography/account-recovery.md) — Recommends using consistent response messages during account recovery to mitigate user enumeration attacks. ([source](https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/))
- [Security Headers](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/web-security/security-headers.md) — Provides technical guidance on configuring HTTP security headers to enforce secure browser behavior. ([source](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/))
- [Application Data Security](https://awesome-repositories.com/f/security-cryptography/application-data-security.md) — Sets standards for encrypting network traffic using strong protocols and forward secrecy to prevent interception. ([source](https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/))
- [Audit Logging](https://awesome-repositories.com/f/security-cryptography/audit-logging.md) — Specifies the recording of auditable events and validation errors to enable forensic analysis. ([source](https://owasp.org/Top10/2025/A09_2025-Security_Logging_and_Alerting_Failures/))
- [Short-Lived Credential Authentications](https://awesome-repositories.com/f/security-cryptography/authentication-clients/credential-authentication/short-lived-credential-authentications.md) — Recommends replacing static secrets with short-lived credentials issued by trusted identity providers.
- [Configuration Hardening](https://awesome-repositories.com/f/security-cryptography/configuration-hardening.md) — Offers technical guidance on locking down environments by removing unnecessary features and applying secure defaults. ([source](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/))
- [Cryptographic Random Number Generators](https://awesome-repositories.com/f/security-cryptography/cryptographic-random-number-generators.md) — Directs developers to use cryptographically secure pseudo-random number generators for keys and nonces. ([source](https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/))
- [Denial of Service Prevention](https://awesome-repositories.com/f/security-cryptography/denial-of-service-prevention.md) — Provides strategies for rate limiting and resource quotas to prevent system exhaustion and denial of service. ([source](https://owasp.org/Top10/2025/A10_2025-Mishandling_of_Exceptional_Conditions/))
- [Dependency Vulnerability Scanners](https://awesome-repositories.com/f/security-cryptography/dependency-vulnerability-scanners.md) — Provides guidance on using software bills of materials to detect known vulnerabilities in third-party dependencies.
- [Developer Security](https://awesome-repositories.com/f/security-cryptography/developer-security.md) — Recommends the integration of static analysis and secret scanning tools into the developer workflow. ([source](https://owasp.org/Top10/2025/0x03_2025-Establishing_a_Modern_Application_Security_Program/))
- [Error Handling Security](https://awesome-repositories.com/f/security-cryptography/error-handling-security.md) — Provides guidance on filtering system error messages to prevent the leakage of sensitive technical details. ([source](https://owasp.org/Top10/2025/A10_2025-Mishandling_of_Exceptional_Conditions/))
- [Audit and Compliance](https://awesome-repositories.com/f/security-cryptography/governance-policy-frameworks/compliance-governance/audit-and-compliance.md) — Defines processes to measure application security performance against industry standards to prioritize mitigation.
- [Insecure Direct Object Reference Prevention](https://awesome-repositories.com/f/security-cryptography/insecure-direct-object-reference-prevention.md) — Provides methods to verify user ownership of records to prevent insecure direct object references. ([source](https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/))
- [Issuer and Audience Validators](https://awesome-repositories.com/f/security-cryptography/jwt-claim-validation/issuer-and-audience-validators.md) — Provides guidance on verifying token audience and issuer claims to ensure credentials serve their intended purpose. ([source](https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/))
- [Network Zone Segregation](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security/web-network-security/network-security/network-zone-segregation.md) — Recommends isolating network layers and tenant data to limit the blast radius of potential security compromises. ([source](https://owasp.org/Top10/2025/A06_2025-Insecure_Design/))
- [Transit and At-Rest Encryption](https://awesome-repositories.com/f/security-cryptography/privacy-data-protection/data-encryption/end-to-end-encryption/transit-and-at-rest-encryption.md) — Details technical requirements for encrypting stored information and managing keys to protect data at rest. ([source](https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/))
- [Release Signature Verifiers](https://awesome-repositories.com/f/security-cryptography/release-signature-verifiers.md) — Provides guidance on using digital signatures to verify that software releases and serialized data originate from trusted sources. ([source](https://owasp.org/Top10/2025/A08_2025-Software_or_Data_Integrity_Failures/))
- [Security Baselines](https://awesome-repositories.com/f/security-cryptography/security-configurations/security-baselines.md) — Defines minimum essential security configurations and controls to ensure consistency across development teams. ([source](https://owasp.org/Top10/2025/0x03_2025-Establishing_a_Modern_Application_Security_Program/))
- [Security Performance Metrics](https://awesome-repositories.com/f/security-cryptography/security-performance-metrics.md) — Offers a methodology for tracking vulnerability density and practice adherence to guide security improvements. ([source](https://owasp.org/Top10/2025/0x03_2025-Establishing_a_Modern_Application_Security_Program/))
- [Secure Storage Patterns](https://awesome-repositories.com/f/security-cryptography/security/cryptography-and-secrets/cryptographic-primitives-management/password-hashing-utilities/password-hash-generators/secure-storage-patterns.md) — Specifies the use of salted functions with a work factor to protect passwords against cracking attacks. ([source](https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/))
- [Secrets and Credential Management](https://awesome-repositories.com/f/security-cryptography/security/cryptography-and-secrets/secrets-credential-management.md) — Provides strategies for the secure storage, retrieval, and rotation of sensitive credentials and tokens. ([source](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/))
- [Web Server Hardening](https://awesome-repositories.com/f/security-cryptography/security/infrastructure-and-hardware/infrastructure-system-hardening/web-server-hardening.md) — Defines configuration rules to disable directory listing and remove metadata from web servers. ([source](https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/))
- [Data Sensitivity Classifications](https://awesome-repositories.com/f/security-cryptography/sensitive-data-access-controls/data-sensitivity-classifications.md) — Provides a methodology for labeling sensitive data based on privacy laws to apply correct security policies. ([source](https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/))
- [Session Management Standards](https://awesome-repositories.com/f/security-cryptography/session-management-standards.md) — Defines requirements for random session identifiers and timeout enforcement to prevent unauthorized account access. ([source](https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/))
- [Session Token Issuance](https://awesome-repositories.com/f/security-cryptography/token-based-authentication/session-token-issuance.md) — Defines standards for managing the issuance and lifecycle of access and refresh tokens. ([source](https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/))
- [User Access Monitoring](https://awesome-repositories.com/f/security-cryptography/user-access-management/user-access-monitoring.md) — Includes guidance on logging unsuccessful access attempts and auditing user interactions to detect potential breaches. ([source](https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/))

### DevOps & Infrastructure

- [Supply Chain Security](https://awesome-repositories.com/f/devops-infrastructure/supply-chain-security.md) — Defines practices for auditing repository modifications and build settings to maintain software supply chain integrity. ([source](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/))
- [Deployment Access Controls](https://awesome-repositories.com/f/devops-infrastructure/deployment-access-controls.md) — Provides guidelines for applying segregation and access controls to the deployment process to prevent unauthorized modifications. ([source](https://owasp.org/Top10/2025/A08_2025-Software_or_Data_Integrity_Failures/))
- [Pipeline Security](https://awesome-repositories.com/f/devops-infrastructure/pipeline-security.md) — Provides a framework for hardening infrastructure and enforcing separation of duties within the build pipeline. ([source](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/))
- [Artifact Integrity Validation](https://awesome-repositories.com/f/devops-infrastructure/software-packaging/artifact-uploaders/artifact-integrity-validation.md) — Recommends using digital signing and provenance tracking to ensure the authenticity of software packages. ([source](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/))

### Education & Learning Resources

- [Secure Coding Guides](https://awesome-repositories.com/f/education-learning-resources/secure-coding-guides.md) — Offers technical recommendations and architectural patterns for developers to implement defense in depth.
- [Security Education](https://awesome-repositories.com/f/education-learning-resources/security-education.md) — Recommends establishing security champion programs and training materials to improve developer security culture. ([source](https://owasp.org/Top10/2025/0x03_2025-Establishing_a_Modern_Application_Security_Program/))

### Software Engineering & Architecture

- [Vulnerability Prioritization](https://awesome-repositories.com/f/software-engineering-architecture/project-planning/risk-mitigation/vulnerability-prioritization.md) — Provides a standardized methodology for ranking security flaws based on impact and frequency to prioritize mitigation.
- [Secure Design Principles](https://awesome-repositories.com/f/software-engineering-architecture/secure-design-principles.md) — Provides architectural patterns and countermeasures to integrate security directly into the design phase. ([source](https://owasp.org/Top10/2025/0x03_2025-Establishing_a_Modern_Application_Security_Program/))
- [Secure Development Lifecycles](https://awesome-repositories.com/f/software-engineering-architecture/secure-development-lifecycles.md) — Provides a methodology for embedding threat modeling and penetration testing into every stage of the software development lifecycle.
- [Software Bill of Materials Generators](https://awesome-repositories.com/f/software-engineering-architecture/software-bill-of-materials-generators.md) — Provides a framework for using Software Bills of Materials to inventory and identify vulnerable libraries. ([source](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/))
- [Security Control Mappings](https://awesome-repositories.com/f/software-engineering-architecture/architectural-pattern-mappings/security-control-mappings.md) — Links abstract security objectives to concrete technical controls for consistent implementation across environments.
- [Exception Handling Pipelines](https://awesome-repositories.com/f/software-engineering-architecture/exception-handling-pipelines.md) — Implements centralized pipelines to intercept and sanitize exception data, preventing sensitive technical leaks.
- [Global Exception Handlers](https://awesome-repositories.com/f/software-engineering-architecture/global-exception-handlers.md) — Recommends using global exception handlers to manage unpredictable software states and prevent security vulnerabilities. ([source](https://owasp.org/Top10/2025/A10_2025-Mishandling_of_Exceptional_Conditions/))
- [Resilience Patterns](https://awesome-repositories.com/f/software-engineering-architecture/resilience-patterns.md) — Recommends architectural resilience patterns and resource limits to prevent system crashes during adverse events. ([source](https://owasp.org/Top10/2025/X01_2025-Next_Steps/))

### Part of an Awesome List

- [Incident Response And Playbooks](https://awesome-repositories.com/f/awesome-lists/security/incident-response-and-playbooks.md) — Provides methodologies and playbooks for managing and coordinating responses to security incidents and breaches. ([source](https://owasp.org/Top10/2025/A09_2025-Security_Logging_and_Alerting_Failures/))
- [Layered Defense Strategies](https://awesome-repositories.com/f/awesome-lists/security/kernel-hardening/layered-defense-strategies.md) — Defines architectural patterns for multi-stage validation and system isolation to limit the impact of security failures.
- [Security Operations and Management](https://awesome-repositories.com/f/awesome-lists/security/security-operations-and-management.md) — Offers guidance on security operations, including patch management and regular configuration hardening. ([source](https://owasp.org/Top10/2025/0x03_2025-Establishing_a_Modern_Application_Security_Program/))

### Data & Databases

- [Permissions Management](https://awesome-repositories.com/f/data-databases/cloud-data-access/permissions-management.md) — Offers guidance on restricting access to cloud storage and services to prevent sensitive data exposure. ([source](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/))

### Development Tools & Productivity

- [Memory Safety Protections](https://awesome-repositories.com/f/development-tools-productivity/memory-buffering-utilities/memory-safety-protections.md) — Recommends the use of memory-safe languages and bounds checking to prevent buffer overflows and unauthorized access. ([source](https://owasp.org/Top10/2025/X01_2025-Next_Steps/))

### System Administration & Monitoring

- [Security Alert Monitors](https://awesome-repositories.com/f/system-administration-monitoring/alert-aggregators/security-alert-monitors.md) — Provides guidance on establishing security alert monitors to detect suspicious behavior and honeytoken access. ([source](https://owasp.org/Top10/2025/A09_2025-Security_Logging_and_Alerting_Failures/))
- [Log Stream Protections](https://awesome-repositories.com/f/system-administration-monitoring/log-stream-protections.md) — Provides strategies for securing log data against tampering through encoding and append-only storage controls. ([source](https://owasp.org/Top10/2025/A09_2025-Security_Logging_and_Alerting_Failures/))

### Testing & Quality Assurance

- [Threat-Based Design Validations](https://awesome-repositories.com/f/testing-quality-assurance/assumption-validations/threat-based-design-validations.md) — Guides the use of plausibility checks and misuse-case testing to verify that critical application flows resist threats. ([source](https://owasp.org/Top10/2025/A06_2025-Insecure_Design/))
