The OWASP Top 10 in 2024: What Actually Changed

The OWASP Top 10 got its latest refresh, and the security community is doing the usual thing: arguing about the rankings. Instead of debating methodology, here is a concrete look at what changed, why it matters, and how to adjust your testing.

Broken Access Control stays at number one

No surprise here. Broken access control has dominated real-world findings for years. IDOR vulnerabilities, missing function-level authorization checks, and JWT implementation flaws continue to appear in nearly every application we scan. The data from OWASP's contributor pool confirms what pen testers already know: developers still get authz wrong more than anything else.

If you are running SecTests, your scans already cover BOLA and BFLA checks (broken object-level and function-level authorization). But review your scan configuration and ensure authenticated scanning is enabled: an unauthenticated scan never reaches the authorized-user code paths where access control decisions are made, so it misses the majority of access control issues by definition.

Injection dropped but did not disappear

Injection fell a few spots, which makes sense given the widespread adoption of parameterized queries and ORMs. But do not take this as permission to stop testing for it. We still find SQL injection in legacy code paths, stored procedures, and dynamic query builders multiple times per week. NoSQL injection and LDAP injection are growing as attack vectors.

The bigger shift is toward server-side request forgery (SSRF), which has its own category now. Cloud metadata endpoints (169.254.169.254) remain a high-value target, and many applications that proxy external resources still do not validate where the request actually goes: they check the URL string, if anything, rather than the address the hostname resolves to.
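As an added example (not code from the original post or from SecTests), here is the kind of destination check a proxying endpoint should apply before fetching a user-supplied URL: it resolves the host, rejects anything that is not a public unicast address (the metadata address above, loopback, private ranges, IPv4-mapped IPv6 forms, and names that resolve to a mix of public and internal addresses), and returns the resolved IP so the proxy connects to exactly what was checked. The `make_table_resolver` helper and the `.test` hostnames are constructed for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def default_resolver(host):
    """Every A/AAAA address the name currently maps to, as normalised strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def make_table_resolver(table):
    """Constructed resolver for offline tests: fixed name -> addresses, no DNS."""
    def resolve(host):
        if host not in table:
            raise socket.gaierror(f"constructed lookup failed for {host!r}")
        return table[host]
    return resolve

def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_destination(url, resolver=default_resolver):
    """Return (allowed, detail). When allowed, detail is the IP the proxy
    should connect to, so a second DNS lookup cannot swap in another target."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)  # hostname: resolve, then judge the result
        except socket.gaierror as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return False, f"no addresses for {host!r}"
    # Every address must be public; a mixed public/internal answer is rejected.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, addrs[0]
```

The caller must then open the connection to the returned IP (sending the original hostname in the Host header or SNI), and re-run the check on every redirect, or the pinning is lost.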

Security misconfiguration keeps climbing

This is the category where automated scanning provides the most value. Missing security headers, default credentials, verbose error messages, unnecessary HTTP methods, and permissive CORS policies are all things that a scanner catches faster and more reliably than a manual tester.

Our data shows that the most commonly missed header is Content-Security-Policy. Over 60% of the applications we scan have no CSP at all, and another 20% have a CSP so permissive it provides minimal protection.

Cryptographic failures remain underestimated

Weak TLS configurations, hardcoded secrets in client-side JavaScript, use of deprecated hash algorithms, and insufficient key lengths are the typical findings here. They often get classified as low severity, but they are prerequisites for more serious attacks. A weak TLS configuration enables session hijacking. A leaked API key enables full account takeover.

Check your scan results for TLS version support, certificate chain validation, and cipher suite strength. If you are still supporting TLS 1.0 or 1.1 in 2024, you have a problem that extends well beyond compliance.

Software supply chain and component risks

Vulnerable and outdated components continue to climb the list. The Log4Shell aftermath proved that most organizations lack visibility into their transitive dependency trees. SCA tools have improved, but many teams still do not scan runtime containers or production-deployed artifacts.

SecTests now integrates SCA data into scan results when you connect your source repositories. This gives you a single view of both application-level vulnerabilities and dependency risks.

What to do about it

The OWASP Top 10 is a prioritization framework, not a complete testing checklist. Use it to guide where you focus, but do not stop there. The vulnerabilities that actually compromise organizations are often the ones that fall between OWASP categories: business logic flaws, race conditions, and chained low-severity findings that combine into critical impact.

  • Enable authenticated scanning for every target
  • Add your API specs to catch BOLA and mass assignment
  • Review your CSP headers — not just whether they exist, but whether they actually restrict anything
  • Connect your repositories for supply chain visibility
  • Run scans on staging before code reaches production

The OWASP list changes. The fundamentals of good security testing do not.