What are OWASP Secure Coding Practices? Top 10 Web App Security Vulnerabilities 2021 vs 2025

OWASP Secure Coding Practices

OWASP (Open Web Application Security Project) is a non-profit organisation that has existed since 2001. Its mission is to educate and guide webmasters and security professionals on how to create, buy, and maintain secure, trusted software applications.

In simple terms, OWASP is a group of application security companies and experts that work collectively to develop a list of the most serious security threats to web applications.

What are the Benefits of OWASP?

OWASP helps your organisation stay competitive by guiding how it plans, develops, maintains, and operates web applications that can be trusted.

Apart from this, it also helps to mitigate risk, supports threat modelling and architectural threat analysis, protects end users’ data (by providing methods for handling private data), and gives developers more confidence in their code.

What are OWASP Secure Coding Practices?

OWASP Secure Coding Practices are a set of guidelines and best practices to help developers build applications that are less prone to common security vulnerabilities.

One of the best-known publications is the OWASP Secure Coding Practices Quick Reference Guide, which gives developers actionable steps and guidance throughout the software development life cycle.

They are security-focused coding standards and recommendations designed to:

  • Enhance the other OWASP resources (e.g., The OWASP Top 10)
  • Help to reduce exposure to the most common types of web application vulnerabilities
  • Encourage a “Security by Design” mindset.
  • Provide a standardised method of secure development across teams and organisations

Top 13 OWASP Secure Coding Practices

Input Validation:

Always validate user input to prevent attacks (e.g., Cross-Site Scripting, SQL Injection, Buffer Overflow) by blocking malicious or invalid data before your application processes it.

There are many methods to perform Input Validation, some of which include:

  • Ensure that only ASCII characters are used in HTTP request and response headers.
  • Validate all data from the client (including HTTP headers, URLs, and any embedded code) before processing.

Output Encoding:

The user input needs to be “encoded” (that is, translated) into something that will not cause the browser to interpret it as code so that it cannot be executed. Output Encoding can help to prevent Cross-Site Scripting attacks.

Some of the suggestions made by OWASP include:

  • Sanitise all untrusted data before passing it to Operating System (OS) commands.
  • Encode all characters except those known to be safe for the target interpreter.
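As an added example (not code from the article or from OWASP), the Python below shows the two boundaries just described: an allowlist check on a username, a printable-ASCII check on an HTTP header value, and HTML encoding of untrusted data at output time. The field names and the username pattern are assumptions.

```python
import html
import re

# Allowlist for a username field (assumed format): 3-32 chars from [A-Za-z0-9_].
# Listing what is allowed is simpler and safer than enumerating what is dangerous.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """Input validation: accept only values that match the allowlist exactly."""
    return USERNAME_RE.fullmatch(value) is not None


def is_valid_header_value(value: str) -> bool:
    """Only printable ASCII may go into an HTTP header value (no non-ASCII, no control characters)."""
    return value.isascii() and value.isprintable()


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text or attribute context.

    html.escape(quote=True) rewrites & < > " and ' so the browser can only ever
    treat the value as text, never as markup or script.
    """
    return html.escape(value, quote=True)


def render_greeting(display_name: str) -> str:
    """Validate at the input boundary, encode at the output boundary.

    Encoding is applied even to data that was validated earlier or read from the
    database, because the output context decides what is dangerous.
    """
    return f"<p>Welcome, {encode_for_html(display_name)}!</p>"
```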

Authentication & Password Management:

To verify user identity, implement authentication securely, using encryption and salting for password storage and management.

This higher level of security protects users from unauthorised access to confidential data and from identity theft, for example by not allowing a user to be logged in from more than one device at a time.

OWASP has outlined the following techniques:

  • Require authentication for any page or resource whose confidentiality, integrity, or availability (the CIA triad) matters.
  • Prevent the reuse of login credentials and notify users when their password has been reset.

Session Management:

Because a web application handles a large number of requests from many different devices, it must track each user’s session securely using session management techniques.

Here are a few examples of how to use session management techniques to meet this need, as suggested by OWASP:

  • All active sessions and connections should automatically terminate when a user logs off. No one user should be allowed to be logged into multiple devices at the same time.
  • Set an inactivity timeout period for users’ sessions based on established business and risk goals.
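An added example (not from the article or OWASP) of the two rules above: a session store that allows only one active session per user, expires sessions after an inactivity timeout, and terminates them server-side on logout. The caller passes the clock in, so the timeout value (assumed) can be exercised deterministically.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # inactivity limit; an assumed, business/risk-driven value


@dataclass
class Session:
    user: str
    last_seen: float


class SessionManager:
    """In-memory session store. The caller passes the current time so behaviour is deterministic."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        # One active session per user: a new login invalidates any earlier session for that user.
        for sid, sess in list(self._sessions.items()):
            if sess.user == user:
                del self._sessions[sid]
        sid = secrets.token_urlsafe(32)   # 256-bit identifier from the OS CSPRNG, not guessable
        self._sessions[sid] = Session(user=user, last_seen=now)
        return sid

    def user_for(self, sid: str, now: float) -> Optional[str]:
        """Return the user if the session is valid; an idle session is expired and removed."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess.last_seen > self.idle_timeout:
            del self._sessions[sid]
            return None
        sess.last_seen = now              # activity extends the session
        return sess.user

    def logout(self, sid: str) -> None:
        """Logging out terminates the session on the server, not just in the browser."""
        self._sessions.pop(sid, None)

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)
```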

Access Control:

To decrease the chance that unauthorised individuals will gain access to sensitive data or systems, it is critical to enforce adequate access control. Access control can be accomplished in a variety of ways, with several techniques outlined by OWASP below:

  • Terminate inactive accounts.
  • Users should only have access to application data, secure URLs, web services, attributes, etc., if they have been authorised to do so.

Cryptographic Practices:

Cryptography keeps confidential data encrypted so that only a select group of people (“authorised users”) can access it. OWASP lists several examples of cryptographic practices:

Error Handling & Logging:

You must implement a method of handling unexpected errors in your application and use logging to track system activity and application or software changes. Examples include:

  • Use error handlers that do not display any debugging information in response to unexpected errors.
  • Logs should not contain session or system information.
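An added example (not code from the article or OWASP) of both points: a handler wrapper that logs the full traceback server-side under a correlation id while returning only a generic message to the client, and a logging filter that redacts session identifiers and bearer tokens before any record is written. The cookie and header formats it matches are assumptions.

```python
import logging
import re
import traceback
import uuid

logger = logging.getLogger("app")

# Values that must never appear in a log line: session cookies and bearer tokens (assumed formats).
_SENSITIVE = re.compile(r"(session(?:id)?=|Bearer\s+)[^\s;]+", re.IGNORECASE)


def redact(text: str) -> str:
    """Mask secrets in free text before it is written to a log."""
    return _SENSITIVE.sub(lambda m: m.group(1) + "[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Attached to the logger so every record is scrubbed, whichever code path emitted it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())   # format first, then scrub the final text
        record.args = ()
        return True


logger.addFilter(RedactingFilter())


def safe_handler(view):
    """Wrap a request handler: details go to the server log under a correlation id,
    the client only ever sees a generic message plus that id for support to look up."""

    def wrapper(request: dict) -> dict:
        try:
            return view(request)
        except Exception:
            incident = uuid.uuid4().hex
            logger.error("incident=%s request=%s\n%s", incident, request, traceback.format_exc())
            return {"status": 500, "body": {"error": "internal error", "incident": incident}}

    return wrapper


@safe_handler
def profile_view(request: dict) -> dict:
    """Constructed view that fails when the request lacks a "user" key, to exercise the wrapper."""
    return {"status": 200, "body": {"user": request["user"]}}
```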

Data Protection:

In order to maintain the integrity, availability, and confidentiality of your data, you must have processes in place to protect it from being altered, compromised, or lost. Examples include:

  • Protect server-side code from unauthorised access.
  • Disable auto-complete on forms that collect sensitive information.

Communication Security:

Protect sensitive information in transit using a TLS/SSL certificate issued by a trusted CA and properly configured encryption. Some approaches mentioned by OWASP are:

  • Failed TLS/SSL connections should not fall back to an unencrypted connection.
  • Specify the character encoding for all connections.
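An added example (not the article's or OWASP's code) of a client that honours the first point: the standard-library TLS context verifies the server certificate against the trusted CA store, checks the host name, refuses protocol versions below TLS 1.2, and on any failure raises rather than retrying over plaintext.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client-side TLS settings: verify the chain against trusted CAs, check the host name,
    and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Expose the settings that matter for review so a configuration check can assert on them."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def tls_handshake(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a verified TLS connection and return the negotiated protocol version.

    There is deliberately no fallback path: if the handshake or the certificate
    check fails, the exception propagates instead of the client retrying over
    an unencrypted socket.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()
```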

System Configuration:

Configuration management tools help keep computers, servers, and software secure by ensuring that they are properly configured. Some of OWASP’s configuration management recommendations include:

  • Keep components and systems up-to-date with security patches, as applicable.
  • The development and test environments must be separate from the production environment.

Database Security:

Database security reduces the risk of database-related attacks such as SQL injection and breaches of data integrity and confidentiality. Security controls that can be put in place include:

  • Implement strong password management policies for each database user.
  • Implement multifactor authentication for all database users wherever possible.

File Management:

Properly arrange how files are stored and retrieved so that they are safe and easy to manage. OWASP recommends several file management methods, including:

  • Create folders based on their file type.
  • Create subfolders within folders.
  • Check the headers (file signatures) of uploaded files to ensure they are of the expected type and do not contain malware.
  • Remove the execute permission from the directory where uploaded files are stored, preventing any possibility of an uploaded (malicious) file being executed.
  • Do not disclose the full path of where an item is being uploaded to the client.
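The upload rules above as an added example (not the article's or OWASP's code): the file type is decided from the file header rather than the client's file name, files are stored in a per-type subfolder under a random name with the execute bit cleared, and only an opaque id is returned. The allowlist of signatures and the sample files are constructed for the example; a signature check is not a malware scan.

```python
import os
import secrets
import stat
import tempfile

# Allowed upload types, keyed by extension: the leading bytes ("magic") of each format.
# Constructed allowlist for the example; extend it per application.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def detect_type(data: bytes):
    """Identify the file by its header, not by the name the client supplied."""
    for ext, magic in ALLOWED_TYPES.items():
        if data.startswith(magic):
            return ext
    return None


def is_accepted(data: bytes, claimed_ext: str) -> bool:
    """Pre-check without writing anything: header must match an allowed type and the claimed extension."""
    ext = detect_type(data)
    return ext is not None and ext == claimed_ext.lower().lstrip(".")


def store_upload(data: bytes, claimed_ext: str, upload_root: str) -> dict:
    """Validate the header, store under a random name in a per-type folder with the
    execute bit cleared, and return only an opaque id to the caller."""
    if not is_accepted(data, claimed_ext):
        raise ValueError("content does not match an allowed file type")
    ext = detect_type(data)
    folder = os.path.join(upload_root, ext)            # one subfolder per file type
    os.makedirs(folder, exist_ok=True)
    file_id = secrets.token_hex(16)                   # the client never influences the path
    path = os.path.join(folder, f"{file_id}.{ext}")
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)       # 0600: owner read/write, nobody executes
    return {"id": file_id, "type": ext}               # the server-side path stays private


def store_in_fresh_dir(data: bytes, claimed_ext: str) -> dict:
    """Store into a temporary upload root and report whether the stored file is executable."""
    root = tempfile.mkdtemp(prefix="uploads-")
    result = store_upload(data, claimed_ext, root)
    path = os.path.join(root, result["type"], f"{result['id']}.{result['type']}")
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    result["executable"] = bool(os.stat(path).st_mode & exec_bits)
    return result


# Constructed samples: a minimal PNG header plus padding, and a shell script named like an image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
SAMPLE_SCRIPT = b"#!/bin/sh\necho not an image\n"
```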

Memory Management:

To help reduce vulnerabilities involving memory exploitation (such as memory leaks and buffer overflows), which can permit unauthorised access to your code or program, employ the following strategies:

  • Avoid function calls such as print, strcat, strcat_s, etc., as they can expose your code to security vulnerabilities.
  • When using functions that handle string manipulation (for example, copy, concatenate, and concatenate with truncation), always truncate the input string to the destination buffer size before calling the function.


Why is OWASP Useful?

OWASP curates a list of the top ten (10) most hazardous web application security vulnerabilities and the most efficient approaches to mitigate them. In addition to this, it:

  • Enhances the security of applications against cyber attacks,
  • Reduces the occurrence of errors and system failures,
  • Improves encryption,
  • Increases the likelihood of application success and
  • Enhances the reputation of the software development company.

OWASP Top 10 Web App Security Vulnerabilities 2021

Broken Access Control (A01:2021)

Previously listed as number 5, broken access control has now moved up to the top spot on the list of web application security risks for 2021. Attackers use this vulnerability to acquire unauthorized access to user accounts by exploiting weaknesses (flaws) in the system’s access controls.

Resolution:

By using secure coding practices and preventive actions (locking administrative accounts, using multi-factor authentication, etc.), access control and credential management issues can be mitigated.

You can also use an interactive application security testing solution (Seeker®) to detect insecure storage of sensitive data or cross-site request forgery, pinpoint any flawed or missing logic being utilized to manage JSON Web Tokens, etc.

Cryptographic Failures (A02:2021)

The entry previously positioned at number 3 and referred to as Sensitive Data Exposure has moved to the second spot and been renamed Cryptographic Failures.

Cryptographic failures happen when vital data stored or transmitted is compromised and put at risk. It mainly occurs because of using weak cryptographic keys, outdated cryptographic algorithms, hardcoded passwords, etc. 

Resolution:

You can use the “Coverity SAST” and “Black Duck SCA” checkers to scan for inadequate encryption strength and identify risky or broken cryptographic algorithms. Adequately encrypt data at rest and in transmission to overcome this vulnerability.

Injection (A03:2021)

Injection vulnerability has moved from number one to number three. Cross-Site Scripting (XSS) is now considered a part of this category.

A code injection occurs when a malicious actor inserts malicious code into the input fields of a web application to make it behave in a way it was not designed to. Once inside, attackers can access sensitive information and execute unauthorised commands.

Resolution:

To remove injection vulnerabilities, use remediation techniques like writing parameterized SQL queries, stripping special characters from user input, etc. Including SAST and IAST tools in your continuous integration / continuous delivery (CI/CD) pipeline is recommended to identify injection flaws at static and dynamic code levels.

Utilize AST tools to check for various injection attacks, like LDAP injections, SQL injections, template injections, NoSQL injections, command injections, etc., during various test stages.

Insecure Design (A04:2021)

Insecure design is a new category in the 2021 OWASP Top Ten that focuses on risks related to design flaws & ineffective controls.

Resolution:

As enterprises continue to “shift left,” traditional methods like secure design patterns and principles, threat modeling, etc., may not be enough to address this risk.

In addition, it is advisable to leverage Seeker IAST to enhance the security posture, identify vulnerabilities, and reveal all inbound and outbound services, API, and function calls in sophisticated cloud, web, and microservices-based apps.

Security Misconfiguration (A05:2021)

Misconfigurations in security arise from errors or inadequacies in the configuration process, such as not modifying insecure default values, granting extensive permissions, or displaying overly revealing error messages.

The 2023 Veracode SOSS report revealed that over 70% of apps that introduced a new vulnerability in the last year contained misconfiguration errors. This vulnerability has now moved from sixth to fifth position, and the external entities category is now considered a part of this category.

Resolution:

To remove the Security Misconfiguration vulnerability, organizations should routinely check and adjust how their applications and infrastructure are set up and scan all infrastructure as code components to look for ways that sensitive information might be accidentally revealed.

The Seeker IAST tool is also recommended to detect inappropriate HTTP header configurations and information disclosure during application runtime testing.

Vulnerable and Outdated Components (A06:2021)

Vulnerable and Outdated Components has moved from ninth to sixth position. It covers risky components in software that are either already known to be unsafe (with published CVEs) or have the potential to become unsafe.

Resolution:

To remove the A06:2021 vulnerability, create a Software Bill of Materials for all software distributed or deployed. To generate standardized SBoMs, use Container scanning tools and Veracode SCA and get access to all the third-party component vulnerabilities present.

Identification and Authentication Failures (A07:2021)

The “Identification and Authentication Failures” vulnerability, previously known as a broken authentication vulnerability, is now ranked as the seventh most important security concern.

The presence of this vulnerability means that – “The way your application lets people log in or confirm their identity is not strong enough.” This usually happens when the login and session management functions are not set up correctly, which puts users’ identities at risk.

Resolution: 

To mitigate A07:2021, implement multifactor authentication. Apart from this, you can also utilize static and interactive application security testing solutions to identify and address broken authentication vulnerabilities, like hardcoded credentials, missing critical steps in authentication, etc.

Software and Data Integrity Failures (A08:2021)

This category covers the risks associated with the tools used to build, handle, or deploy software, which attackers can exploit: insecure deployments, malicious code or libraries injected into a CI/CD pipeline, theft of critical data, and so on.

In 2021 this new category also absorbed insecure deserialization, which can allow remote code execution on the system.

Resolution:

Application security testing techniques like protocol fuzzing, DAST, and penetration testing can help detect deserialization flaws. You can also use Seeker IAST to detect tampering with token access algorithms, unsafe deserialization, insecure redirects, etc.

Security Logging and Monitoring Failures (A09:2021)

Security Logging and Monitoring Failures, previously known as ‘Insufficient Logging and Monitoring’, has moved from tenth to ninth position in the list of top security risks. It covers insufficient monitoring and logging of a web application, which allows attacks to go undetected.

Resolution:

Generating log data is not enough: the organisation needs sufficient storage, ways to collect and respond to that data, and regular checks that these mechanisms are working. A tool like Veracode DAST can help by producing logs and alerts.

Server-Side Request Forgery (A10:2021)

Server-side request forgery (SSRF) is a new category in the OWASP Top Ten. SSRF happens when a web app fetches a remote resource without validating the user-supplied URL, allowing a malicious actor to make the app send a crafted request to an unexpected destination.

Resolution: 

Common methods like explicit allow lists, sanitising user input, and reviewing request responses before returning them to clients can be used to mitigate SSRF attacks. You can also use a modern AST tool such as Seeker to detect SSRF by monitoring and tracking it without extra triage.
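The explicit allow list mentioned above, as an added example (not the article's or OWASP's code): outbound URLs are parsed and refused unless the scheme, host, port and absence of user info all match what the service is expected to reach. The allowed host names are constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts this service is permitted to fetch from (constructed allowlist).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def validate_outbound_url(url: str) -> str:
    """Return the URL if it points at an allowed destination; raise ValueError otherwise.

    The list is positive: anything not explicitly permitted is refused, which is what
    stops a crafted URL from steering the server towards an unexpected destination.
    A name-based allowlist still trusts DNS for those hosts; resolving and re-checking
    the address at connect time is a further step not shown here.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are permitted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("user info in the URL is not permitted")
    host = parts.hostname                      # lower-cased, brackets stripped
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError("destination host is not in the allowlist")
    if parts.port not in (None, 443):          # .port raises ValueError for a malformed port
        raise ValueError("unexpected port")
    return url


def is_allowed(url: str) -> bool:
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False
```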

Top 10 OWASP Web App Security Vulnerabilities 2025

A01:2025 – Broken Access Control

Broken Access Control occurs when users can perform actions they were never intended to perform, such as accessing other users’ data, modifying resources they are not authorised for, or carrying out administrative actions without proper authorisation.

When implementing access controls it is important to have appropriate, mandatory security checks in place; failing to do so creates many opportunities for attackers to reach privileged parts of an application, such as exposed user data, or to perform an attack.

Attackers exploit these vulnerabilities to gain privileges, exfiltrate sensitive data, or damage critical system components. Preventing this risk therefore requires consistent authorisation checks for every action, roles built on the principle of least privilege, and thorough testing of all access paths.
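An added example (not code from the article or OWASP) serving the Access Control practice above and both A01 entries: a deny-by-default permission function that checks ownership of the specific object, honours least-privilege roles, gives terminated accounts nothing, and returns the same answer for "missing" and "not yours" so identifiers cannot be enumerated. Roles, documents and users are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = "user"
    SUPPORT = "support"
    ADMIN = "admin"


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: Role
    active: bool = True      # terminated accounts stay in the store but get nothing


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str


# Constructed sample data.
DOCUMENTS = {"d1": Document("d1", "alice"), "d2": Document("d2", "bob")}


def is_permitted(principal: Principal, action: str, doc: Document) -> bool:
    """Deny by default. Every allow is an explicit rule, and the rule looks at the
    object instance (ownership), not only at the role or the URL."""
    if not principal.active:
        return False
    if principal.role is Role.ADMIN:
        return action in ("read", "delete")
    if action == "read":
        return doc.owner_id == principal.user_id or principal.role is Role.SUPPORT
    if action == "delete":
        return doc.owner_id == principal.user_id
    return False


def handle(principal: Principal, action: str, doc_id: str) -> dict:
    """Single entry point every request passes through, so the check cannot be skipped."""
    doc = DOCUMENTS.get(doc_id)
    # Same answer for "does not exist" and "not yours": the id space is not enumerable.
    if doc is None or not is_permitted(principal, action, doc):
        return {"status": 404}
    return {"status": 200, "action": action, "doc_id": doc.doc_id}
```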

A02:2025 – Security Misconfiguration

Security Misconfiguration refers to systems, frameworks, or applications being deployed with insecure or unnecessary default settings, openly accessible cloud storage, verbose error messages, outdated software, and so on, without hardening, which makes them an easy target for attackers.

The problem is compounded when different configurations are used across development, testing, and production environments.

To reduce this risk, employ strong configuration management, consistent patch management, hardened baseline configurations, and consistent configurations across environments. Automated configuration scanning should also be performed to detect which items may be vulnerable.

A03:2025 – Software Supply Chain Failures

Software Supply Chain Failures typically occur because of security flaws that result from using third-party components (like libraries and dependency files), build tools, and installation scripts (e.g. update scripts).

Attackers can inject malware into software packages and install Trojans (or “backdoors”) in software that has been prepared with weak automation tools (i.e., Continuous Integration and Continuous Delivery [CI/CD]).


Because modern applications rely heavily on third-party components, a breach of one component can potentially compromise thousands of applications.

To protect systems from software supply chain breaches, organisations should only use trusted sources for components and verify the integrity of packages by using a Software Bill of Materials (SBOM); organisations should also perform continuous monitoring on their components for signs of vulnerability.

A04:2025 – Cryptographic Failures

Cryptographic Failures occur when critical information is leaked due to weak or outdated cryptography. These include the use of broken algorithms, hard-coded keys, lack of proper key storage, or even the absence of TLS and invalid certificate verification.


Such failures may result in data breaches, man-in-the-middle attacks, or non-compliance. Cryptographic best practices, such as the use of current algorithms, proper key management, HTTPS enforcement, and correct certificate handling, are therefore critical for securing data both in motion and at rest.

A05:2025 – Injection

An injection flaw occurs when untrusted data is submitted to a vulnerable interpreter (e.g., SQL, NoSQL, OS Commands, LDAP) without having been properly validated or cleaned.

Attackers exploit injection flaws by crafting specially formed commands or queries that allow access to sensitive information, deletion of records, modification of existing data, executing arbitrary code and bypassing authentication mechanisms.


Injection flaws remain prevalent because of dynamic query building (queries assembled from strings at run time) and insufficient input validation. Parameterised queries, input validation, escaping, and the use of safe APIs that do not build statements from direct user input prevent injection attacks.
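An added example (not code from the article or OWASP) serving both the A03:2021 and A05:2025 entries: a SQLite query assembled by string concatenation next to its parameterised form. The table and rows are constructed. A legitimate name containing an apostrophe breaks the concatenated version, and a value containing SQL syntax changes what it returns; the parameterised version treats any value as plain data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def find_email_unsafe(conn: sqlite3.Connection, name: str):
    """Query built by concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_email_safe(conn: sqlite3.Connection, name: str):
    """Parameterised query: the driver passes the value separately from the statement,
    so the value can never change what the statement does."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name: str):
    """Return (unsafe outcome, safe outcome); an exception is reported as 'error: <type>'."""
    conn = build_db()
    try:
        unsafe = find_email_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = f"error: {type(exc).__name__}"
    safe = find_email_safe(conn, name)
    conn.close()
    return unsafe, safe
```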

A06:2025 – Insecure Design

Insecure Design refers to the design-level flaws that exist within the underlying application architecture and business logic, which can lead to insecure systems, even when they are implemented correctly.

Insecure design may relate to the lack of threat modelling, the lack of security controls for high-risk workflow processes, and not anticipating that systems could be subject to abuse.

Unlike coding issues, insecure design is not something that can be fixed by applying security patches, as those fixes only resolve coding bug vulnerabilities.

The risks associated with insecure design must be addressed through secure-by-design principles, early threat modelling, inclusion of security requirements, and architectural review throughout the entire project application development lifecycle.

A07:2025 – Authentication Failures

When authentication systems do not properly validate user identity, they experience Authentication Failures. An attacker may therefore compromise an authenticated user account by exploiting weak password policies, credential stuffing techniques, brute-force attacks against passwords and/or insecure session management methods.

The most common cause for an authentication failure is the absence of multi-factor authentication (MFA), poor storage of passwords, easy-to-guess session IDs, and/or weak recovery mechanisms. These failures often result directly in unauthorised access to an account (also known as an account takeover) and subsequent data breach.

Robust authentication methods such as MFA, rate limiting, secure hashing of passwords, and effective session management provide defence in depth against authentication failures.
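The rate limiting named above as an added example (not the article's or OWASP's code): a per-account sliding-window throttle on failed logins that is checked before the password is verified, so a locked account costs no hash computation, and cleared on a successful login. The limits and the stand-in credential check are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed per account in the window (assumed policy)
WINDOW_SECONDS = 900    # 15-minute sliding window (assumed policy)


class LoginThrottle:
    """Per-account throttle for failed logins. The caller supplies the clock so it can be tested."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: float = WINDOW_SECONDS) -> None:
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures

    def _recent(self, account: str, now: float) -> deque:
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()                        # drop failures that have aged out of the window
        return q

    def is_blocked(self, account: str, now: float) -> bool:
        return len(self._recent(account, now)) >= self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._recent(account, now).append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, verify, account: str, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'throttled'. The throttle is consulted before the password
    check, so a blocked account is rejected without computing a password hash."""
    if throttle.is_blocked(account, now):
        return "throttled"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"          # same answer for wrong password and unknown account


def demo_verify(account: str, password: str) -> bool:
    """Stand-in credential check (constructed); real code calls the password verifier."""
    return account == "alice" and password == "correct horse"
```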

A08:2025 – Software and Data Integrity Failures

The Software and Data Integrity failure occurs when applications do not implement a mechanism to detect whether code has been altered since release, or do not verify the integrity of updates and other important data.

Examples include unsigned updates, untrusted deserialization and use of unverified data for system functionality. An attacker can exploit these weaknesses to include malicious code, manipulate the logic of an application and/or modify protected records.

Digital signatures, checksums, secure update mechanisms, and strong trust boundaries provide a way to maintain the integrity of an application throughout its lifecycle.
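An added example (not code from the article or OWASP) serving both the A03:2025 supply-chain entry and this one: a pinned manifest of reviewed components, produced once at review time alongside the SBOM, against which every downloaded artifact is checked for version drift and a checksum mismatch before it is installed. The artifacts and component names are constructed.

```python
import hashlib
import hmac


def build_manifest(known_good: dict) -> dict:
    """Record the pinned version and SHA-256 of each reviewed artifact.

    Produced once, from bytes that were actually reviewed, and committed with the
    SBOM; it is never regenerated from whatever was just downloaded.
    """
    return {
        name: {"version": version, "sha256": hashlib.sha256(data).hexdigest()}
        for name, (version, data) in known_good.items()
    }


def verify_artifact(manifest: dict, name: str, version: str, data: bytes) -> str:
    """Check a downloaded artifact against the manifest before install or execution.
    Returns a reason code; only 'ok' may proceed."""
    pin = manifest.get(name)
    if pin is None:
        return "unknown-component"       # nothing reviewed under this name: refuse
    if pin["version"] != version:
        return "version-drift"           # a different release than the one reviewed
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, pin["sha256"]):
        return "hash-mismatch"           # same name and version, different bytes
    return "ok"


# Constructed artifacts standing in for downloaded packages; the tampered copy differs by one word.
GOOD_ARTIFACT = b"package: leftpad 1.3.0\nexport function leftpad(s, n) { return s.padStart(n); }\n"
TAMPERED_ARTIFACT = GOOD_ARTIFACT.replace(b"padStart", b"padEnd")

MANIFEST = build_manifest({"leftpad": ("1.3.0", GOOD_ARTIFACT)})
```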

A09:2025 – Security Logging and Monitoring Failures

Security Logging and Alerting Failures arise when an application does not produce sufficient log data and cannot effectively monitor its critical activity in real time. Because of this, attacks can continue for a long time without being recognised.


Common issues include absent authentication logs, unmonitored errors, and a lack of central log analysis. Logging, continuous monitoring, and alerting all play a significant role.
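An added example (not the article's or OWASP's code) serving both A09 entries: detection logic run over authentication log lines that raises an alert when one source accumulates a burst of failures within a sliding window, the kind of signal that absent authentication logs or missing central analysis would hide. The log format and the sample lines are constructed; the addresses are from the documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format: "<ISO-8601 UTC> auth.<success|failure> user=<name> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth\.(?P<outcome>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source fails repeatedly across several accounts, another is normal.
SAMPLE_AUTH_LOG = """\
2025-03-01T10:00:01Z auth.failure user=alice src=203.0.113.5
2025-03-01T10:00:03Z auth.failure user=alice src=203.0.113.5
2025-03-01T10:00:04Z auth.failure user=bob src=203.0.113.5
2025-03-01T10:00:05Z auth.success user=carol src=198.51.100.7
2025-03-01T10:00:06Z auth.failure user=carol src=203.0.113.5
2025-03-01T10:00:08Z auth.failure user=dave src=203.0.113.5
2025-03-01T10:00:09Z auth.failure user=alice src=203.0.113.5
2025-03-01T10:02:00Z auth.failure user=erin src=198.51.100.7
2025-03-01T10:09:00Z auth.failure user=erin src=198.51.100.7
this line is not in the expected format
""".splitlines()


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when.timestamp(), m["ts"], m["outcome"], m["user"], m["src"]


def failed_login_bursts(lines, threshold: int = 5, window: float = 60) -> list:
    """Alert once per source when it reaches `threshold` failures within `window` seconds."""
    recent = defaultdict(deque)      # src -> timestamps of failures still inside the window
    users = defaultdict(set)         # src -> accounts tried (many accounts from one source = spraying)
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # in production, unparseable lines get their own counter
        ts, ts_text, outcome, user, src = rec
        if outcome != "failure":
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q), "at": ts_text, "users": sorted(users[src])})
    return alerts
```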

A10:2025 – Mishandling of Exceptional Conditions

The mishandling of Exceptional Conditions is an issue whereby applications do not properly handle exceptions, edge cases, or unexpected conditions, thereby experiencing crashes, data leaking, or security bypassing.

This encompasses issues like data leaking through exposed stack traces, failing open instead of failing closed, improper timeout handling, and validation bypasses.

These allow an attacker to gather information about how the system works or to cause a denial of service. The importance of secure error handling, including graceful degradation and thorough testing, cannot be overstated.
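The fail-closed behaviour this category calls for, as an added example (not the article's or OWASP's code): an authorisation check that consults an external policy function under a timeout and treats a timeout, an exception, or any answer that is not exactly True as a denial, shown next to the fail-open anti-pattern for contrast. The policy backends and timeout are constructed.

```python
import concurrent.futures
import time

POLICY_TIMEOUT = 0.2   # seconds the caller waits for a policy answer (assumed value)


def is_authorized(policy, subject: str, resource: str, timeout: float = POLICY_TIMEOUT) -> bool:
    """Ask an external policy function and fail closed.

    A timeout, an exception, or any result that is not exactly True counts as a
    denial, so an outage in the policy backend can never silently grant access.
    """
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(policy, subject, resource)
    try:
        decision = future.result(timeout=timeout)   # raises TimeoutError or the policy's exception
    except Exception:
        decision = False
    finally:
        pool.shutdown(wait=False)                   # do not hold the request on a hung backend
    return decision is True


def is_authorized_fail_open(policy, subject: str, resource: str) -> bool:
    """The anti-pattern this category describes: the error is swallowed and treated as a
    yes "so the site keeps working". Shown for contrast only."""
    try:
        return bool(policy(subject, resource))
    except Exception:
        return True


# Constructed policy backends that exercise the normal path and each failure mode.
def policy_normal(subject, resource):
    return subject == "alice" and resource == "report-1"


def policy_broken(subject, resource):
    raise RuntimeError("policy service unavailable")


def policy_slow(subject, resource):
    time.sleep(0.5)        # slower than the caller's timeout
    return True


def policy_truthy_string(subject, resource):
    return "yes"           # a non-boolean answer must not count as permission
```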

OWASP Web Application Security Comparison

The following table shows the comparison between OWASP Top 10 Web Application Security Vulnerabilities in 2021 vs in 2025:

| OWASP Top 10 2021 | OWASP Top 10 2025 | Key Change |
|---|---|---|
| A01: Broken Access Control | A01: Broken Access Control | Unchanged |
| A02: Cryptographic Failures | A02: Cryptographic Failures | Unchanged |
| A03: Injection | A03: Injection | Unchanged |
| A04: Insecure Design | A04: Insecure Design | Unchanged |
| A05: Security Misconfiguration | A05: Security Misconfiguration | Unchanged |
| A06: Vulnerable and Outdated Components | A06: Software Supply Chain Failures | Evolved/New |
| A07: Identification and Authentication Failures | A07: Identification and Authentication Failures | Unchanged |
| A08: Software and Data Integrity Failures | A08: Mishandling of Exceptional Conditions | New |
| A09: Security Logging and Monitoring Failures | A09: Security Logging and Monitoring Failures | Unchanged |
| A10: Server-Side Request Forgery (SSRF) | A10: Unsafe Direct Object Consumption | New/Replaced |

Conclusion

The continued connection of people via technology creates exponentially more complex application security issues. If you want to increase your ability to secure your applications, the OWASP and OWASP-based standards provide an internationally recognized starting point for you in developing your application’s security.

This community/standard is supported by the leading security experts worldwide and has nearly two decades of real-world research to support its validity.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
