SecureCodeReviews

OWASP Security Standards

OWASP Top 10 Security Risks

Comprehensive guides to the most critical web application and AI security risks, with detailed descriptions, real-world examples, vulnerable vs. secure code, and actionable prevention strategies.

Latest — 2025 Edition

OWASP Top 10 — 2025

The newest edition covering AI-era threats, cloud-native misconfigurations, supply chain attacks, post-quantum cryptography, and modern authentication failures — with comprehensive code examples and prevention strategies.

A01 — Broken Access Control

A02 — Cryptographic Failures

A03 — Injection (+ Prompt Injection)

A04 — Insecure Design

A05 — Security Misconfiguration

A06 — Vulnerable Components

A07 — Auth Failures

A08 — Integrity Failures

A09 — Logging & Monitoring

Explore the 2025 Edition

OWASP Top 10 — 2021

The previous edition — still widely referenced. Introduced Insecure Design, Software Integrity Failures, and SSRF as new categories.

Broken Access Control

Cryptographic Failures

Insecure Design

Security Misconfiguration

View 2021 Guide

OWASP Top 10 for AI

Security risks for LLM and AI systems — Prompt Injection, Model Poisoning, Excessive Agency, and more.

Prompt Injection

Sensitive Info Disclosure

Data & Model Poisoning

Improper Output Handling

View AI/LLM Guide

Historical Versions

Explore every OWASP Top 10 edition from 2007 to 2025 and see how security risks evolved over nearly two decades.

2025 — AI & Cloud-Native Era

2021 — Modern Web Security

2017 — API & SPA Growth

2013 — Mobile & Cloud Emergence

2010 & 2007 — Early Editions

Explore Timeline

About OWASP

The Open Worldwide Application Security Project

Open Source

OWASP is a nonprofit foundation focused on improving software security. All materials, tools, and documentation are free and open source.

Industry Standard

The OWASP Top 10 is the de facto standard for web application security awareness, referenced by PCI DSS, NIST, and regulatory frameworks worldwide.

Data-Driven

Rankings are based on analysis of real vulnerability data from hundreds of organizations, covering millions of applications and thousands of CVEs.

Visit owasp.org