Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
The OWASP Top 10 is the most-cited list in web security, updated every few years from a meta-analysis of real-world vulnerability data. It's not the canon, it's the consensus — what most teams will encounter most often. Knowing it cold means you can read a bug report and immediately know which category you're in, which past incident is similar, and what the standard mitigations are.
The 2021 list, in order: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Server-Side Request Forgery (SSRF). Each category groups a cluster of CWEs underneath it.
Use these three prompts in order. Each builds on the one before.
1. In one paragraph, explain what the OWASP Top 10 is and what it isn't.
2. Walk me through how the Top 10 is constructed — what data, what process, what biases.
3. Pick a category that moved up or down between Top 10 versions. What's the story behind the change?