The OWASP Top 10 is the definitive list of the most critical security risks to web applications. Here's what each one means for your business.
The Open Web Application Security Project (OWASP) maintains the Top 10, a regularly updated list of the most dangerous vulnerabilities affecting web applications. These aren't theoretical risks: OWASP Top 10 vulnerabilities are found in over 90% of web applications tested. If your business has a website, customer portal, or web application, these risks apply to you.
The current OWASP Top 10
A01:2021 - Broken Access Control
Users can access data or perform actions they shouldn't be able to. Examples: a customer viewing another customer's order, a standard user accessing admin functions, or an unauthenticated user modifying account details through a direct API call.
Business impact: Data breaches, unauthorised transactions, compliance violations. Found in 94% of applications tested.
Fix: Implement proper role-based access control, deny by default, validate permissions on every request server-side.
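As an added illustration (not code from the original article), a server-side object-level permission check that denies by default and covers the three cases named above: another customer's order, an admin-only function, and an unauthenticated caller. The User type, the ORDERS table and the role names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin" (constructed role names)

# Constructed sample data: order_id -> owning customer's user_id.
ORDERS = {1001: 1, 1002: 2}

class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""

def can_view_order(user: Optional[User], order_id: int) -> bool:
    """Object-level authorisation, deny by default.

    Only two explicit grants exist: the admin role, and the customer who
    owns the order. Everything else (unauthenticated callers, other
    customers, unknown order ids) falls through to False.
    """
    if user is None:
        return False                  # unauthenticated: never allowed
    owner = ORDERS.get(order_id)
    if owner is None:
        return False                  # unknown object: deny, don't leak
    if user.role == "admin":
        return True                   # explicit grant for admins
    return owner == user.user_id      # customers see only their own

def get_order(user: Optional[User], order_id: int) -> dict:
    """Server-side handler: the check runs on every request, regardless of
    whether the client hid the button or called the API directly."""
    if not can_view_order(user, order_id):
        raise Forbidden(f"order {order_id}: access denied")
    return {"order_id": order_id, "owner": ORDERS[order_id]}
```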
A02:2021 - Cryptographic Failures
Sensitive data transmitted or stored without proper encryption. Examples: passwords stored in plain text, credit card numbers sent over HTTP, or using outdated or weak cryptographic algorithms (MD5, SHA1).
Business impact: Data theft, Privacy Act violations, NDB scheme notification requirements.
Fix: HTTPS everywhere, TLS 1.2+, encrypt data at rest, hash passwords with bcrypt or Argon2.
A03:2021 - Injection
Untrusted data sent to an interpreter as part of a command or query. The most common type is SQL injection, where an attacker can read, modify, or delete your entire database through a form field.
Business impact: Complete data breach, data destruction, system takeover.
Fix: Parameterised queries for all database access, input validation with allowlists, never concatenate user input into queries.
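The concatenated query beside its parameterised replacement, as an added example (not from the article) using Python's built-in sqlite3 on a constructed in-memory table. The unsafe version is kept only as the 'before' pattern: a legitimate name containing an apostrophe breaks it, and a crafted value changes the query's meaning, while the parameterised version treats both as plain data.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample database with a few customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Alice", "alice@example.com"),
        (2, "O'Brien", "obrien@example.com"),
        (3, "Carol", "carol@example.com"),
    ])
    return conn

def find_customer_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' pattern: user input concatenated into the SQL text, so the
    database engine cannot tell data from code. "O'Brien" raises a syntax
    error here; "x' OR '1'='1" returns every row."""
    sql = f"SELECT id, name FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def find_customer_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value is bound by the driver and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()
```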
A04:2021 - Insecure Design
Security flaws built into the application's architecture rather than introduced through coding errors. Examples: no rate limiting on login attempts, no account lockout, password reset flows that leak information.
Business impact: Fundamental security weaknesses that can't be fixed with patches; they require architectural changes.
Fix: Threat modelling during design phase, security requirements in user stories, secure design patterns.
A05:2021 - Security Misconfiguration
Default configurations, unnecessary features enabled, overly permissive settings, or missing security headers. Examples: default admin passwords, directory listing enabled, verbose error messages showing stack traces.
Business impact: Information disclosure, unauthorised access. The most common vulnerability category in Australian SMB websites.
Fix: Harden all configurations, disable unnecessary features, implement security headers, remove default credentials.
A06:2021 - Vulnerable and Outdated Components
Using libraries, frameworks, or plugins with known vulnerabilities. WordPress plugins are the most common example: 52% of all WordPress vulnerabilities come from plugins.
Business impact: Exploitation using publicly available exploit code. Attackers scan for known vulnerable versions automatically.
Fix: Regular updates, dependency scanning, remove unused components, subscribe to vulnerability alerts.
A07:2021 - Identification and Authentication Failures
Weak authentication mechanisms. Examples: permitting weak passwords, no MFA, session IDs in URLs, not invalidating sessions after logout.
Business impact: Account takeover, identity theft, unauthorised access to customer data.
Fix: MFA on all accounts, strong password policies, secure session management, rate limiting on login attempts.
A08:2021 - Software and Data Integrity Failures
Code and infrastructure that don't verify integrity. Examples: auto-updating plugins without verification, CI/CD pipelines without integrity checks, deserialisation of untrusted data.
Business impact: Supply chain attacks, code injection, data manipulation.
Fix: Verify digital signatures, use integrity checks on updates, secure CI/CD pipeline configuration.
A09:2021 - Security Logging and Monitoring Failures
Insufficient logging and monitoring means attacks go undetected. The average time to detect a breach in Australia is 204 days, largely because organisations aren't monitoring for intrusions.
Business impact: Extended breach duration, increased data loss, inability to perform forensic investigation.
Fix: Log all authentication events, access control failures, and input validation failures. Set up alerts for anomalies.
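An added example (not from the article) of the alerting this fix calls for: a sliding-window detector over constructed authentication log lines that flags a source IP with repeated failed logins, which is also the signal behind the login rate limiting mentioned under A04 and A07. The log format, field names, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log lines in a hypothetical format: timestamp, event, user, source IP.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z LOGIN_FAIL user=alice ip=203.0.113.7
2024-05-01T09:00:03Z LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-01T09:00:04Z LOGIN_OK user=carol ip=198.51.100.2
2024-05-01T09:00:06Z LOGIN_FAIL user=carol ip=203.0.113.7
2024-05-01T09:00:08Z LOGIN_FAIL user=dave ip=203.0.113.7
2024-05-01T09:00:09Z LOGIN_FAIL user=erin ip=203.0.113.7
2024-05-01T09:30:00Z LOGIN_FAIL user=alice ip=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) ip=(\S+)")

def detect_bruteforce(log: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> list:
    """Flag source IPs with at least `threshold` LOGIN_FAIL events inside a
    sliding time window. Returns (ip, first_ts, last_ts, distinct_users)
    per alerted IP; successful logins and unparsable lines are ignored."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user) inside the window
    alerts, alerted = [], set()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_s, event, user, ip = m.groups()
        if event != "LOGIN_FAIL":
            continue
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)               # one alert per IP, not one per line
            alerts.append((ip, q[0][0], ts, len({u for _, u in q})))
    return alerts
```

Many distinct usernames from one source, as in the sample, is the spraying pattern that per-account lockout alone does not catch.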
A10:2021 - Server-Side Request Forgery (SSRF)
The application fetches remote resources without validating the URL provided by the user. An attacker can make your server send requests to internal systems, cloud metadata endpoints, or other services it shouldn't access.
Business impact: Internal network scanning, cloud credential theft, access to internal services.
Fix: Validate and sanitise all URLs, use allowlists for permitted destinations, segment network access.
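An added example (not from the article) of the URL allowlist check described above, using only Python's standard library; ALLOWED_HOSTS and the scheme and port policy are constructed for the example. It assumes the allowlisted names resolve to the intended hosts, which is why the network segmentation in the fix remains a necessary second layer.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of destinations this application may fetch on a user's behalf.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}

def is_safe_fetch_url(url: str) -> bool:
    """Allowlist check for a user-supplied URL before the server fetches it.

    Rejects, in order: unparsable URLs, any scheme other than HTTPS,
    credentials embedded in the authority ("user@host"), empty hosts,
    IP literals of any kind (so loopback, private and link-local ranges
    such as cloud metadata addresses never pass), non-standard ports,
    and finally any host name that is not on the allowlist.
    """
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)     # parses both IPv4 and bracketed IPv6
        return False                   # literal IPs are never allowed
    except ValueError:
        pass                           # not an IP literal: a host name
    if port not in (None, 443):
        return False
    return host.lower() in ALLOWED_HOSTS
```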
How VAPT addresses the OWASP Top 10
A thorough vulnerability assessment and penetration test (VAPT) systematically tests for all OWASP Top 10 categories, plus additional business logic and application-specific vulnerabilities that scanners miss. The OWASP Top 10 is the minimum testing scope; a quality VAPT goes beyond it to test your specific application context.
How many OWASP Top 10 vulnerabilities does your site have?
RabbiiCo Studio's free Attack Surface Scan checks for common OWASP Top 10 vulnerabilities. For a thorough assessment, our VAPT service tests every category with manual verification.