OWASP Top 10

What this guide covers

The OWASP Top 10 is the most widely referenced list of web application security risks. Published by the Open Web Application Security Project, it ranks the ten most critical risks based on data from hundreds of organizations and thousands of applications.

The current version was published in 2021 and reflects vulnerability data from over 500,000 applications. Most organizations treat it as the baseline for what their security testing should catch.

This guide maps each OWASP Top 10 item to the application security tool categories that detect it, with specific tool recommendations from our reviews of 140+ tools across 10 categories.

Detection coverage matrix

This matrix shows which tool categories provide meaningful detection for each OWASP Top 10 risk. “Strong” means the category is built to find this class of vulnerability. “Partial” means it catches some instances but not all.

The bottom line: no single tool category covers all ten risks. You need at least SAST + DAST + SCA for broad coverage. Adding IAST gives you runtime visibility that fills several remaining gaps.

A01: Broken Access Control

Users acting outside their intended permissions: accessing other users’ data, modifying access rights, bypassing access checks. This was #5 in 2017 and moved to #1 in 2021 after data showed that 94% of tested applications had some form of broken access control.

Access control is business logic, which makes it hard to test automatically. A tool can see that an endpoint returns data, but it has no way to know whether this user should see that data without understanding the authorization model.

Which tools detect it

DAST tools are your primary automated defense. They test for insecure direct object references (IDOR) by manipulating request parameters and checking if the application returns unauthorized data.

• Burp Suite - The Autorize extension specifically tests for access control bypasses
• ZAP - Access control testing via the Access Control Testing add-on
• Invicti - Automated access control checks with proof-based scanning
• Nuclei - Community templates for common IDOR patterns

IAST tools instrument the application at runtime and can observe authorization checks (or their absence) as requests are processed.

• Contrast Security - Detects missing access control checks in real time
• Seeker IAST - Monitors authorization patterns during testing

RASP tools block unauthorized access attempts in production, acting as a safety net.

• Contrast Protect - Runtime blocking of access control violations
• Imperva RASP - Application-level access enforcement

SAST tools provide limited but useful coverage here by detecting hardcoded roles, missing authorization annotations, and absent access control checks in common frameworks.

A02: Cryptographic Failures

Failures related to cryptography that expose sensitive data: weak algorithms (MD5, SHA1 for passwords), hardcoded keys and secrets, missing encryption for data in transit or at rest, improper certificate validation. Previously called “Sensitive Data Exposure” in the 2017 list.

Which tools detect it

SAST tools are the strongest category for catching cryptographic issues in source code.

• Semgrep - Rules for weak crypto, hardcoded secrets, insecure TLS configurations
• Checkmarx - Deep analysis of cryptographic API usage across 75+ languages
• SonarQube - Built-in rules for weak hashing, insecure random number generation
• Bandit - Python-specific checks for insecure crypto usage
• Fortify - Broad crypto vulnerability detection

DAST tools catch exposed data in transit: missing HTTPS, weak TLS versions, certificate issues.

• Invicti - TLS configuration analysis, mixed content detection
• ZAP - SSL/TLS scanning, cookie security flags
• Nikto - Server-level crypto misconfiguration checks

SCA tools can also flag libraries with known cryptographic vulnerabilities.

A03: Injection

Untrusted data sent to an interpreter as part of a command or query. SQL injection, NoSQL injection, OS command injection, LDAP injection, and cross-site scripting (XSS) all fall here. Injection dropped from #1 (2017) to #3 (2021) as frameworks with built-in protections became standard.

Which tools detect it

This vulnerability class has the broadest tool coverage of any OWASP item. Nearly every scanning category can detect some form of injection.

SAST tools trace data flow from user input to dangerous sinks (database queries, system commands, HTML output).

• Checkmarx - Strong taint analysis for injection paths
• Veracode Static Analysis - Binary-level analysis catches injection in compiled code
• Semgrep - Pattern-based rules for common injection patterns
• Fortify - Data flow analysis across function boundaries
• Snyk Code - Real-time injection detection in IDEs

DAST tools actively probe running applications with injection payloads.

• Burp Suite - Active scanner with thorough injection testing
• ZAP - Active and passive injection scanning
• Invicti - Proof-based injection verification with confirmed exploitation
• Nuclei - Community templates for injection testing
• Acunetix - DeepScan technology for JavaScript-heavy applications

IAST tools observe injection in real time by watching how the application processes tainted data.

• Contrast Security - Detects injection at the point of exploitation
• Seeker IAST - Runtime injection monitoring

RASP tools block injection attempts in production.

• Contrast Protect - Blocks SQLi and XSS at runtime
• Imperva RASP - Virtual patching for injection vulnerabilities

A04: Insecure Design

New in 2021. This covers flaws in the design and architecture of an application, not implementation bugs. Missing security controls, business logic flaws, failure to think through attack scenarios.

Which tools detect it

Automated tools have almost no coverage here. This is a human problem.

Insecure design means the application was built without adequate threat modeling. No scanner can detect that a password reset flow lacks rate limiting if nobody specified rate limiting in the design. No SAST tool can flag that an e-commerce checkout allows negative quantities if the business logic was never defined.

What actually helps:

• Threat modeling during the design phase (tools like Microsoft Threat Modeling Tool, OWASP Threat Dragon)
• Security architecture reviews before implementation starts
• Abuse case testing where QA specifically tries to misuse features
• Security champions on development teams who think about threat patterns

Some ASPM tools like ArmorCode and Apiiro provide risk scoring that can flag applications lacking security controls, but this is a proxy indicator, not direct detection.

A05: Security Misconfiguration

Insecure defaults, incomplete configurations, open cloud storage, misconfigured HTTP headers, verbose error messages, unnecessary services left enabled. This was #6 in 2017 and moved to #5 in 2021.

Which tools detect it

DAST tools are well suited for finding misconfigurations in deployed applications.

• Invicti - Checks server headers, TLS configuration, error handling
• ZAP - Passive scanning for misconfigured headers, cookies, CORS
• Nikto - Server-level misconfiguration detection
• Nuclei - Thousands of templates for common misconfigurations

IaC Security tools catch misconfigurations before deployment by scanning infrastructure code.

• Checkov - Terraform, CloudFormation, Kubernetes policy checks
• Trivy - Container and IaC misconfiguration scanning
• Terrascan - Multi-cloud infrastructure policy enforcement
• KICS - Broad IaC misconfiguration detection
• Snyk IaC - IaC scanning integrated with Snyk platform

SAST tools offer partial coverage for application-level misconfigurations like debug modes, verbose logging, and insecure framework settings.

A06: Vulnerable and Outdated Components

Using libraries, frameworks, or OS packages with known vulnerabilities. Also covers components that are no longer maintained or running outdated versions.

Which tools detect it

SCA tools exist specifically for this risk. This is the one OWASP Top 10 category where a single tool category provides near-complete coverage.

• Snyk Open Source - Real-time dependency scanning with fix PRs
• Trivy - Container image and filesystem SCA (31,700 GitHub stars)
• Grype - Fast vulnerability matching against SBOM
• OWASP Dependency-Check - Mature, Java-focused SCA
• Renovate - Automated dependency updates (20,700 GitHub stars)
• Dependabot - GitHub-native dependency updates
• Mend SCA - Commercial SCA with license compliance
• Veracode SCA - SCA integrated with Veracode platform
• Sonatype Lifecycle - Policy-driven component governance

See our full SCA tools category for all 23 options.

A07: Identification and Authentication Failures

Weaknesses in authentication and session management: weak passwords, credential stuffing exposure, improper session handling, missing multi-factor authentication. Previously called “Broken Authentication” in the 2017 list.

Which tools detect it

DAST tools actively test authentication mechanisms in running applications.

• Burp Suite - Session management testing, authentication bypass checks
• ZAP - Authentication and session management scanning
• Invicti - Login flow analysis and session security testing
• Acunetix - Automated authentication testing

IAST and RASP tools monitor authentication flows at runtime.

• Contrast Security - Detects insecure session management in real time
• Imperva RASP - Runtime protection against credential attacks

SAST tools provide partial coverage by catching hardcoded credentials, weak password validation logic, and insecure session configuration in code.

A08: Software and Data Integrity Failures

New in 2021. Covers code and infrastructure that fails to protect against integrity violations: insecure CI/CD pipelines, auto-update mechanisms without integrity verification, and insecure deserialization (which had its own category in 2017).

Which tools detect it

SCA tools verify that dependencies have not been tampered with and detect dependency confusion attacks.

• Socket - Supply chain attack detection, malicious package identification
• Snyk Open Source - Dependency integrity checks
• Sonatype Lifecycle - Component authenticity verification

SAST tools detect insecure deserialization patterns in code.

• Checkmarx - Deserialization vulnerability detection
• Fortify - Insecure deserialization analysis
• Semgrep - Custom rules for deserialization patterns

IaC tools can verify CI/CD pipeline security configurations.

• Checkov - CI/CD pipeline policy checks
• KICS - GitHub Actions and pipeline configuration scanning

A09: Security Logging and Monitoring Failures

Insufficient logging, detection, monitoring, and active response. Without proper logging, breaches go undetected. Was #10 in 2017, moved up to #9 in 2021.

Which tools detect it

This category has the weakest automated tool coverage of any OWASP item. Most scanners simply do not evaluate whether an application logs security events correctly.

SAST tools provide limited detection by checking for missing logging calls around security-sensitive operations (authentication, authorization, input validation).

• Checkmarx - Rules for missing audit logging
• Fortify - Logging adequacy checks

IAST tools can observe whether the application generates appropriate log entries during security testing.

What actually helps:

• SIEM (Security Information and Event Management) solutions
• Application Performance Monitoring (APM) tools
• Log aggregation platforms (ELK Stack, Datadog, Splunk)
• Manual code reviews focused on security logging completeness

A10: Server-Side Request Forgery (SSRF)

SSRF happens when a web application fetches a remote resource without validating the user-supplied URL. Attackers use this to force the application to make requests to internal services, cloud metadata APIs, or other places it should not be talking to. New to the OWASP Top 10 in 2021, added based on the community survey.

Which tools detect it

SAST tools trace user-controlled data into URL-building and HTTP-request functions.

• Semgrep - SSRF rules for common HTTP client libraries
• Checkmarx - Data flow analysis for URL manipulation
• Snyk Code - SSRF pattern detection
• Fortify - Taint analysis for SSRF paths

DAST tools probe applications with payloads designed to trigger SSRF.

• Burp Suite - Burp Collaborator for out-of-band SSRF detection
• ZAP - SSRF scanning with OAST (Out-of-band Application Security Testing)
• Invicti - Proof-based SSRF verification
• Nuclei - SSRF templates targeting common patterns

IAST and RASP tools observe or block SSRF at runtime.

• Contrast Security - Real-time SSRF detection and blocking

Building a complete coverage strategy

Using the coverage matrix above, here is how to build layered detection across the OWASP Top 10.

Minimum viable stack (3 tool categories)

1. SAST - Covers A02, A03, A10 strongly; partial coverage for A01, A05, A07, A08, A09
2. DAST - Covers A01, A03, A05, A07, A10 strongly; partial coverage for A02
3. SCA - Covers A06, A08 strongly

This three-layer approach provides meaningful detection for 8 of 10 OWASP categories. A04 (Insecure Design) and A09 (Logging Failures) remain largely manual.

Recommended tool combinations

Free stack: Semgrep + ZAP + Trivy

Mid-market stack: Snyk Code + Snyk Open Source + StackHawk

Enterprise stack: Checkmarx One + Invicti + Contrast Security

For a deeper look at how these tool categories work together across the development lifecycle, see our Secure SDLC guide.

Frequently asked questions

Frequently Asked Questions

Written by

Suphi Cankurt

Suphi Cankurt is an application security enthusiast based in Helsinki, Finland. He reviews and compares 129 AppSec tools across 10 categories on AppSec Santa. Learn more.