🌐
OWASP
owasp.org › www-project-top-ten
OWASP Top Ten Web Application Security Risks | OWASP Foundation
German 2013: OWASP Top 10 2013 - German PDF [email protected] which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr.
🌐
Berkeley EECS
people.eecs.berkeley.edu › ~raluca › cs261-f15 › readings › owasp-top-10.pdf pdf
OWASP Top 10 - 2013
Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe · this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused
Discussions

compliance - Any comments or advice on OWASP-2013 top 10 number A9 - Information Security Stack Exchange
9 Why OWASP Top 10 (web application) hasn't changed since 2013 but Mobile Top 10 is as recent as 2016? More on security.stackexchange.com
🌐 security.stackexchange.com
Why OWASP Top 10 (web application) hasn't changed since 2013 but Mobile Top 10 is as recent as 2016? - Information Security Stack Exchange
Latest edition of OWASP Top 10 for web application was in 2013 and for mobile applications, it is 2016. Why is it so? Can we say that the pattern in the web application vulnerabilities is settled? ... More on security.stackexchange.com
🌐 security.stackexchange.com
July 13, 2016
Interview question: Do you know what the OWASP top 10 are?
To be blunt, OWASP Top 10 is pretty basic stuff. If you didn't know what that was and you then made an excuse for it I wouldn't hire you either. That is not something just "programmers" should know. but should I know more for the next interview? Yes. Is that enough? Not by a long shot. More on reddit.com
🌐 r/AskNetsec
101
43
October 4, 2018
The OWASP Top 10 is killing me, and killing you! The Open Web Application Security Project publishes its Top 10 web development mistakes that often lead to security vulnerabilities. Many items on the list haven't changed since the 2013 and 2010 reports. In other words, we're still screwing up.
the most common theme of secops guys is to scream and yell that we need to change this or change that or we have some vulnerability, and then offer absolutely zero fucking insight as to how it should be properly fixed. Often times dev's just end up doing enough to subvert whatever tool the sec team is using, not actually fixing the problem. More on reddit.com
🌐 r/programming
171
951
October 27, 2017
🌐
GitHub
github.com › OWASP › Top10 › blob › master › 2013 › OWASP Top 10 - 2013.pdf
Top10/2013/OWASP Top 10 - 2013.pdf at master · OWASP/Top10
Official OWASP Top 10 Document Repository. Contribute to OWASP/Top10 development by creating an account on GitHub.
Author   OWASP
🌐
ZK
zkoss.org › wiki › ZK_Developer's_Reference › Security_Tips › OWASP_Top_10_Security_Concerns_In_2013
ZK Developer's Reference/Security Tips/OWASP Top 10 Security Concerns In 2013 - Documentation
The Open Web Application Security ... The OWASP Top 10[2] is a powerful awareness document for web application security that presents a list of the 10 most critical web application security risks. The most recent edition of this document was published in 2013....
🌐
Imagescape
imagescape.com › media › filer_public › f8 › 9a › f89a84f3-67af-4813-b5e5-0a26fb9663f0 › owasp_top_10_-_2017_rc1-english_6.pdf pdf
OWASP Top 10 - 2013
Top 10 - 2004), and dropping 2013-A10: Unvalidated Redirects and Forwards, which was added to the Top 10 in 2010. The OWASP Top 10 for 2017 is based primarily on 11 large datasets from firms that specialize in application security, including 8
🌐
Infosec Institute
infosecinstitute.com › resources › application security › owasp top 10 application security risks: 2013 vs 2017
OWASP top 10 application security risks: 2013 vs 2017 | Infosec
January 7, 2026 - The OWASP Top 10 is a list of common and critical security vulnerabilities that could affect applications. The first version was released back in 2003, which was updated in 2013.
🌐
Network Intelligence
networkintelligence.ai › home › owasp top 10 – 2013 web application security risks
OWASP Top 10 – 2013 Web Application Security Risks
July 29, 2025 - Further, its position has now been promoted to (A7) from (A8) in 2010 Top 10 list. Final position: A7- Missing Function Level Access Control · d) New Additions: The new list has the following new additions: Position A6: Sensitive Data Exposure is created. This is basically the merging of 2 issues in 2010 OWASP Top 10 List namely
Find elsewhere
🌐
Holm Security
support.holmsecurity.com › knowledge › owasp-2013-vs.-owasp-2017
What is the difference between the OWASP Top 10 versions 2013 and 2017?
Two risks from the OWASP Top 10 2013 are merged · Insecure Direct Object References and Missing Function Level Access Control were merged into a single risk: Broken Access Control. Security updates · General · Product news · Release notes · Getting started ·
🌐
Beagle Security
beaglesecurity.com › blog › owasp › owasp-top-ten-2013.html
OWASP top ten 2013
OWASP Top 10 is the standard guide for developers and online application security. It provides a consensus of the most important security threats to web applications.
🌐
Scribd
scribd.com › document › 322750097 › OWASP-2013
OWASP Top 10 Vulnerabilities 2013 | PDF | Computers
The document describes an introductory workshop on the Open Web Application Security Project (OWASP) 2013 that lasts 6 hours. It covers main topics like application security risks, the top 10 critical web application vulnerabilities, and vulnerability assessment.
🌐
Detectify
blog.detectify.com › home › best practices › owasp top 10 2013: cross-site request forgery – csrf
OWASP TOP 10 2013: Cross-site Request Forgery - CSRF - Blog Detectify
May 25, 2023 - Cross-site Request Forgery (CSRF) is one of the vulnerabilities on OWASP’s Top 10 list. Its an attack used to make requests on behalf on the user. OWASP is a non-profit organization with the goal of improving the security of software and the internet.
Top answer
1 of 3
27

In a formal review of an application's security, all libraries should be vetted for security defects. However, this is not the point of OWASP-2013 A9. The core of OWASP-2013 A9 is about having a policies in place to ensure that an application isn't compromised due to negligence. OWASP states the following:

  1. Identify all components and the versions you are using, including all dependencies. (e.g., the versions plugin).
  2. Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date.
  3. Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.
  4. Where appropriate, consider adding security wrappers around components to disable unused functionality and/ or secure weak or vulnerable aspects of the component.

Number 2 is the most important. If you are dependent on a library or platform, these components need to be updated regularly. Internally there should be a cycle to review all components and versions, and ensure that these are fully updated. A monthly cycle to review these components would be ideal.

In short number 4 is requiring strong validation of input to untrusted libraries. If a library hasn't been fully tested for security defects then data passed to this library must be validated. It is a very good security practice to do this for all input. An example of this is using an OWASP ESAPI validation routine for all input. So if it is an email address, it should match a regex for email addresses.

2 of 3
4

From an auditor's point of view, I do not expect you to go through every single line of code of used libraries IF the library is commonly used and vetted. If you are using "random code you found on the internet" for a transaction system then I expect you to have had a review on the code.

Now for the more used and vetted libraries I would simply review the version of the library and see if there are any known vulnerabilities. You should regularly update your libraries with at least every single security update.

If no security update is available for the issue, I would require you to have an action plan to:

  • monitor if exploitation has happened (sometimes a security update can be for a component which is not used)
  • mitigation of the risk (disabling the component or altering the WAV/IPS)
🌐
Detectify
blog.detectify.com › home › best practices › owasp top 10 2013: unvalidated redirects and forwards
OWASP TOP 10 2013: Unvalidated redirects and forwards - Blog Detectify
September 5, 2023 - This vulnerability is also often called Open Redirect. Unvalidated redirects and forwards were ranked as uncommon both in 2010 and 2013 when OWASP graded vulnerabilities in their top ten list.
🌐
Indusface
indusface.com › blog › owasp-top-10-vulnerabilities-2013
OWASP Top 10 Vulnerabilities in 2013
April 23, 2026 - Configuration mistakes in software stack, frameworks, platform, container, cloud or application settings that leave systems open or improperly secured. In OWASP Top 10 2025 this category has moved up to #2 (~3.00% of applications had one or more of the 16 CWEs).
🌐
Infosec Institute
infosecinstitute.com › resources › application security › owasp top ten testing and tools for 2013
OWASP top ten testing and tools for 2013 | Infosec
January 7, 2026 - In 2013 OWASP completed its most recent regular three-year revision of the OWASP Top 10 Web Application Security Risks. The Top Ten list has been an importan
🌐
OWASP
owasp.org › www-project-top-ten › 2017 › Release_Notes
OWASP Top Ten 2017 | Release Notes | OWASP Foundation
Release Notes on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
Top answer
1 of 4
10

The reason for the delay is that there has been little change in the Web T10. As stated by Dave Wichers, the Web T10 project lead, on 30 June 2015:

Historically, we've produced a new OWASP Top 10 every 3 years because this seems to balance the tempo of change in the AppSec market, all the work everyone does to map their tool/process/other thing to each version of the OWASP Top 10, and the effort required to produce it. We've been producing a new one every three years since 2004 (i.e., 2007/2010/2013), and so a new version for 2016 is due. (Definitely not happening in 2015).

However, we've been thinking about what might change in a 2016 release of the Top 10 and we don't actually think it would change much, if at all, which is kind of sad actually. I suspect some Top 10 items might move up or down based on the vulnerability prevalence statistics that we would need to gather and process, but I have my doubts that any new vulnerability types would break into the Top 10.

As such, given that we don't expect the list to actually change in any substantial way, the project has decided to defer the next update to a 2017 release.

This table from the 2013 T10 Release Notes demonstrates the small change: The changes were largely due to rethinking how to categorize the raw data, not due to significant changes in the data.

Some have postulated that the level of effort for creating the T10 was a factor for delaying it. While it is a lot of work, I do not think that was a major factor. The Web T10 is OWASP's most recognized project and always has lots of volunteers (I contributed to the 2007, 2010, and 2013 ones).

Speculating as to whether the same thing will happen for mobile applications, I do not think that is likely in the near future. Mobile technology is still in its infancy and subject to rapid change.

2 of 4
3

Please note that the OWASP Top 10 was updated in 2017.

I wrote about it at The OWASP Top 10: 2013 vs. 2017.

tldr:

Three new risks were added this year: XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring.

Two items were removed from this year’s top 10: Cross-Site Request Forgeries (CSRFs) and Unvalidated Redirects and Forwards.

Two risks from the 2013 report (Insecure Direct Object References and Missing Function Level Access Control) were merged into a single risk: Broken Access Control.