Module 3 ยท OWASP Top 10
Module 3
OWASP Top 10
Ten risk categories, five lenses, and a practical question: where does each one show up in your product?
01 / 23 ยท Cover
Your journey ยท Program map
Your journey so far
9 modules. One toolkit. You are at Module 3.
Context
Your toolkit ยท So far
What you already have
Modules 1โ2
M1
Champion role: why it exists, how it operates
Bridge between dev team and security โ context is the asset
M2
Security requirements classified into four layers
You know where security work lives in your tracker
M2
Technical findings translated to business language
CVE โ dollar impact. Risk framed in terms that get budget
M2
Trust boundaries and STRIDE: first look
The foundation for systematic threat hunting
Context
Module 3 ยท The vocabulary of risk
The vocabulary of risk
You have a process for working in sprints. But what are you actually looking for?
The OWASP Top 10 is the industry's consensus on what goes wrong most often โ not a checklist to memorize, but ten categories that show up in every product you'll ever work on.
This module gives you two ways to see them:
1
Five lenses on the Top 10
Five angles that reveal where risks live in your architecture
2
Pattern recognition
See risks in your own product, not just in textbook examples
Context
Intro ยท How this module works
Five lenses, not ten summaries
A different way through the list
The OWASP Top 10 is publicly available โ you can read the descriptions on owasp.org in twenty minutes. This module doesn't try to compete with that.
Instead, we organize the ten risks into five lenses โ five angles that help you look at your own product and see where the risks actually live. Each lens groups risks that share a common root cause or structural pattern.
The goal: take a component you work on and map the Top 10 against it. Not because you memorized a list, but because you understand why each risk exists and where it hides in your architecture.
Your role as a Champion: when you file a security ticket, don't just describe the symptom โ name the root cause pattern. "This is an architectural gap that creates risk by default" gives your security team more to work with than "found an access control bug." You don't need to fix every risk on the Top 10 โ you need to see where they live in your product.
The Top 10 is a starting point, not a checklist. For teams that want a more granular verification framework, OWASP ASVS (Application Security Verification Standard) provides hundreds of specific requirements organized by security level. Think of the Top 10 as "where to look" and ASVS as "exactly what to check."
The next slide shows the roadmap โ which risks go where, and why we grouped them this way.
05 / 23 ยท Intro
Intro ยท The roadmap
Five lenses, ten risks
Tap any lens to see why those risks belong together
The OWASP Top 10 used to list specific vulnerabilities. Now it lists risks โ impact ร likelihood. This lens covers why that shift happened and what it changes for you. No specific A01โA10 items here; this is the foundation that makes the other four lenses work.
Comparing the 2021 and 2025 lists reveals how development itself changed: supply chain risk rose because we use hundreds of dependencies now, not dozens. Misconfiguration jumped to #2 because forgetting to configure a WAF is a vulnerability now. And vibe coding isn't on the list yet โ but only because OWASP's data collection finished before it took off.
Supply chain โMisconfig โVibe coding?
Three risks with a shared root: architectural decisions that create risk by default. Broken access control (A01) persists because distributed microservices each implement their own authorization โ and one of them will get it wrong. Misconfiguration (A02) exists because modern stacks have so many configurable layers that missing one flag is inevitable. Insecure design (A06) happens when teams under delivery pressure skip the checks they know they should do.
A01 Access controlA02 MisconfigA06 Insecure design
All three are about trusting things you didn't build. Supply chain failures (A03) โ we use third-party code we didn't audit. Cryptographic failures (A04) โ even using existing crypto correctly is hard. Integrity failures (A08) โ how do you verify that a component hasn't been tampered with at runtime? These risks grow together because we compose more and write from scratch less.
A03 Supply chainA04 CryptoA08 Integrity
Four risks unified by one theme: our attention and resources have limits. We can't sanitize every input path (A05). Password rules don't guarantee strong passwords (A07). Storing telemetry from every source is a billion-dollar problem (A09). And our tools are so complex that predicting every possible behavior is structurally impossible (A10).
A05 InjectionA07 AuthA09 LoggingA10 Edge cases
06 / 23 ยท Roadmap
Knowledge check ยท before we start
Check your instinct
Before the first lens
OWASP Top 10 is a list of the ten most common application security ___. Fill in the blank.
C โ risks. This is the distinction most engineers miss, and it's exactly where Lens 1 starts. The project was originally about vulnerabilities, then threats, and today it's organized around risks โ meaning impact ร likelihood. The shift matters because it changes what you count and how you prioritize. A single vulnerability might be critical or irrelevant depending on context. A risk forces you to consider both.
07 / 23 ยท Quiz
Lens 1 ยท Risk โ vulnerability
Lens 1
Risk โ vulnerability
The OWASP Top 10 changed its unit of measurement โ from specific weaknesses to business-level risks. Understanding why is the foundation for everything else in this module.
08 / 23 ยท Lens 1
Lens 1 ยท Why the naming changed
From vulnerabilities to risks
How the OWASP Top 10 grew up
2003โ2010
Vulnerabilities
โ
2010โ2017
Threats
โ
2017โ2025
Risks
The OWASP Top 10 has gone through three naming eras. The reason is practical: there are too many individual vulnerabilities to list. Grouping them by risk makes the Top 10 something you can actually work with.
Each of the ten items is a risk category โ not a single bug or attack technique.
Take distributed denial of service: you can execute it at the network level, at the application level, against database connection pools, against virtual resources โ the specific vulnerabilities are endless. But the risk โ that your service becomes unavailable and the business loses revenue โ is one thing, regardless of which weakness the attacker exploits.
Champion's takeaway
When you file a security ticket, name the risk category โ not the individual bug. "Broken access control in our payment service" gives your team more to act on than "found an auth issue."
09 / 23 ยท Lens 1
Lens 1 ยท Quick check
A common mistake
"We have an OWASP vulnerability."
That's like saying "we have a weather." OWASP Top 10 is a set of risk categories, not specific bugs. Saying "we have broken access control risk in our payment service" โ that's a sentence you can actually act on.
10 / 23
Lens 1 ยท Definitions that matter
Vulnerability, threat, risk
Three words, three different things
These three terms get used interchangeably in casual conversation. They mean different things, and the difference changes what you do about them.
Vulnerability / weakness
An attribute of the system that permits an attack to be realized. A misconfiguration, a missing control, or the absence of a security feature altogether.
Threat
The action or agent attempting to exploit the weakness. The attacker, the script, the insider.
Risk
Impact ร likelihood โ the business-level concern. How bad would it be, weighted by how probable it is.
A vulnerability is how the system is. A threat is what someone does. Risk is how bad it could get.
Champion's takeaway
Next time you write a Jira ticket, ask yourself: am I describing a vulnerability (system attribute), a threat (attacker action), or a risk (business impact)? The answer changes who needs to act.
11 / 23 ยท Lens 1
Lens 1 ยท Reality check
Meanwhile, in production
This is a vulnerability. Not a threat, not a risk. An attribute of the system.
default credentials check
12 / 23
Knowledge check ยท classify the situation
Knowledge check
Scenario
Your application has a login page. When a user enters a valid username but wrong password, the system responds "incorrect password." When the username doesn't exist, it responds "user not found."
What is this?
B โ a vulnerability. The system permits user enumeration. An attacker can script requests and build a list of valid usernames, then use that list for credential stuffing or phishing. The fix โ returning the same generic message for both cases โ is annoying for legitimate users. That's the trade-off, and it's a real one. Some teams accept the risk; some don't. The point is knowing it's there.
13 / 23 ยท Quiz
Lens 1 ยท The fix in code
What the fix looks like
Same login, different response
โ Leaks info
if (!user) {
return res.status(404)
.json({error: "User not found"})
}
if (!validPassword(user, pwd)) {
return res.status(401)
.json({error: "Wrong password"})
}
โ Generic response
if (!user || !validPassword(user, pwd)) {
return res.status(401)
.json({error: "Invalid credentials"})
}
โ
The decisive fix: same response for "user doesn't exist" and "wrong password." The attacker can't tell which one failed โ so enumeration doesn't work.
Yes, users will complain. That's the trade-off from the previous quiz โ and now you've seen both sides of it.
Champion's takeaway
Security vs. usability isn't a binary. The fix here is 3 lines of code โ the trade-off is a slightly vaguer error message. That's almost always worth it.
14 / 23 ยท Code
Lens 1 ยท The formula
Feel the formula
Drag the sliders
The Core Equation
Risk = Impact ร Likelihood
Impact
2
Likelihood
1
2
LOW
Acceptable risk. Monitor and revisit next review cycle.
Set Impact to 5, Likelihood to 1. Then flip them. Same score โ completely different situation.
Earlier versions listed specific types โ "cross-site scripting" or "SQL injection" as separate entries. Too many vulnerabilities, too much overlap. By grouping them into risk categories, each entry represents a cluster of related problems with shared root causes and shared mitigations.
15 / 23 ยท Lens 1
Pause
“
“
The distinction
A vulnerability is something about your system. A risk is a question your CFO can answer.
The OWASP Top 10 moved from cataloguing the first to measuring the second. That's the whole trick.
15 / 23
Knowledge check ยท spot the difference
Knowledge check
Scenario
Your team's registration form responds "this email is already taken" when a user tries to register with an existing email address.
A colleague argues this is a vulnerability. Another says it's not โ the registration form needs to tell the user what went wrong. Who's closer to the truth?
C โ both are partially right. The form does permit email enumeration โ that's a weakness. But the alternative (a generic "something went wrong with registration") makes for a terrible user experience. This is exactly the kind of trade-off a Security Champion navigates: a banking app should probably accept the UX hit, a gaming platform might not. The point isn't that there's one correct answer โ it's that you know the trade-off exists.
16 / 23 ยท Quiz
Lens 1 ยท What this changes
What this changes in practice
It's about risks โ so the question is: how likely is this for us, and how bad would it be?
If the Top 10 were still about vulnerabilities, you'd use it like a checklist: does my app have X? Yes/no. Risk thinking changes that entirely.
The shift
Broken access control (A01) shows up differently in a financial API than in a content management system. The risk category is the same. The vulnerabilities, mitigations, and trade-offs are completely different.
The OWASP Top 10 doesn't tell you what to fix. It tells you where to look. The fixing part requires knowing your own system โ and that's what the remaining four lenses are about.
Champion's takeaway
Don't treat OWASP as a checklist. Use it as a lens for your system โ same A01, different risks depending on what you build.
17 / 23 ยท Lens 1
Time to think ยท How it all connects
Vulnerabilities
exploited by threats โ
Threats
produce risks โ
Risks
โ OWASP Top 10 operates here
Vulnerabilities
Hundreds of specific weaknesses โ misconfigurations, missing controls, default credentials. Attributes of your system, not things someone does.
Threats
Attackers, scripts, insiders, bots. Many vulnerabilities share the same threats โ that's why this bar is narrower.
Risks
Impact ร likelihood. Dozens of vulnerabilities compress into a handful of risks you can prioritize. This is the level executives act on.
The bars get narrower because many weaknesses compress into fewer risks. That compression is what makes the Top 10 actionable.
Time to think and reflect
Knowledge check ยท applying the formula
Knowledge check
Scenario
Two applications both have a known SQL injection vulnerability. Application A is an internal HR tool used by 12 people behind a VPN. Application B is a payment API processing 2 million transactions per day, exposed to the internet.
Both have the same vulnerability. Do they have the same risk?
B โ the risk is different. The vulnerability is identical. But the payment API has massively higher impact (financial data, regulatory exposure, millions of users) and higher likelihood (internet-facing, publicly discoverable). The internal tool still needs fixing โ SQL injection is never acceptable โ but when you're deciding which one to fix this sprint, the formula gives you a clear answer. That's what risk-based thinking buys you: a way to prioritize when you can't fix everything at once.
19 / 23 ยท Quiz
Lens 1 ยท Summary
What Lens 1 gave you
Three things to carry forward from this lens:
1. The unit of measurement. OWASP Top 10 measures risks โ impact ร likelihood โ not individual vulnerabilities. When you see "A01: Broken Access Control," you're looking at a risk category containing dozens of specific weaknesses.
2. The working definitions. A vulnerability is an attribute of your system. A threat is the action exploiting it. A risk is the business consequence โ probability ร impact. These aren't synonyms.
3. Context changes everything. The same vulnerability produces different risks in different products. That's why the OWASP Top 10 is a framework for thinking, not a universal to-do list.
Next up: Lens 2 looks at how the Top 10 has evolved from 2021 to 2025, and what that evolution reveals about the way we build software now.
20 / 23 ยท Lens 1 summary
Bridge ยท Into Lens 2
Coming next: what changed and why
The 2021 โ 2025 OWASP evolution isn't just a reshuffling of categories. It's a mirror of how software development itself changed. Lens 2 reads that mirror.
How many dependencies does your product have? 10? 50? Hundreds? We're not writing everything from primitives anymore โ we compose. And the cost of that composition is supply chain risk.
Can you imagine your API without a WAF? Your registration form without a captcha? We're so dependent on external security controls that forgetting to configure one is itself a vulnerability now.
It's not โ yet. OWASP's data collection finished before vibe coding took off. But expect it on the next iteration. LLM-generated code without review is the supply chain risk nobody's catalogued yet.
21 / 23 ยท Bridge
Module 3 ยท Lens 1 complete
Lens 1 complete
Risk โ vulnerability
You covered the foundation: OWASP Top 10 measures risks (impact ร likelihood), not individual bugs. Vulnerability, threat, and risk are three different things โ and the difference changes how you prioritize.
Your score: calculating...
The remaining four lenses build on this. Lens 2 looks at how the Top 10 evolved from 2021 to 2025 โ and what that says about the way we build software now.
What's next
Lens 2 unpacks the 2021 โ 2025 shift โ why supply chain rose, why misconfiguration jumped to #2, and what vibe coding means for the list.
23 / 23
โธ Pause to reflect