OWASP Top 10 (2021)

OWASP Top 10. Mapped to Deva detection.

The OWASP Top 10 is the standard awareness document for web application security. Each category below links to the underlying CWE detection guides Deva ships, real-world breaches that fell into the category, and the compliance frameworks that explicitly require coverage. The 2021 edition is the current authoritative version; the 2025 draft is in public review.

OWASP official siteRead: OWASP Top 10 2025 draft analysisCWE index
A01Critical

Broken Access Control

Authorization that fails to enforce who can do what.

What it is

Broken access control is the most prevalent category in the OWASP Top 10 (2021), affecting 94% of applications tested in the OWASP Foundation's data set. It covers any path by which a user performs an action they should not be authorized to perform: bypassing access checks via URL manipulation, modifying request metadata, accessing another user's resources via Insecure Direct Object Reference (IDOR), elevating privileges, or performing state changes that should require additional confirmation. Modern web frameworks ship with secure-by-default access patterns, but mis-applied or skipped checks remain the dominant root cause of disclosed breaches.

Common patterns

  • IDOR: fetching a resource by a request-supplied ID without verifying the authenticated user owns or has rights to it.
  • Skipping authorization on backend APIs because the UI does not surface a link to the action.
  • CSRF: state-changing operations that lack a token, SameSite cookie attribute, or origin check.
  • Privilege escalation through parameter tampering (role=admin in a request body).
  • Path traversal allowing read or write of files outside the intended directory.
  • CORS misconfiguration that allows credentialed requests from any origin.

CWE guides Deva ships for A01

CWE-22Path Traversal
CWE-352Cross-Site Request Forgery (CSRF)
CWE-862Missing Authorization
CWE-863Incorrect Authorization (IDOR)

What Deva detects

Deva detects API handlers that accept resource IDs from the request without enforcing an ownership predicate in the database query. The scanner identifies routes lacking authentication middleware on sensitive paths, missing CSRF token validation on state-changing endpoints, and path operations that do not canonicalize against a permitted root. Findings include the upstream request source, the sink, and the missing check.

Real-world breaches in this category

2019

Capital One (100M records)

A WAF misconfiguration combined with SSRF and broken access control allowed exfiltration of credit application data for over 100 million Americans. The compromised IAM role had access to S3 buckets that should have been outside its authorization scope.

2022

Optus (10M records)

An exposed API endpoint without authorization checks allowed enumeration of customer records by incrementing an identifier. The endpoint was not internet-facing in design but had been published on a misconfigured subdomain.

2018

USPS Informed Visibility API

A REST API allowed any logged-in usps.com user to query mailing data for any user account by changing a parameter, exposing data for roughly 60 million users until disclosure.

Compliance impact

  • ·NIST 800-53 AC-3 Access Enforcement, AC-6 Least Privilege
  • ·PCI-DSS v4.0 Req 7.2 Access control system
  • ·HIPAA 164.312(a)(1) Access Control
  • ·CMMC 2.0 AC.L2-3.1.1, AC.L2-3.1.2
  • ·GDPR Article 32 Security of processing
A02High

Cryptographic Failures

Sensitive data exposed because cryptography is missing, weak, or misused.

What it is

Cryptographic failures (renamed from Sensitive Data Exposure in 2021) cover any path by which sensitive data is exposed because of inadequate cryptographic protection. Manifestations include missing encryption in transit or at rest, weak algorithms (DES, MD5, SHA-1 for passwords), hardcoded credentials, weak or predictable random number generation, and improper key management. The category sits high in the OWASP Top 10 because the consequences of disclosure are immediate and often unrecoverable: leaked passwords cannot be unleaked.

Common patterns

  • Hashing passwords with fast algorithms (MD5, SHA-256) instead of bcrypt, argon2, or scrypt.
  • AES with ECB mode (visible patterns) or CBC without HMAC (padding oracle vulnerabilities).
  • Hardcoded API keys, database passwords, or signing secrets in source code.
  • Math.random or other non-cryptographic PRNGs used for tokens, session IDs, or salts.
  • HTTP endpoints transmitting credentials, tokens, or PII without TLS.
  • Stack traces, debug pages, or error responses that include sensitive system or user data.

CWE guides Deva ships for A02

CWE-200Sensitive Data Exposure
CWE-327Broken Cryptography
CWE-798Hardcoded Credentials

What Deva detects

Deva matches algorithm and mode constructors across language ecosystems and flags use of broken or unsuitable primitives in security contexts. The scanner runs high-confidence regex detectors for AWS keys, Stripe tokens, GitHub PATs, OpenAI and Anthropic keys, and other credential formats. Error-handling rules flag handlers that return stack traces, debug objects, or full request bodies to clients.

Real-world breaches in this category

2017

Equifax (147M records)

Sensitive consumer data was exfiltrated in part because of unencrypted internal traffic and credentials stored in plaintext on internal systems. Initial access was via an unpatched Apache Struts vulnerability (CWE-1352), but the impact was amplified by cryptographic failures downstream.

2022

LastPass (encrypted vault leak)

Encrypted password vaults were exfiltrated from a backup. Vault contents were protected by user master passwords. Master passwords with weak entropy and old (pre-2018) hashing iterations remained crackable offline.

Compliance impact

  • ·NIST 800-53 SC-13 Cryptographic Protection, IA-5 Authenticator Management
  • ·PCI-DSS v4.0 Req 3.6 Cryptographic key management, Req 8.3.2 Strong cryptography
  • ·HIPAA 164.312(a)(2)(iv) Encryption and Decryption, 164.312(e)(2)(ii) Encryption in transit
  • ·FedRAMP SC-13 Cryptographic Protection
  • ·GDPR Article 32 (pseudonymization, encryption)
A03Critical

Injection

Untrusted input interpreted as code or commands by a downstream interpreter.

What it is

Injection covers any vulnerability in which an attacker supplies data that the application then passes to an interpreter (SQL, shell, OS, expression engine, template, LDAP, XPath) without proper validation or parameterization. The interpreter executes the injected content, often granting the attacker the privileges of the application's identity in that subsystem. SQL injection in particular has appeared in every published OWASP Top 10 since the document's inception, and the broader injection category remains in the top tier despite three decades of industry awareness.

Common patterns

  • SQL queries built by string concatenation or template-string interpolation of user input.
  • Shell commands constructed from request parameters (filename, URL, hostname).
  • eval, new Function, or exec called with user-controlled strings.
  • NoSQL injection through MongoDB query operators accepted from request bodies ($where, $regex).
  • LDAP injection in directory queries built from user input.
  • XSS: HTML or JavaScript injected into pages via unsanitized output.

CWE guides Deva ships for A03

CWE-78OS Command Injection
CWE-79Cross-Site Scripting (XSS)
CWE-89SQL Injection
CWE-94Code Injection (eval, Function)

What Deva detects

Deva tracks data flow from request inputs through query builders, shell invocations, dynamic code paths, and template engines to identify cases where untrusted data reaches a sensitive sink without parameterization or sanitization. The rule pack covers language-specific patterns for Sequelize, Knex, Prisma raw, sqlx, pg, mysql2, psycopg2, SQLAlchemy text(), Django raw(), Active Record connection.execute(), JDBC PreparedStatement misuse, child_process variants in Node, subprocess in Python, Runtime.exec in Java, and JavaScript and Python eval surfaces.

Real-world breaches in this category

2008

Heartland Payment Systems (130M records)

SQL injection in a public-facing web form gave attackers a foothold that they expanded into the payment processing network. At the time it was the largest disclosed payment-card breach in US history.

2017

Apache Struts CVE-2017-5638 (multiple victims)

An expression-language injection vulnerability in Apache Struts allowed remote code execution. Equifax, Canadian government agencies, and others were compromised through the same flaw before patches were applied.

Compliance impact

  • ·NIST 800-53 SI-10 Information Input Validation
  • ·PCI-DSS v4.0 Req 6.2.4 Software engineering techniques
  • ·HIPAA 164.312(c)(1) Integrity controls
  • ·CMMC 2.0 SI.L2-3.14.1 Flaw remediation
A04High

Insecure Design

Architectural decisions that create vulnerabilities no amount of clean implementation can fix.

What it is

Insecure Design is the OWASP Top 10's recognition that some vulnerabilities are baked into the system before any line of code is written. It covers business logic flaws (rate limits that are not enforced, password reset flows that allow account takeover by design, file upload features that cannot be safely implemented), missing threat modeling, and reliance on user-supplied trust labels (privileged operations gated on a cookie value the client controls). Unlike injection or auth bugs, insecure design issues persist through code-level fixes because the design itself is the vulnerability.

Common patterns

  • File upload features without a viable threat model (allowed types, storage location, serving behavior).
  • Password reset flows that confirm reset based on knowledge of public information.
  • Rate limits enforced client-side, or applied per IP rather than per identity, or absent entirely.
  • Multi-tenant architectures that scope by request parameter rather than by the authenticated identity.
  • Privileged operations that rely on the absence of a UI link to remain undiscovered ('security by obscurity').
  • Workflows that assume an out-of-band step has occurred when it has not been verified.

CWE guides Deva ships for A04

CWE-434Unrestricted File Upload
CWE-502Insecure Deserialization (data integrity overlap)

What Deva detects

Insecure design is partly architectural and not fully detectable by code-level static analysis. Deva surfaces structural smells (file uploads without extension allowlists, missing rate limits on auth endpoints, absent CSRF tokens on state-changing routes) but cannot replace threat modeling. The Custom Compliance Framework Builder lets teams encode their own design rules (for example: every payment route must touch the audit log) so design intent is enforced at scan time.

Real-world breaches in this category

2019

Twitter SMS-based 2FA design

Twitter's design tied 2FA to phone numbers in a way that could be hijacked via SIM-swap attacks. The flaw was structural: any system that uses SMS as a second factor inherits SIM-swap risk. The design has since been deprecated industry-wide for high-value accounts.

2017

Equifax web portal credentials

An internal portal used 'admin' as both the username and password, an insecure-design pattern that bypassed any code-level authentication strength. Code review did not catch this because the choice was a configuration decision.

Compliance impact

  • ·NIST 800-53 SA-8 Security Engineering Principles, SA-11 Developer Security Testing
  • ·PCI-DSS v4.0 Req 6.2 Secure software development
  • ·CMMC 2.0 SA.L2-3.1.20 External system protections
A05High

Security Misconfiguration

Insecure defaults, unnecessary features, or misapplied permissions left in production.

What it is

Security misconfiguration covers any deployment state in which a system is exposed because of how it is configured, not because of how it is coded. Examples include cloud storage buckets with public-read access, debug endpoints reachable in production, default credentials never changed, XML parsers with external entities enabled, unnecessary features running on production hosts, and missing security headers (Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options). This category is broad and consistently sits in the OWASP Top 10 because configuration drift accumulates over time even on well-built systems.

Common patterns

  • S3, GCS, or Azure Blob storage with public-read or list-bucket permissions on private data.
  • XML parsers (lxml, DocumentBuilderFactory, XmlReader) instantiated without disabling external entities (XXE).
  • Verbose error pages or debug endpoints (DEBUG=True in Flask/Django, app.debug=true in Express) live in production.
  • Default credentials on databases, admin panels, or management interfaces.
  • Security headers missing or misconfigured: no HSTS, weak CSP, missing X-Frame-Options.
  • Cloud IAM policies with wildcard resources (Resource: *) on actions that should be scoped.

CWE guides Deva ships for A05

CWE-611XML External Entity (XXE)
CWE-200Sensitive Data Exposure (overlapping)

What Deva detects

Deva includes IaC scanning rules for Dockerfile, Kubernetes manifests, Terraform, and CloudFormation. The rule pack flags S3 buckets with PublicRead ACLs, IAM policies with Resource:'*', containers running as root, Kubernetes services without network policies, and missing security headers in framework configs. XML parser instantiations without secure-defaults arguments are reported per language. Debug-flag detectors flag production configs that leave verbose error handling enabled.

Real-world breaches in this category

2017

Verizon (14M records via S3)

A vendor-managed S3 bucket containing customer service call data was set to public read. The exposure was discovered during a routine third-party audit. The same pattern has been the root cause of dozens of large disclosures since 2017.

2020

Microsoft Power Apps (38M records)

Default OData API permissions on Microsoft Power Apps portals made customer data publicly queryable. The defaults were technically documented but not surfaced clearly to administrators, illustrating how misconfiguration risk shifts when the secure-by-default expectation is unmet.

Compliance impact

  • ·NIST 800-53 CM-6 Configuration Settings, CM-7 Least Functionality
  • ·PCI-DSS v4.0 Req 2.2 Secure configurations
  • ·CMMC 2.0 CM.L2-3.4.1 Baseline configuration, CM.L2-3.4.6 Least functionality
  • ·FedRAMP CM-6, CM-7
A06High

Vulnerable and Outdated Components

Open-source dependencies with known CVEs that ship to production.

What it is

Modern applications are dominated by third-party code: a typical Node.js web app depends transitively on thousands of npm packages, each of which may have published vulnerabilities. This category covers the use of components with known vulnerabilities, components that are no longer maintained, components patched downstream but not at your version, and components that should not be in the dependency graph at all (typosquatted lookalikes, malicious package supply-chain attacks). Software Composition Analysis (SCA) is the dedicated discipline.

Common patterns

  • Direct or transitive dependencies on packages with published CVEs and available patches.
  • Versions pinned to ranges (^1.2.3) that pull in compromised versions when an upstream account is hijacked.
  • Typosquatting: installing 'reactt' (typo) instead of 'react' and getting an attacker-controlled package.
  • Out-of-date container base images that ship known-vulnerable system libraries.
  • Use of packages whose maintainers have abandoned them, leaving published vulnerabilities unpatched.
  • License-non-compliant dependencies that block release on legal grounds (not strictly security, but the same scan surface).

CWE guides Deva ships for A06

CWE-1352Vulnerable and Outdated Components (composite)

What Deva detects

Deva's SCA layer maintains a 27,000+ CVE advisory catalog synced from NVD, GHSA, and OSV, cross-referenced against a 2,800+ package metadata catalog. Scans match every direct and transitive dependency against the catalog, surfacing CVE ID, severity, fix version, and reachability indicators. Container scans use the same CVE catalog applied to base image system packages. The dsc CLI runs SCA as a CI step alongside SAST.

Real-world breaches in this category

2017

Equifax (Apache Struts CVE-2017-5638)

Apache Struts had a published CVE with patches available for 60+ days when Equifax was breached through the same vulnerability. The disclosure stage was textbook A06: a known vulnerable component that was not updated.

2021

Log4Shell (CVE-2021-44228)

A remote code execution vulnerability in the ubiquitous Log4j logging library affected tens of thousands of organizations. The transitive nature of the dependency made it difficult to find: organizations did not always know they were using Log4j until they scanned for it.

2024

XZ Utils backdoor (CVE-2024-3094)

A multi-year social engineering campaign placed a backdoor in the upstream xz-utils compression library. The backdoor targeted SSH authentication on Linux systems. The supply-chain attack was caught by an unrelated performance regression before mass exploitation.

Compliance impact

  • ·NIST 800-53 RA-5 Vulnerability Monitoring, SI-2 Flaw Remediation
  • ·PCI-DSS v4.0 Req 6.3 Custom and third-party software vulnerabilities
  • ·HIPAA 164.308(a)(8) Evaluation
  • ·CMMC 2.0 RA.L2-3.11.2 Vulnerability scan, SI.L2-3.14.1 Flaw remediation
A07Critical

Identification and Authentication Failures

Weak, missing, or improperly implemented authentication.

What it is

This category (previously Broken Authentication) covers any failure to correctly verify the identity of an entity interacting with the application. Manifestations include missing authentication on critical functions, brute-forceable login flows, weak password policies, predictable session IDs, JWT validation that decodes but does not verify, and credential stuffing surface area without monitoring. Identification and authentication failures are the foundational weakness behind most disclosed account takeovers and an explicit control area in HIPAA, PCI-DSS, and CMMC.

Common patterns

  • Routes with no authentication middleware on sensitive paths (/admin, /internal, /debug).
  • JWT verification calls with verify:false, missing signing key, or accepting 'alg':'none'.
  • Login flows without rate limiting, account lockout, or CAPTCHA on repeated failures.
  • Password requirements that allow trivially-crackable choices ('a' or '12345').
  • Hardcoded API keys, DB passwords, or signing secrets in source.
  • Session IDs generated from predictable sources (timestamps, weak PRNG, sequential counters).

CWE guides Deva ships for A07

CWE-287Improper Authentication
CWE-306Missing Authentication for Critical Function
CWE-798Hardcoded Credentials

What Deva detects

Deva flags routes whose path suggests sensitivity (admin, internal, debug, dashboard) and that lack any authentication middleware in their chain. The scanner detects JWT.verify with verify:false, signing-key references that resolve to literal short strings, password comparison without constant-time helpers, and session ID generation using Math.random or other weak sources. Hardcoded credential detectors run continuously in the IDE and as a CI step.

Real-world breaches in this category

2021

Colonial Pipeline ransomware

Initial access was a leaked legacy VPN password reused from another breach. The VPN account remained active despite being unused, and 2FA was not enforced on it. The ransom payment was ultimately around 4.4 million USD.

2020

SolarWinds Orion supply chain attack

Attackers planted credentials in the build pipeline through which Orion updates were signed. Although the proximate cause was build-system compromise (A08), the broader weakness was that build-system access was not subject to phishing-resistant authentication.

Compliance impact

  • ·NIST 800-53 IA-2 Identification and Authentication
  • ·PCI-DSS v4.0 Req 8.3 Strong authentication, Req 8.4 Multi-factor authentication
  • ·HIPAA 164.312(d) Person or Entity Authentication, 164.308(a)(5) Security Awareness Training
  • ·CMMC 2.0 IA.L2-3.5.1 Identify users
A08High

Software and Data Integrity Failures

Code or data accepted from untrusted sources without integrity verification.

What it is

Software and data integrity failures cover any path by which untrusted code or data flows into a trust boundary without verification. Examples include insecure deserialization (where an attacker-controlled byte stream is reconstructed into application objects), CI/CD pipelines that trust unauthenticated artifact sources, auto-update mechanisms that fetch updates over insecure channels, and dependencies installed from registries without integrity hashes. The SolarWinds Orion supply-chain attack is the canonical real-world example.

Common patterns

  • Python pickle.load on data from HTTP requests, message queues, or cache backends.
  • Java ObjectInputStream.readObject on data from network sources (gadget-chain RCE).
  • .NET BinaryFormatter on attacker-controlled bytes.
  • PHP unserialize on cookie or query-string values.
  • CI/CD steps that fetch scripts from URLs without hash pinning or signature verification.
  • Package installations without lockfile or integrity-hash verification.

CWE guides Deva ships for A08

CWE-502Insecure Deserialization

What Deva detects

Deva flags every call site that deserializes data via a format capable of arbitrary class instantiation (pickle, ObjectInputStream, BinaryFormatter, NetDataContractSerializer, PHP unserialize, Ruby Marshal, YAML.load without SafeLoader). Findings include the upstream data source and a suggested format alternative (JSON, MessagePack, Protobuf) that does not deserialize into application objects.

Real-world breaches in this category

2020

SolarWinds Orion (multiple victims)

Attackers gained access to SolarWinds' build pipeline and injected malicious code into Orion update packages. The packages were signed with SolarWinds' legitimate signing key and distributed through the normal update channel. Thousands of organizations including US federal agencies installed the trojaned updates.

2015

Apache Commons Collections deserialization (multiple victims)

Discovery of gadget chains in widely-used Java libraries (Apache Commons Collections, Spring AOP) enabled reliable remote code execution against any application that deserialized Java objects from network sources. The class of exploit affected JBoss, WebSphere, WebLogic, and Jenkins among many other Java applications.

Compliance impact

  • ·NIST 800-53 SI-7 Software, Firmware, and Information Integrity
  • ·PCI-DSS v4.0 Req 6.5.5 Improper error handling and data integrity
  • ·CMMC 2.0 SI.L2-3.14.1 Flaw remediation, SI.L2-3.14.4 Update protections
A09Medium

Security Logging and Monitoring Failures

Attacks succeed undetected because the application does not log enough or the team does not look.

What it is

Security logging and monitoring failures cover any gap in the observability stack that lets an attack progress undetected. Common manifestations include missing logs on auth events, logs that are written but never reviewed, log storage that the attacker can also reach, log formats that lose attribution detail (no user ID, no source IP), and detection rules that exist but are not tuned. The 2021 OWASP edition added this category explicitly because it is the difference between a breach that is contained in hours and one that goes undetected for months. The mean dwell time of an undetected breach is over 200 days.

Common patterns

  • Authentication and authorization decisions logged at INFO without source IP, user ID, or correlation ID.
  • Failed login attempts not logged at all, or logged without enough metadata to detect credential stuffing.
  • Privilege changes, role assignments, or permission grants not audit-logged.
  • Application logs stored in the same blast radius as the application (attacker who compromises the app also tampers with the logs).
  • Log retention shorter than the typical breach dwell time.
  • Alerts wired to channels (email, low-priority Slack) that are not acted on.

What Deva detects

Deva includes a configurable rule pack that flags state-changing operations (privilege changes, financial transactions, permission grants, data exports) where no audit-log write is present in the same function. The rule is intentionally tunable: not every state change needs an audit log, but most regulated operations do. The compliance frameworks for HIPAA, PCI-DSS, and SOX all impose specific logging requirements that this rule pack maps to.

Real-world breaches in this category

2013

Target (40M payment cards)

The intrusion was detected by Target's FireEye sensors and reported into a malware management console. The alerts were not acted on for two weeks while attackers exfiltrated payment data. The technical detection succeeded; the operational response failed.

2023

MOVEit Transfer (CL0P campaign)

CL0P exploited a zero-day in MOVEit Transfer (CVE-2023-34362) and exfiltrated data from hundreds of organizations. Many victims discovered the breach weeks later via extortion notices because logging in MOVEit did not surface the anomalous SQL injection patterns the campaign used.

Compliance impact

  • ·NIST 800-53 AU-2 Event Logging, AU-12 Audit Record Generation
  • ·PCI-DSS v4.0 Req 10 Logging and monitoring
  • ·HIPAA 164.312(b) Audit Controls
  • ·SOX Section 404 (audit trail integrity)
  • ·CMMC 2.0 AU.L2-3.3.1 Audit logs, AU.L2-3.3.5 Audit correlation
A10High

Server-Side Request Forgery (SSRF)

An application fetches a URL supplied by an attacker, becoming a proxy for internal-network access.

What it is

Server-Side Request Forgery is new to the OWASP Top 10 in 2021 because the rise of cloud computing made it disproportionately dangerous. An application that fetches a URL the user controls becomes an attacker-controlled proxy: the request leaves the attacker's machine but originates from inside the application's network. In cloud environments, this lets the attacker reach cloud-metadata services (AWS IMDS, GCP metadata) that hand out IAM credentials to local-network callers, internal databases, admin interfaces, and other services not exposed to the public internet.

Common patterns

  • User-supplied URLs passed to fetch, axios, requests, urlopen, http.Client.Do.
  • Image, document, or video preview features that fetch URLs the user provides.
  • Webhook delivery to user-configured destinations without allowlist validation.
  • Server-side OAuth or OpenID Connect discovery fetches against attacker-supplied issuer URLs.
  • PDF generation or screenshot services where the user supplies the URL to render.
  • XML External Entity attacks pivoting to SSRF via SYSTEM URL entities.

CWE guides Deva ships for A10

CWE-918Server-Side Request Forgery
CWE-611XML External Entity (often pivots to SSRF)

What Deva detects

Deva tracks request inputs to URL-fetch sinks across language ecosystems (fetch, axios, http.request, java.net.URL.openConnection, RestTemplate.exchange, requests.get, urllib.request.urlopen, http.Client.Do). The scanner reports findings when the URL traces back to a user-controlled source without passing through a recognized allowlist, DNS resolution check, or dedicated egress proxy. IMDS-specific addresses (169.254.169.254, metadata.google.internal) are called out in fix recommendations.

Real-world breaches in this category

2019

Capital One (100M records)

A WAF misconfiguration combined with SSRF allowed an attacker to reach the AWS Instance Metadata Service (IMDS) from inside the company's network. The exposed IMDS endpoint handed out temporary IAM credentials that could read 30+ S3 buckets containing credit application data. The combined cost (settlements, regulatory penalties, incident response) exceeded 270 million USD.

2022

GitLab CVE-2022-2884

An SSRF vulnerability in GitLab's GitHub import functionality let attackers force a server-side fetch to internal addresses, including the local Redis instance, which they then used to gain remote code execution.

Compliance impact

  • ·NIST 800-53 SC-7 Boundary Protection, SI-10 Information Input Validation
  • ·PCI-DSS v4.0 Req 1.3 Network segmentation
  • ·CMMC 2.0 SC.L2-3.13.1 Communications protection

Note on the 2025 draft: OWASP published a 2025 Top 10 draft in late 2024 with significant restructuring (Insecure Design moved to A02, new LLM-specific category at A10). Deva's compliance preset covers both 2021 and 2025 categories. See the 2025 draft analysis blog post for the technical breakdown.

Citation note: OWASP Top 10 category descriptions and rankings are maintained by the OWASP Foundation under Creative Commons licensing. The breach summaries and Deva-specific detection details on this page are written by the Deva Security Team. Direct-link to any category via /owasp#a01-broken-access-control.