Scan Salesforce Guest User Logs

OWASP Top 10 Updated for 2021, with Broken Access Control Now #1

OWASP-102021-01-Blog

The Open Web Application Security Project, or OWASP, recently released the 2021 Top 10 web application security threats. It’s the first update since 2017 and there were some significant changes, including some categories being combined and threats shifting in order of criticality. Two things jumped out at us, with context from OWASP:

  • Broken Access Control moved up from the fifth position to #1, as the most serious web application security risk. 94% of applications were tested for some form of broken access control. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.
  • Security Misconfiguration moved up from #6 to #5. OWASP found that 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up.


We’ve recognized for years that both of these are underappreciated and critical risks. While it’s not good news that they continue to be among the top 10 web app security threats, OWASP’s updated list is a huge validation of the philosophy and focus of AppOmni.

The shared responsibility model for SaaS security is essential knowledge and practice for all organizations but doesn’t get the recognition it deserves. Some organizations just may not be aware that security is incumbent on both them and their SaaS vendors: The vendors have a responsibility to deliver a secure platform, and the customer has a responsibility to secure their data. It’s a tall order to manage configurations and secure data on multiple SaaS platforms, and that’s where AppOmni can help.

Check out this post on The Daily Swig for more perspective on the OWASP Top 10 update. And sign up for a free AppOmni Risk Assessment to learn more about your SaaS security posture and risks.

Brendan O’Connor
CEO and Co-founder, AppOmni