OWASP Top 10 for SME owners
If you have a website or customer portal, this is the list.
Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.
The OWASP Top 10 is the recognised industry list of common web-app security risks. The original is written for developers. This version is for the business owner paying for the website — each entry ends with three questions you can put to your developer.
A01
Can the wrong person on your website see or change the wrong data?
OWASP A01: Broken access control
A02
Is sensitive data scrambled properly when it's stored or sent?
OWASP A02: Cryptographic failures
A03
Can someone trick your website into running their own commands?
OWASP A03: Injection
A04
Was the website designed to handle attack, or just good behaviour?
OWASP A04: Insecure design
A05
Are your servers and tools properly locked down?
OWASP A05: Security misconfiguration
A06
Is your website built on software with known holes?
OWASP A06: Vulnerable and outdated components
A07
Is your login system actually secure?
OWASP A07: Identification and authentication failures
A08
Can someone tamper with your software or data updates without you noticing?
OWASP A08: Software and data integrity failures
A09
Would you know if your website was being attacked?
OWASP A09: Security logging and monitoring failures
A10
Can someone use your website as a proxy to reach private systems?
OWASP A10: Server-Side Request Forgery (SSRF)