The OWASP Top 10 is a widely recognized list of the most critical web application security risks, published by OWASP (the Open Worldwide Application Security Project). It is an essential awareness resource for understanding the common vulnerabilities that developers must defend against.
What the OWASP Top 10 is
A regularly-updated list of the TOP 10 most critical web app security risks:
→ based on real-world data and expert consensus
→ a standard AWARENESS document — the baseline of vulnerabilities to know and prevent
→ not exhaustive, but the most important/common risks to address first
Categories (latest OWASP Top 10)
1. BROKEN ACCESS CONTROL → users accessing what they shouldn't (authorization flaws)
2. CRYPTOGRAPHIC FAILURES → weak/missing encryption; exposed sensitive data
3. INJECTION → SQL injection, command injection (untrusted input as code/queries)
4. INSECURE DESIGN → security flaws in the design itself
5. SECURITY MISCONFIGURATION → insecure defaults, exposed settings, verbose errors
6. VULNERABLE/OUTDATED COMPONENTS → using libraries with known vulnerabilities
7. AUTHENTICATION FAILURES → weak auth, broken session management
8. DATA INTEGRITY FAILURES → insecure deserialization, untrusted updates (supply chain)
9. LOGGING/MONITORING FAILURES → can't detect/respond to attacks
10. SSRF → server-side request forgery (server tricked into making requests)
