Maintained by the OWASP Foundation, the OWASP Top Ten is a regularly reviewed and refreshed list of the web's leading security threats. The OWASP Foundation launched the project in 2003. Since then, this list has been updated every three to four years to keep pace with evolving attack methods and risks—based on input from a community of leading security researchers.
Traditionally, the OWASP Top Ten has primarily covered threats against web applications. However, the project has expanded to include the OWASP Top 10 API Security Risks. The rising popularity of APIs and microservices necessitated this as attackers shifted their sights accordingly.
The OWASP Top Ten gets its data by categorizing common weakness enumeration entries gathered by the MITRE Corporation (which is funded by the US government) into broader categories of vulnerabilities.
Each OWASP list offers a detailed description of each threat, alongside a specific code and associated year. OWASP regularly tracks any threat trends from one update cycle to the next, including any ranking changes, emerging threats, and naming changes. Overall, these rankings help web app and API developers make targeted hardening efforts against their biggest infrastructure risks. It's widely used as an industry standard.
Does HAProxy follow the OWASP Top Ten guidelines?
Yes! As the next-gen application security platform, HAProxy is committed to counteracting the leading threats against web applications and APIs. Our multi-layered security measures counteract DDoS/DoS attacks, cross-site scripting (XSS), SQL injection (SQLi), and many other threats. The HAProxy Enterprise WAF also includes a OWASP CRS compatibility mode based on these guidelines.
To learn more about the OWASP Top Ten and security in HAProxy, check out our web application firewall solution page or our HAProxy Enterprise 2.9 announcement blog.