What is the OWASP Top 10 and why should you care?

If you’re struggling to know where to start with Secure by Design, there are few better places than the OWASP Top 10 – but what is it and why does it matter?

01 – Who is OWASP, and why does it exist?

The Open Worldwide Application Security Project (thankfully shortened to OWASP) is a non-profit, open community dedicated to improving software security.

Since its founding in 2001, OWASP has provided free tools, documentation, and resources to help organisations build, maintain, and manage secure applications.

With tens of thousands of members worldwide, OWASP is one of the most respected voices in application security – the exact reason we based our first assessments at Perceptive on their guides.

02 – What is the OWASP Top 10, and why was it created?

The Top 10 for web applications, one of OWASP’s most impactful contributions, is a report, refreshed every three to four years, that highlights the ten most critical security risks in web applications.

Its goals are simple:

  • Raise awareness of the most pressing vulnerabilities affecting modern web apps.
  • Provide actionable guidance to help organisations mitigate those risks.
  • Standardise security best practices, making it easier for teams to prioritise threats effectively.

Compiled by security experts from around the world, the Top 10 is based on real-world data and expert consensus, ranking risks by frequency, severity, and potential impact.

03 – Why does the OWASP Top 10 matter for Secure by Design?

Adopting the OWASP Top 10 isn’t just about risk reduction – it’s about baking security into your software development lifecycle (SDLC), which is a cornerstone of a proactive secure-by-design approach.

The Top 10, and more broadly a proactive approach to security:

  • Strengthens security culture, by educating developers, QA teams, and stakeholders on real-world vulnerabilities.
  • Drives secure coding practices, by helping engineering teams write more resilient software from the outset.
  • Enhances regulatory compliance, since many security standards (e.g. PCI DSS, ISO 27001) reference or align with the OWASP Top 10 principles.
  • Prioritises security efforts, by guiding teams to focus on high-impact vulnerabilities rather than getting lost in minor issues.
  • Demonstrates industry best practice: many auditors and security professionals view adherence to the OWASP Top 10 as a baseline indicator of security maturity.

Ultimately, the Top 10 isn’t just a list – it’s a roadmap for building secure applications. One caveat worth keeping in mind: OWASP itself positions the Top 10 as an awareness document rather than an exhaustive checklist, so covering all ten categories is a starting point for Secure by Design, not proof that an application is secure.

You can probably see why we picked it for our first Perceptive assessment now 😉

Over the coming month, in future posts, we’re going to deep dive into each of the Top 10 to help with your Secure by Design endeavours, so make sure to follow along!

Posted 04 Mar 25

Secure by Design

A monthly digest of useful info about Secure by Design – what it is, why it matters, and tips on proactive security.


Logical Peak Ltd. ©