Security Guide

OWASP Top 10 2025 — Complete Guide for SMEs

The ten most critical web application security risks explained in plain language, with actionable remediation steps for small and medium businesses. No enterprise budget required.

What is the OWASP Top 10?

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. Their flagship publication, the OWASP Top 10, catalogs the ten most critical security risks facing web applications. First published in 2003, it has become the de facto standard for web application security awareness.

The 2025 edition builds on data from over 500,000 applications and contributions from hundreds of security experts. For SMEs, these risks are not theoretical — they represent the exact attack vectors used in the majority of real-world breaches. According to Verizon's 2024 Data Breach Investigations Report, 83% of breaches involved external actors exploiting web application vulnerabilities that map directly to the OWASP Top 10.

A01: Broken Access Control

What it is: Access control enforces policies so users cannot act outside their intended permissions. When these controls fail, attackers can view other users' data, modify records, or escalate privileges to administrator level.

Real-world impact: In 2023, a major Australian telecommunications company exposed 10 million customer records due to a broken API endpoint that did not verify the requester's identity. The attacker simply iterated through customer IDs in the URL. The average cost of a broken access control breach is $4.35 million (IBM Cost of a Data Breach Report 2024).

How to check: Test whether authenticated users can access resources belonging to other users by modifying URL parameters, API request bodies, or cookies. Verify that administrative functions are inaccessible to regular users.

How to fix: Implement server-side access control checks on every request. Use deny-by-default policies. Enforce record ownership at the database query level (e.g., always filter by authenticated user ID). Disable directory listing and ensure metadata files (.git, .env) are not accessible.
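The two fixes that matter most here, deny-by-default permissions and ownership enforced inside the query, are easier to see in code than in prose. The following is an added example written for this guide, not code from OWASP or from any product; the invoice table, roles and action names are hypothetical, and the in-memory array stands in for a real database query that would carry the same ownership filter in its WHERE clause.

```javascript
// Added example (not from the guide): deny-by-default permission checks plus
// record ownership enforced inside the data lookup. All names and data are
// hypothetical; the array stands in for a database table.
const invoices = [
  { id: 1, ownerId: 'alice', total: 120 },
  { id: 2, ownerId: 'bob', total: 75 },
  { id: 3, ownerId: 'alice', total: 300 },
];

// Permission table. Any (role, action) pair that is not listed is denied,
// so an unknown role or a typo in an action name fails closed.
const PERMISSIONS = {
  user: new Set(['invoice:read', 'invoice:update']),
  admin: new Set(['invoice:read', 'invoice:update', 'invoice:delete', 'report:read']),
};

function can(user, action) {
  const granted = PERMISSIONS[user.role];
  return granted !== undefined && granted.has(action);
}

// Vulnerable shape (the pattern in the telecom breach above): the lookup
// trusts the id taken from the URL and never ties it to the requester, so
// iterating ids returns every customer's record.
function getInvoiceInsecure(user, id) {
  return invoices.find((inv) => inv.id === id) ?? null;
}

// Fixed shape: the permission check runs first, and the ownership condition is
// part of the query itself. A record the caller does not own looks identical
// to a record that does not exist, so responses do not confirm valid ids.
function getInvoice(user, id) {
  if (!can(user, 'invoice:read')) return { status: 403, body: null };
  const row = invoices.find(
    (inv) => inv.id === id && (user.role === 'admin' || inv.ownerId === user.id),
  );
  return row ? { status: 200, body: row } : { status: 404, body: null };
}

// Administrative function, gated by the same deny-by-default table rather
// than by hiding the link in the UI.
function invoiceReport(user) {
  if (!can(user, 'report:read')) return { status: 403, body: null };
  const total = invoices.reduce((sum, inv) => sum + inv.total, 0);
  return { status: 200, body: { count: invoices.length, total } };
}

const mallory = { id: 'mallory', role: 'user' };
console.log('insecure lookup:', getInvoiceInsecure(mallory, 1)); // leaks alice's invoice
console.log('fixed lookup:   ', getInvoice(mallory, 1));         // { status: 404, body: null }
console.log('admin report:   ', invoiceReport(mallory));         // { status: 403, body: null }
```

Returning 404 rather than 403 for a record the caller does not own is deliberate: the "How to check" step above relies on the fact that a forged ID either works or does not, and a distinct "forbidden" answer would tell an attacker which IDs exist.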

A02: Cryptographic Failures

What it is: Previously called "Sensitive Data Exposure," this category covers failures in cryptography that lead to exposure of sensitive data. This includes transmitting data in cleartext, using deprecated algorithms (MD5, SHA1 for passwords), weak key generation, and improper certificate validation.

Real-world impact: The 2024 MOVEit breach affected over 2,600 organizations because of inadequate encryption of data at rest. Healthcare organizations are particularly vulnerable: HIPAA violations from cryptographic failures have resulted in fines exceeding $10 million.

How to check: Verify that all data in transit uses TLS 1.2 or higher. Check that passwords are hashed with bcrypt, scrypt, or Argon2. Ensure no sensitive data is stored in cleartext in databases or logs. Scan for expired or self-signed certificates.

How to fix: Enforce HTTPS everywhere with HSTS headers (including subdomains). Use modern hashing algorithms for passwords. Encrypt sensitive data at rest using AES-256. Rotate encryption keys periodically. Never log sensitive data such as passwords, tokens, or credit card numbers.

A03: Injection

What it is: Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. SQL injection, NoSQL injection, OS command injection, and LDAP injection are the most common variants. Cross-site scripting (XSS) is also categorized here in the 2025 edition.

Real-world impact: SQL injection remains the most exploited vulnerability class. The 2024 Fortra GoAnywhere breach used a deserialization injection to compromise over 130 organizations. XSS attacks accounted for 27% of all web application vulnerabilities reported in 2024 (HackerOne Annual Report).

How to check: Test all user inputs (forms, URL parameters, headers, cookies) with injection payloads. Use automated scanners to detect reflected and stored XSS. Verify that API endpoints reject unexpected data types.

How to fix: Use parameterized queries or prepared statements exclusively — never concatenate user input into queries. Validate and sanitize all input server-side with strict schemas (Zod, Joi). Implement Content Security Policy (CSP) headers to mitigate XSS. Use ORMs with built-in parameterization (Prisma, Drizzle).

A04: Insecure Design

What it is: A new category introduced in 2021, insecure design refers to flaws in the architecture and design of an application that cannot be fixed by implementation alone. This includes missing threat modeling, insecure business logic, and lack of defense-in-depth.

Real-world impact: A European fintech lost €2.3 million when attackers exploited a business logic flaw in their payment flow — the application allowed negative transaction amounts, effectively enabling attackers to transfer money to themselves. No amount of input validation would have caught this without proper threat modeling.

How to check: Review application architecture for defense-in-depth. Verify that security requirements were defined before development. Check for rate limiting on critical functions (login, password reset, payment). Assess whether threat modeling was performed.

How to fix: Integrate security from the design phase. Perform threat modeling using STRIDE or PASTA methodologies. Define abuse cases alongside use cases. Implement rate limiting, circuit breakers, and transaction limits. Separate tenants and trust levels architecturally.

A05: Security Misconfiguration

What it is: The most commonly observed issue in the wild. This includes default credentials, open cloud storage, unnecessary features enabled, incomplete setups, overly permissive CORS, missing security headers, and verbose error messages that expose stack traces.

Real-world impact: In 2024, thousands of organizations were breached through misconfigured S3 buckets, exposed Docker APIs, and default Kubernetes dashboard credentials. Microsoft's 2024 security report found that 80% of cloud breaches stemmed from misconfigurations, not zero-day exploits.

How to check: Scan for missing security headers (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Content-Security-Policy, Permissions-Policy). Test for default credentials. Verify error pages do not leak stack traces or internal paths. Check that unnecessary HTTP methods (TRACE, OPTIONS) are disabled.

How to fix: Implement a hardening checklist for every deployment. Set comprehensive security headers. Disable directory listing, default accounts, and debug modes in production. Use infrastructure-as-code to enforce consistent configurations. Automate configuration audits with tools like WarDek.
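Both the check step (scan for missing headers) and the fix step (set a comprehensive header set) can be expressed as a small piece of code that a team can run in CI against its own responses. This is an added example written for this guide, not WarDek's scanner or any project's configuration; the header values and the thresholds (a one-year HSTS max-age, includeSubDomains required) are illustrative choices.

```javascript
// Added example (not from the guide): a baseline security header set and an
// audit that reports missing, weak and stack-revealing headers. Values and
// thresholds are assumptions for illustration.
const ONE_YEAR = 31536000;

// Apply on every response, e.g. for (const [k, v] of Object.entries(recommendedHeaders())) res.setHeader(k, v)
function recommendedHeaders() {
  return {
    'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains`,
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
}

// Each required header has a predicate that returns true for an acceptable value.
const REQUIRED = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= ONE_YEAR && /includesubdomains/i.test(v);
  },
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'x-frame-options': (v) => /^(deny|sameorigin)$/i.test(v.trim()),
  'content-security-policy': (v) => /default-src/i.test(v),
  'permissions-policy': (v) => v.trim().length > 0,
  'referrer-policy': (v) => v.trim().length > 0,
};

// Headers that fingerprint the stack; they belong with the verbose error
// messages this category warns about.
const LEAKY = ['server', 'x-powered-by', 'x-aspnet-version'];

// `headers` is a plain object as returned by res.getHeaders() or built from a
// fetch() Response; header names are matched case-insensitively.
function auditHeaders(headers) {
  const present = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const result = { missing: [], weak: [], leaking: [] };
  for (const [name, acceptable] of Object.entries(REQUIRED)) {
    if (!present.has(name)) result.missing.push(name);
    else if (!acceptable(present.get(name))) result.weak.push(name);
  }
  for (const name of LEAKY) if (present.has(name)) result.leaking.push(name);
  result.pass = result.missing.length === 0 && result.weak.length === 0 && result.leaking.length === 0;
  return result;
}

// Constructed sample: a typical untouched Express-behind-nginx response.
console.log(auditHeaders({
  Server: 'nginx/1.25.3',
  'X-Powered-By': 'Express',
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOWALL',
}));
```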

A06: Vulnerable and Outdated Components

What it is: Applications that use libraries, frameworks, or other software modules with known vulnerabilities. This includes unpatched operating systems, web servers, database management systems, and APIs, as well as every library, framework, and other module the application itself depends on.

Real-world impact: The Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j affected millions of applications worldwide. In 2024, critical vulnerabilities in XZ Utils (CVE-2024-3094) demonstrated how supply chain attacks through open-source dependencies can compromise entire ecosystems. Synopsys reported that 84% of codebases contain at least one known vulnerability in open-source components.

How to check: Maintain a software bill of materials (SBOM). Run dependency audits regularly (npm audit, pip-audit, Trivy). Monitor vulnerability databases (NVD, GitHub Advisory Database) for components in use. Verify that no end-of-life components are deployed.

How to fix: Automate dependency updates with tools like Dependabot or Renovate. Remove unused dependencies. Subscribe to security advisories for critical components. Pin exact dependency versions in production. Test updates in staging before deployment.

A07: Identification and Authentication Failures

What it is: Weaknesses in authentication mechanisms that allow attackers to compromise passwords or session tokens, or to exploit implementation flaws to assume other users' identities. This includes credential stuffing, brute force attacks, weak password policies, and improper session management.

Real-world impact: Credential stuffing attacks cost businesses an estimated $6 billion annually (Akamai 2024 State of the Internet Report). The 23andMe breach in 2023 compromised 6.9 million user profiles through credential stuffing with credentials leaked from other breaches.

How to check: Test for weak password policies (minimum length, complexity). Verify account lockout after failed attempts. Check that session tokens are invalidated on logout. Test for session fixation and insecure session storage. Verify multi-factor authentication is available.

How to fix: Implement multi-factor authentication (MFA). Use established authentication libraries (Better Auth, NextAuth, Auth0). Enforce strong password policies (minimum 12 characters). Rate limit login attempts. Invalidate sessions on password change. Store session tokens in HttpOnly, Secure cookies.

A08: Software and Data Integrity Failures

What it is: Code and infrastructure that does not protect against integrity violations. This includes applying software updates without verifying them, insecure CI/CD pipelines, and deserialization of untrusted data. Supply chain attacks fall squarely in this category.

Real-world impact: The SolarWinds breach (2020) and the Codecov bash uploader compromise (2021) are textbook examples of supply chain attacks. In 2024, the XZ Utils backdoor (CVE-2024-3094) showed that even core Linux utilities can be compromised through social engineering of maintainers. These attacks affect thousands of downstream organizations simultaneously.

How to check: Verify that software updates are delivered through signed channels. Check CI/CD pipelines for unsigned scripts or dependencies pulled without integrity verification. Audit Subresource Integrity (SRI) for externally loaded scripts and stylesheets.

How to fix: Verify digital signatures on all software updates. Implement Subresource Integrity (SRI) hashes for CDN-hosted assets. Secure CI/CD pipelines with signed commits and protected branches. Use lockfiles and verify checksums for dependencies. Avoid deserializing untrusted data.

A09: Security Logging and Monitoring Failures

What it is: Insufficient logging, detection, monitoring, and active response. Without adequate logging, breaches cannot be detected, and without monitoring, logged events are never reviewed. The average time to identify a breach is 204 days (IBM 2024), largely due to inadequate monitoring.

Real-world impact: The Equifax breach went undetected for 78 days despite the intrusion being visible in logs that nobody reviewed. Organizations with proper security monitoring detect breaches 68 days faster on average, reducing the cost by $1.76 million (IBM 2024).

How to check: Verify that login attempts (successful and failed) are logged. Check that access control failures generate alerts. Ensure logs are stored securely and cannot be tampered with. Verify that log data is retained for a sufficient period (minimum 90 days, preferably 12 months).

How to fix: Log all authentication events, access control failures, and server-side input validation failures. Use structured logging (JSON format) for machine-readable analysis. Implement alerting for suspicious patterns (multiple failed logins, privilege escalation attempts). Store logs centrally with tamper protection. Never log sensitive data (passwords, tokens, PII).
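Structured logging and alerting on "multiple failed logins" are both small enough to show end to end. The following is an added example written for this guide, not code from any SIEM or logging library; the log lines are constructed, and the field names, the five-failure threshold and the five-minute window are assumptions to adjust for your own traffic.

```javascript
// Added example (not from the guide): a JSON-lines logger that redacts secret
// fields, and a detector that replays log lines to find bursts of failed
// logins from one address. Log lines are constructed; names and thresholds
// are assumptions.
const SENSITIVE_KEYS = new Set(['password', 'token', 'authorization', 'cookie', 'secret']);

// One JSON object per line: easy to ship to a central store and to query.
function logEvent(event, now = () => new Date()) {
  const safe = {};
  for (const [key, value] of Object.entries(event)) {
    safe[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : value;
  }
  return JSON.stringify({ ts: now().toISOString(), ...safe });
}

// Constructed sample log: six failures from one address in under two minutes
// across six different accounts, two unrelated failures from another address,
// and one normal login.
const SAMPLE_LOG = [
  '{"ts":"2025-01-10T08:00:01Z","event":"login_failed","user":"alice","ip":"203.0.113.7"}',
  '{"ts":"2025-01-10T08:00:15Z","event":"login_failed","user":"bob","ip":"203.0.113.7"}',
  '{"ts":"2025-01-10T08:00:20Z","event":"login_ok","user":"carol","ip":"198.51.100.5"}',
  '{"ts":"2025-01-10T08:00:31Z","event":"login_failed","user":"carol","ip":"203.0.113.7"}',
  '{"ts":"2025-01-10T08:00:44Z","event":"login_failed","user":"dave","ip":"203.0.113.7"}',
  '{"ts":"2025-01-10T08:01:02Z","event":"login_failed","user":"erin","ip":"203.0.113.7"}',
  '{"ts":"2025-01-10T08:01:20Z","event":"login_failed","user":"dave","ip":"198.51.100.5"}',
  '{"ts":"2025-01-10T08:01:30Z","event":"login_failed","user":"frank","ip":"203.0.113.7"}',
  '{"ts":"2025-01-10T08:05:00Z","event":"login_failed","user":"dave","ip":"198.51.100.5"}',
].join('\n');

// Sliding-window rule: `threshold` failures from the same ip within `windowMs`
// raise one alert for that ip. Many distinct usernames in one alert is the
// signature of credential stuffing rather than of a forgotten password.
function detectFailedLoginBursts(logText, { threshold = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const events = logText.split('\n').filter(Boolean)
    .map((line) => JSON.parse(line))
    .filter((e) => e.event === 'login_failed')
    .map((e) => ({ ...e, t: Date.parse(e.ts) }))
    .sort((a, b) => a.t - b.t);
  const windows = new Map(); // ip -> events still inside the window
  const alerted = new Set();
  const alerts = [];
  for (const e of events) {
    const recent = (windows.get(e.ip) ?? []).filter((x) => e.t - x.t < windowMs);
    recent.push(e);
    windows.set(e.ip, recent);
    if (recent.length >= threshold && !alerted.has(e.ip)) {
      alerted.add(e.ip);
      alerts.push({
        ip: e.ip,
        count: recent.length,
        distinctUsers: new Set(recent.map((x) => x.user)).size,
        from: recent[0].ts,
        to: e.ts,
      });
    }
  }
  return alerts;
}

console.log(logEvent({ event: 'login_failed', user: 'alice', password: 'hunter2', ip: '203.0.113.7' }));
console.log(detectFailedLoginBursts(SAMPLE_LOG));
```

The redaction list is a safety net, not a substitute for never passing secrets to the logger in the first place; the detector is the kind of rule that belongs in whatever central log store you choose, running continuously rather than on demand.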

A10: Server-Side Request Forgery (SSRF)

What it is: SSRF flaws occur when a web application fetches a remote resource without validating the user-supplied URL. Attackers can force the server to make requests to internal services, cloud metadata endpoints, or external systems, often bypassing firewalls and access controls.

Real-world impact: The Capital One breach (2019) exploited an SSRF vulnerability to access AWS metadata and steal 100 million customer records. In cloud environments, SSRF is particularly dangerous because the cloud metadata endpoint (169.254.169.254) provides access to IAM credentials, which can be used to access any cloud resource the instance is permitted to reach.

How to check: Test all URL input fields for SSRF by submitting internal addresses (127.0.0.1, 169.254.169.254, internal hostnames). Check whether the application follows redirects that resolve to internal addresses. Verify that DNS rebinding protection is in place.

How to fix: Validate and sanitize all URLs on the server side. Implement allowlists for permitted domains and protocols. Block requests to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints. Disable HTTP redirects or validate redirect targets. Use network segmentation to limit server egress traffic.

Why SMEs Are Especially Vulnerable

Small and medium enterprises face a disproportionate security challenge. While they hold valuable customer data and process financial transactions, they typically lack dedicated security teams. According to the 2024 Hiscox Cyber Readiness Report:

  • 43% of cyberattacks target small businesses
  • 60% of SMEs that suffer a breach close within 6 months
  • The average breach cost for an SME is $108,000
  • Only 14% of SMEs have a formal incident response plan

The good news is that addressing the OWASP Top 10 eliminates the vast majority of attack surface. Most vulnerabilities in these categories can be detected automatically and fixed with configuration changes or minor code updates — no six-figure security budget required.

Getting Started with OWASP Compliance

The most effective approach for SMEs is to start with automated scanning to identify the most critical issues, then prioritize fixes based on risk. Here is a practical three-step approach:

  1. Scan: Run an automated security scan to identify missing headers, TLS issues, vulnerable components, and common misconfigurations. This covers A02, A05, A06, and partially A03 and A10.
  2. Fix critical issues first: Address security headers, enable HTTPS with HSTS, update vulnerable dependencies, and review authentication configuration. These are typically configuration changes that take hours, not weeks.
  3. Build security into your process: Integrate automated scanning into your CI/CD pipeline, schedule regular dependency updates, and conduct quarterly security reviews. Prevention is always cheaper than remediation.

Scan Your Site for OWASP Vulnerabilities

WarDek checks your website against the OWASP Top 10 in seconds. Get a detailed report with prioritized remediation steps — free for your first scan.