- #owasp
- #security
- #small-business
- #web-basics
The OWASP Top Ten in plain English
All ten OWASP categories in one honest sentence each, with examples that could happen to a real shop on Main Street. No jargon walls.

Security advice for websites usually arrives buried in jargon. Someone says "OWASP Top Ten" and half the room nods without knowing what any of the ten are. So here is the whole list in plain English, one honest sentence each, with examples that could happen to a real business on Main Street.
First, what OWASP is
OWASP is a nonprofit that studies how web applications actually get broken into. Every few years it publishes a ranked list of the ten most common categories of weakness. The list is free, vendor neutral, and it is the closest thing web security has to a shared vocabulary. I am studying for Security+ and eJPT right now, and this list shows up in both. If you build websites, or you pay someone who does, it is worth ten minutes.
One caveat before the list. The Top Ten is a map of common risk, not a checklist that makes you safe. You can address all ten and still get burned by something dumb like a reused password. It improves your odds. It does not zero them.
The ten, in plain English
1. Broken access control. The site lets people do things they should not be able to do. Example: a booking page where changing /appointments/482 to /appointments/483 in the address bar shows you a stranger's name and phone number.
2. Cryptographic failures. Sensitive data gets stored or sent without real protection. Example: a landscaper's quote form that submits over plain http, so the customer's address and gate code cross the coffee shop wifi readable to anyone listening.
3. Injection. The site treats what a user typed as instructions instead of plain text. Example: someone puts a snippet of database code in the name box of a contact form and the site runs it. This is one classic way a customer list walks out the door.
4. Insecure design. The plan was broken before anyone wrote a line of code. Example: restaurant gift cards numbered 1001, 1002, 1003, so guessing valid card numbers is just counting.
5. Security misconfiguration. The software is fine but the settings are not. Example: an admin login still on the default password, or a cloud storage folder left public with a dog groomer's whole client spreadsheet inside.
6. Vulnerable and outdated components. You inherit every hole in every plugin and library you use. Example: a five year old WordPress plugin on a salon site with a known exploit that bots scan for around the clock.
7. Identification and authentication failures. The site cannot reliably tell who is who. Example: no limit on login attempts, so a bot quietly tries ten thousand passwords against your admin page overnight.
8. Software and data integrity failures. The site trusts code and updates it never verifies. Example: your page loads a script from someone else's server, that server gets compromised, and now every visitor to your menu page runs an attacker's code.
9. Logging and monitoring failures. Nobody is watching, so break-ins go unnoticed for months. Example: a shop owner learns about card skimming code on their checkout page from a customer's bank, ninety days after it landed.
10. Server-side request forgery. An attacker tricks your server into fetching things on their behalf. Example: a paste-a-URL-to-preview feature that gets pointed at internal systems the attacker could never reach directly. A plain brochure site rarely has this one. It matters when your server fetches URLs that users hand it.
What this means for a small local site
Most local business sites are a few pages and a contact form. That is a small attack surface, and it is a real advantage. The categories that bite small sites hardest are numbers 5, 6, and 7: bad settings, stale plugins, and weak logins. Three moves cover a lot of ground:
- Turn on HTTPS everywhere and check that the padlock shows on every page, not just the homepage.
- If the site runs on WordPress or a page builder, update it monthly and delete every plugin you do not use.
- Put a long unique password and two-factor login on the admin panel and on your domain registrar account.
When I build client sites I lean static wherever I can. My first client site, a nail salon here in Heber City, is static pages with no database and no admin panel. Fewer moving parts means most of this list has nothing to grab. The tradeoff is fewer features. There is no online booking system, so appointments happen over WhatsApp. For a small salon, that trade is worth it.
I am not certified in anything yet. I am a developer studying Security+ and eJPT, and the Top Ten is the ground floor both exams stand on. You do not need a cert to check the basics on your own site, and you do not have to do it alone either. If you run a local business site and want to know where you stand, I do a free 24-hour audit, three real findings, yours to keep either way. Start at /audit.
community rating
$ ls ./comments
sign in or create an account to rate and comment.
no comments yet, be first.