
Where is the new one-page infographic mentioned on the project page? #660

Open
schlenk opened this issue Oct 29, 2021 · 4 comments

@schlenk

schlenk commented Oct 29, 2021

The project page https://owasp.org/Top10/ mentions:

The OWASP Top 10 2021 is all-new, with a new graphic design and an available one-page infographic you can print or obtain from our home page.

But the mentioned infographic isn't linked, and some searches did not turn up anything.

Is this still missing or just missing the proper link?
Where can it be found?

@dneville-cvs

I'm also wondering this...

@zbain

zbain commented Jun 21, 2022

Same, it doesn't seem to exist? There doesn't seem to be a good way of sharing 2021's list internally except to just pitch them to the blog posting announcing it.

@dneville-cvs

Wound up making my own one-pager (mostly copy/pasted from elsewhere, I take no credit). Leaving it here in case it's useful for anyone else finding this thread.

OWASP Top 10 (2021)

A01:2021 – Broken Access Control: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.

A02:2021 – Cryptographic Failures: The focus is on failures related to cryptography (or lack thereof), which often lead to exposure of sensitive data. The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws.

A03:2021 – Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A04:2021 – Insecure Design: Risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures. A secure design can still have implementation defects leading to vulnerabilities that may be exploited. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks.

A05:2021 – Security Misconfiguration: Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Without a concerted, repeatable application security configuration process, systems are at a higher risk.

A06:2021 – Vulnerable and Outdated Components: You are likely vulnerable if you do not know the versions of all components you use (both client-side and server-side) or if you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This includes components you directly use as well as nested dependencies.

A07:2021 – Identification and Authentication Failures: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

A08:2021 – Software and Data Integrity Failures: Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An application might rely upon plugins from untrusted sources or CDNs, or it might have an insecure CI/CD process, or the auto-update functionality might download and apply updates without sufficient integrity verification.

A09:2021 – Security Logging and Monitoring Failures: This category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Also, you are vulnerable to information leakage if your logging and alerting events are visible to a user or an attacker.

A10:2021 – Server-Side Request Forgery (SSRF): SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
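As an added illustration of the A03:2021 – Injection entry in the one-pager above (this is example code written for this thread, not part of the comment, the OWASP Top 10 project, or its documentation), the following Python shows the same login lookup written two ways against an in-memory SQLite table with constructed sample users. The first splices untrusted input into the query text, so the SQL parser treats the data as part of the command; the second binds the input as a parameter, so it can only ever be compared as a value. The table name, column names and sample rows are all assumptions made for this example.

```python
import sqlite3

# Constructed sample data for this example only (not from the issue thread).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """A03-style defect: untrusted data becomes part of the SQL text.

    Whatever the caller supplies is handed to the interpreter as query
    structure, so input containing quotes and operators changes the
    meaning of the WHERE clause instead of being compared as a string.
    """
    sql = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Hardened form: the query text is fixed and inputs are bound as values.

    The driver sends the SQL and the parameters separately, so the parser
    never sees the input as code. The same input that alters the vulnerable
    query simply fails to match any row here.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare(name: str, password: str) -> dict:
    """Run one input through both variants so the difference is visible side by side."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, name, password),
        "parameterized": login_parameterized(conn, name, password),
    }


if __name__ == "__main__":
    # A legitimate login matches exactly one row in both variants.
    print(compare("alice", "s3cret"))
    # A string built from quotes and an OR operator (constructed test input)
    # rewrites the vulnerable query into a tautology and returns every user,
    # while the parameterized query correctly returns nothing.
    print(compare("alice", "' OR '1'='1"))
```

The detection-side takeaway is the same one the A03 entry makes: the defect is structural (string building), so code review and static analysis that flag any non-constant SQL text are more reliable than trying to enumerate bad inputs. Real-world passwords would also be stored hashed rather than compared in SQL; the plain-text column is kept here only to keep the injection contrast minimal.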

@fcerullo-cycubix

6 participants