The OWASP Top 10 is intended as an awareness tool to help raise visibility of web app. security issues.<p>I'd agree with the article that it gets misused (a lot) as some kind of checklist that, if you apply, you can have a "secure" application.<p>Ironically OWASP has several other great projects that are designed to provide methodologies to improve application security like ASVS <a href="https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project" rel="nofollow">https://www.owasp.org/index.php/Category:OWASP_Application_S...</a> and, at a more organizational level, OWASP SAMM <a href="https://owaspsamm.org/" rel="nofollow">https://owaspsamm.org/</a>.<p>Where I do feel some frustration with this article is where, to me, it feels like it's suggesting that "shift left security" (the idea that security activities should take place earlier in the development lifecycle) is in any way a new concept.<p>The idea of doing more application security work early in the development process has been around at least 20 years and probably more.<p>Instead of having new buzzwords for it, to try and make it more attractive, I'd be much more interested in a study of <i>why</i> after all this time it's still not uncommon to see a first security touchpoint for a project be a penetration test done 2 weeks before go-live.