Guest: Steve Winterfeld (LinkedIn)
Company: Akamai
Show Name: Secure By Design
Topic: Security
Security teams are constantly outgunned — too many threats, too little budget. The question isn’t whether to act, it’s where to act first. According to Steve Winterfeld, Advisory CISO at Akamai, the answer has existed since 2001, and it still holds up today.
That answer is OWASP.
The Open Worldwide Application Security Project is a volunteer-driven, open-source community that has spent more than two decades distilling the most exploited vulnerabilities in software into focused, actionable Top 10 lists. With over 30,000 volunteers and 60 chapters across the globe, it’s one of the most trusted resources in enterprise security — and one that Winterfeld says every security professional should be actively using.
The premise is straightforward: if you know which vulnerabilities attackers exploit most often, and you eliminate those, you have dramatically reduced your exposure. “As a CIO, I have a $10 budget and $20 worth of problems,” Winterfeld explained. “If you can fix 10 vulnerabilities — just 10 — these are the ones you should fix, because these are the most common techniques used by hackers. You’re taking out over 50% of attacks by addressing just those 10.”
The original OWASP Top 10 focused on web application security risks. It was so comprehensive that it remained largely unchanged for over a decade — a sign, Winterfeld notes, of both its thoroughness and the stubborn persistence of foundational vulnerabilities. But the threat landscape has changed dramatically, and so has OWASP’s scope.
A Top 10 list for API security followed, reflecting the rapid proliferation of APIs as a primary attack surface. That list was revised after just a couple of years as the threat patterns evolved. Then came a Top 10 for large language models — updated after just one year — and now a separate list specifically for generative AI. The distinction matters: generative AI answers questions, while agentic AI makes decisions. Both carry unique risks, and OWASP has begun addressing them separately.
Winterfeld emphasized that the value of OWASP extends well beyond the web application list most security teams are familiar with. There are over a dozen specialized lists, covering mobile applications, low-code environments, and Internet of Things devices. There are also cheat sheets — practical, ready-to-use references for developers and security engineers working under time pressure.
For Akamai, the alignment is direct. The company’s web application firewall, API firewall, and generative AI firewall are all built around the same principle that OWASP codifies: understanding attacker behavior to block it at the edge. Winterfeld and his team regularly reference OWASP data in Akamai’s State of the Internet cybersecurity reports.
The community angle is one Winterfeld is especially enthusiastic about. For security professionals looking to build skills or expand their networks, finding a local OWASP chapter is a practical starting point. Volunteering with the project offers hands-on experience with real vulnerability research — the kind of work that shows up on a resume and in real-world security posture.
The message for security leaders is clear: OWASP is not a compliance checkbox or a one-time audit reference. It’s a living, evolving resource built by practitioners for practitioners — one that continues to expand as new technology surfaces bring new risk profiles. The investment to engage with it is low. The return, as Winterfeld frames it, can be enormous.