Application Security

OWASP Top 10 (2021)

1. Broken Access Control

Risk: Users accessing unauthorized resources.

Prevention:

• Deny by default
• Implement RBAC/ABAC
• Validate permissions server-side
• Log access failures

2. Cryptographic Failures

Risk: Sensitive data exposure.

Prevention:

• Encrypt data at rest and in transit
• Use strong algorithms (AES-256, RSA-2048+)
• Never store passwords in plaintext
• Use secure key management

3. Injection

Risk: Malicious input executed as code.

Prevention:

// BAD - SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// GOOD - Parameterized query
const query = 'SELECT * FROM users WHERE id = $1';
db.query(query, [userId]);

4. Insecure Design

Risk: Missing security controls by design.

Prevention:

• Threat modeling
• Security requirements
• Defense in depth

5. Security Misconfiguration

Risk: Default or weak configuration.

Prevention:

• Disable unnecessary features
• Remove default credentials
• Keep software updated
• Harden server configuration

6. Vulnerable Components

Risk: Using libraries with known vulnerabilities.

Prevention:

• Regular dependency audits
• Keep dependencies updated
• Monitor CVE databases

7. Authentication Failures

Risk: Weak or broken authentication.

Prevention:

• Multi-factor authentication
• Strong password policies
• Secure session management
• Rate limiting on login

8. Software & Data Integrity

Risk: Untrusted sources for updates.

Prevention:

• Verify code signatures
• Use SRI for CDN resources
• Secure CI/CD pipeline

9. Logging & Monitoring Failures

Risk: Attacks go undetected.

Prevention:

• Log security events
• Monitor for anomalies
• Alert on suspicious activity

10. Server-Side Request Forgery

Risk: Server makes requests to unintended destinations.

Prevention:

• Validate URLs
• Use allowlists
• Block internal IPs