OWASP Top 10
A01: Broken Access Control
Attackers can access unauthorized data or functions due to missing or misconfigured access control. Pen testing can find issues, but Infrastructure as Code (IaC) and secure coding practices help prevent them. Use MFA and lock down administrative controls.
A02: Cryptographic Failures
Hardcoded credentials, weak keys, or outdated algorithms expose sensitive data. Scan code and configuration for secrets, and encrypt data in transit and at rest.
A03: Injection
SQL injection, OS command injection, and cross-site scripting (XSS) are injection flaws: untrusted input reaches an interpreter and changes what it executes. Use parameterized queries and validate and sanitize inputs.
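Added example (not part of the original page) showing why parameterized queries are the fix for SQL injection: a lookup that concatenates user input into SQL sits beside the same lookup with the value bound as a parameter. The users table and its three rows are constructed for the example; SQLite's in-memory database is used so it runs offline.

```python
import sqlite3

# Constructed sample data for the example: a tiny users table.
SAMPLE_USERS = [("alice", "user"), ("bob", "user"), ("carol", "admin")]


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the input is pasted into the SQL text, so a quote character
    in the input changes the structure of the query the database runs."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Hardened: the value is bound as a parameter. The driver sends it as data,
    so the database never interprets its contents as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"          # input that a legitimate username never contains
    print("vulnerable:", lookup_vulnerable(db, crafted))  # returns every user
    print("safe:      ", lookup_safe(db, crafted))        # returns no rows
```

The same rule applies to every interpreter, not just SQL: keep untrusted data out of the text that is parsed as code, and pass it through an API that carries it separately (bound parameters, argument arrays instead of shell strings, output encoding for HTML).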
A04: Insecure Design
Insecure design comes from poor threat modeling or lack of secure patterns. Use secure SDLC, train developers, and apply secure design principles.
A05: Security Misconfiguration
Insecure defaults, verbose errors, and overly permissive settings are common. Regular hardening, reviews, and IaC scanning help reduce risk.
A06: Vulnerable and Outdated Components
Outdated libraries and dependencies introduce risk. Use a Software Bill of Materials (SBOM) and software composition analysis tools such as Veracode SCA to track and update them.
A07: Identification and Authentication Failures
Poor authentication or session handling leads to unauthorized access. Prevent brute force, implement MFA, and follow secure credential handling.
A08: Software and Data Integrity Failures
CI/CD pipelines and third-party components can introduce malicious code. Secure the build and analyze components with SCA tools.
A09: Security Logging and Monitoring Failures
Without good logging, breaches go undetected. Use alerting, centralized logging, and test your detection mechanisms regularly.
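Added example (not from the original page) serving both A07 and A09: a small detection that reads authentication log lines and raises an alert when one source address accumulates a threshold of failed logins inside a time window, which is the kind of rule worth running and testing regularly against centralized logs. The syslog-like line format, the threshold of five failures in five minutes, and the log lines themselves (using documentation address ranges) are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real logs): one source address fails
# repeatedly, another fails once and logs in once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:05Z sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:09Z sshd: Accepted password for bob from 203.0.113.9
2024-05-01T10:00:12Z sshd: Failed password for admin from 198.51.100.7
2024-05-01T10:00:20Z sshd: Failed password for root from 198.51.100.7
2024-05-01T10:00:31Z sshd: Failed password for carol from 203.0.113.9
2024-05-01T10:00:40Z sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:55Z sshd: Failed password for alice from 198.51.100.7
"""

# Assumed line format for the example: "<timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line):
    """Return (timestamp, failed, user, ip) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2) == "Failed", m.group(3), m.group(4)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window rule: alert when an ip reaches `threshold` failed logins
    within `window`. Returns a list of (ip, time_of_alert, failure_count)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # unparseable lines are skipped, not fatal
            continue
        ts, failed, _user, ip = parsed
        if not failed:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ip, ts, len(q)))
            q.clear()             # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for ip, when, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when.isoformat()} {count} failed logins from {ip}")
```

Feeding a known-bad sample like this through the rule is the "test your detection mechanisms" step: if the alert does not fire on constructed input, it will not fire during a real incident either. The same counts can drive the A07 mitigation (rate limiting or lockout for the offending source) once they are exposed as a signal.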
A10: Server-Side Request Forgery (SSRF)
SSRF occurs when an application fetches a URL taken from user input without validating it, so the server can be made to request destinations the developer never intended. Validate the input, allowlist permitted destinations, and verify each outbound request against that allowlist before sending it.