Application Security
OWASP Top 10 (2021)
1. Broken Access Control
Risk: Users accessing unauthorized resources.
Prevention:
- •Deny by default
- •Implement RBAC/ABAC
- •Validate permissions server-side
- •Log access failures
2. Cryptographic Failures
Risk: Sensitive data exposure.
Prevention:
- •Encrypt data at rest and in transit
- •Use strong algorithms (AES-256, RSA-2048+)
- •Never store passwords in plaintext
- •Use secure key management
3. Injection
Risk: Malicious input executed as code.
Prevention:
typescript
// BAD - SQL injection
const query = `SELECT * FROM users WHERE id = ${userId}`;
// GOOD - Parameterized query
const query = 'SELECT * FROM users WHERE id = $1';
db.query(query, [userId]);
4. Insecure Design
Risk: Missing security controls by design.
Prevention:
- •Threat modeling
- •Security requirements
- •Defense in depth
5. Security Misconfiguration
Risk: Default or weak configuration.
Prevention:
- •Disable unnecessary features
- •Remove default credentials
- •Keep software updated
- •Harden server configuration
6. Vulnerable Components
Risk: Using libraries with known vulnerabilities.
Prevention:
- •Regular dependency audits
- •Keep dependencies updated
- •Monitor CVE databases
7. Authentication Failures
Risk: Weak or broken authentication.
Prevention:
- •Multi-factor authentication
- •Strong password policies
- •Secure session management
- •Rate limiting on login
8. Software & Data Integrity
Risk: Untrusted sources for updates.
Prevention:
- •Verify code signatures
- •Use SRI for CDN resources
- •Secure CI/CD pipeline
9. Logging & Monitoring Failures
Risk: Attacks go undetected.
Prevention:
- •Log security events
- •Monitor for anomalies
- •Alert on suspicious activity
10. Server-Side Request Forgery
Risk: Server makes requests to unintended destinations.
Prevention:
- •Validate URLs
- •Use allowlists
- •Block internal IPs