Application Security
OWASP Top 10 (2021)
- Broken Access Control
Risk: Users accessing unauthorized resources.
Prevention:
-
Deny by default
-
Implement RBAC/ABAC
-
Validate permissions server-side
-
Log access failures
- Cryptographic Failures
Risk: Sensitive data exposure.
Prevention:
-
Encrypt data at rest and in transit
-
Use strong algorithms (AES-256, RSA-2048+)
-
Never store passwords in plaintext
-
Use secure key management
- Injection
Risk: Malicious input executed as code.
Prevention:
// BAD - SQL injection
const query = SELECT * FROM users WHERE id = ${userId};
// GOOD - Parameterized query const query = 'SELECT * FROM users WHERE id = $1'; db.query(query, [userId]);
- Insecure Design
Risk: Missing security controls by design.
Prevention:
-
Threat modeling
-
Security requirements
-
Defense in depth
- Security Misconfiguration
Risk: Default or weak configuration.
Prevention:
-
Disable unnecessary features
-
Remove default credentials
-
Keep software updated
-
Harden server configuration
- Vulnerable Components
Risk: Using libraries with known vulnerabilities.
Prevention:
-
Regular dependency audits
-
Keep dependencies updated
-
Monitor CVE databases
- Authentication Failures
Risk: Weak or broken authentication.
Prevention:
-
Multi-factor authentication
-
Strong password policies
-
Secure session management
-
Rate limiting on login
- Software & Data Integrity
Risk: Untrusted sources for updates.
Prevention:
-
Verify code signatures
-
Use SRI for CDN resources
-
Secure CI/CD pipeline
- Logging & Monitoring Failures
Risk: Attacks go undetected.
Prevention:
-
Log security events
-
Monitor for anomalies
-
Alert on suspicious activity
- Server-Side Request Forgery
Risk: Server makes requests to unintended destinations.
Prevention:
-
Validate URLs
-
Use allowlists
-
Block internal IPs