VulnTrack Research
Industry Standards
Dec 8, 2024 (10 min read)

Navigating the OWASP Top 10: 2024 Perspectives

VulnTrack Research, Security Operations

The OWASP Top 10 represents a broad consensus on the most critical security risks to web applications. Understanding these risks is fundamental for any security program.

A01:2021 – Broken Access Control

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data.

Key Defenses:

  • Deny by default.
  • Implement access control mechanisms once and re-use them throughout the application.
  • Log all access control failures.
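The three defenses above in one small server-side authorization layer, as an added example that is not part of the original article: a single policy table that every handler consults (deny by default, implemented once and re-used), with every denial recorded. The User and Document types, the roles and the policy rules are constructed for illustration.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("authz")
AUDIT_LOG = []  # in-memory record of denials; a real app would ship these to SIEM

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int

def _owner_or_admin(user, doc):
    # Ownership check prevents a logged-in user from reading someone else's record
    return "admin" in user.roles or user.id == doc.owner_id

# The only place permissions are defined. (action, resource type) -> grant rule.
# Anything not listed here is denied, so new actions are closed until a rule exists.
POLICY = {
    ("read", Document): _owner_or_admin,
    ("delete", Document): lambda user, doc: "admin" in user.roles,
}

def authorize(user, action, resource):
    """Deny by default: access is granted only by an explicit matching rule."""
    rule = POLICY.get((action, type(resource)))
    allowed = bool(rule is not None and rule(user, resource))
    if not allowed:
        record = {"user": user.id, "action": action,
                  "resource": f"{type(resource).__name__}#{resource.id}"}
        AUDIT_LOG.append(record)          # failures are always logged, never silent
        log.warning("access denied: %s", record)
    return allowed

def view_document(user, doc):
    # Every handler goes through the same authorize() call rather than its own check
    if not authorize(user, "read", doc):
        raise PermissionError("forbidden")
    return {"id": doc.id, "owner": doc.owner_id}
```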

A02:2021 – Cryptographic Failures

Previously known as "Sensitive Data Exposure," this category focuses on failures related to cryptography, which often lead to sensitive data exposure or system compromise.

Key Defenses:

  • Encrypt all sensitive data at rest.
  • Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
  • Disable caching for responses that contain sensitive data.

A03:2021 – Injection

Injection occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Key Defenses:

  • Use a safe API, which provides a parameterized interface, or migrate to the use of Object Relational Mapping Tools (ORMs).
  • Use positive or "whitelist" server-side input validation.

A04:2021 – Insecure Design

This is a new category for 2021, focusing on risks related to design flaws. If the industry wants to "shift left," that calls for more use of threat modeling, secure design patterns, and reference architectures.

Distinction: An insecure design cannot be fixed by a perfect implementation because, by definition, the needed security controls were never created to defend against the specific attacks in question.

A05:2021 – Security Misconfiguration

This is generally the result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.

Key Defenses:

  • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down.
  • A segmented application architecture that provides effective, secure separation between components.

Conclusion

Adhering to the OWASP Top 10 is the baseline for web application security. Modern frameworks (like Next.js) often provide built-in protections against several of these classes (like XSS), but logical flaws such as Broken Access Control generally require careful manual implementation and testing.
