
OWASP Top 10: Ten Common Web Application Vulnerabilities and Defenses

Focused summary of all OWASP Top 10 vulnerabilities and practical defense recommendations for development.

The OWASP Top 10 is the leading reference summarizing the ten most common and critical risk categories in web applications. Familiarity with them helps development teams understand where to focus attention, how to plan defenses and which mechanisms to choose. The document is updated periodically; below is a focused summary with emphasis on defense.

A01:2021 – Broken Access Control: users gaining access to resources or actions they are not authorized for. Defense: consistent authentication and authorization on every endpoint, authorization checks enforced on the server side (not only in the UI), never treating an object ID taken from the URL as sufficient to grant access to another user's resource (IDOR), and a restrictive CORS policy with deny-by-default authorization.
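The server-side ownership check described above, as an added example that is not part of the original article: an IDOR-prone lookup that trusts the ID in the URL sits beside a deny-by-default version that checks the authenticated caller on every call. The invoice store, user IDs and the "support" role are constructed for the demonstration.

```python
# Added example (not from the article): deny-by-default object access for an
# invoice endpoint. The data store, user IDs and the "support" role are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=40.0),
    102: Invoice(102, owner_id=2, amount=99.0),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_invoice_insecure(invoice_id: int) -> Invoice:
    """IDOR-prone: trusts the ID taken from the URL and never asks who is calling."""
    return INVOICES[invoice_id]


def get_invoice(invoice_id: int, user_id: int, roles: frozenset = frozenset()) -> Invoice:
    """Server-side authorization on every call: the record is returned only when the
    authenticated user owns it or holds an explicit 'support' role. A missing record
    and someone else's record produce the same error, so the endpoint does not
    reveal which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice.owner_id != user_id and "support" not in roles):
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def can_read(invoice_id: int, user_id: int, roles: frozenset = frozenset()) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        get_invoice(invoice_id, user_id, roles)
    except Forbidden:
        return False
    return True
```

The point of the second function is that the decision is made from the session's identity and the record's owner, not from anything the client sent; the UI can hide links all it wants, but only this check actually stops user 1 from reading invoice 102.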

A02:2021 – Cryptographic Failures: failure to protect sensitive data (weak encryption, obsolete algorithms, or no encryption at all). Defense: encryption in transit (TLS) and at rest, modern algorithms (not MD5 or SHA-1 for security purposes), centralized key management, and not storing sensitive data that is not required.

A03:2021 – Injection: injection of code or commands – SQL, NoSQL, OS command, LDAP. Defense: parameterized queries / prepared statements, a safe ORM, input validation and sanitization, and execution with minimal permissions. Never pass untrusted input directly to eval, exec or string-built queries.
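The difference between string-built and parameterized queries, as an added example that is not from the original article: both functions run against a constructed in-memory SQLite table, and only the first lets the input change the statement's structure.

```python
# Added example (not from the article): string-built vs parameterized SQL.
# The users table and its rows are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string formatting: the input becomes part of the SQL,
    so a quote in the input can rewrite the WHERE clause."""
    rows = conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def find_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver passes the value separately from the
    statement, so the input is only ever compared as a literal name."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]
```

The same shape applies to any driver or ORM: the query text stays constant and every user-controlled value travels as a bound parameter. Input validation is still worth doing, but it is the parameter binding that removes the injection, not the validation.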

A04:2021 – Insecure Design: vulnerabilities rooted in the design itself (no threat modeling, security requirements never made explicit). Defense: build security into requirements and architecture, perform threat modeling, and apply defense-in-depth mechanisms.

A05:2021 – Security Misconfiguration: insecure configuration – dangerous defaults, verbose error messages, missing security headers, or unapplied updates. Defense: hardening of servers and frameworks, removing unnecessary services, setting security headers (CSP, HSTS, X-Frame-Options), and automated configuration scans.

A06:2021 – Vulnerable and Outdated Components: use of libraries or components with known vulnerabilities. Defense: dependency management (dependency checking, SCA), regular updates, removal of unused dependencies, and CI integration that blocks or alerts on known CVEs.

A07:2021 – Identification and Authentication Failures: authentication weaknesses – weak passwords, session fixation, no MFA. Defense: a password policy, MFA where possible, secure session management (secure cookie flags, session timeout), and protection against brute force and credential stuffing.
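An added example, not from the original article, that serves both A02 and A07: passwords are stored as salted PBKDF2-HMAC-SHA256 digests rather than bare MD5/SHA-1 hashes, verification uses a constant-time comparison, and a login service locks an account after repeated failures. The iteration count, lockout threshold and window are constructed values for the demonstration.

```python
# Added example (not from the article). Work factor, lockout threshold and window
# are constructed values; tune them to current OWASP guidance for production.
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000   # kept low for the demo; production uses far more
MAX_FAILURES = 5              # failures before the account is temporarily locked
LOCKOUT_SECONDS = 900         # lockout window (15 minutes)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 instead of a bare MD5/SHA-1 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)   # constant-time comparison


# Dummy record so unknown usernames cost the same time as real ones.
_DUMMY = hash_password("not-a-real-password")


class LoginService:
    def __init__(self, clock=time.monotonic):
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> (count, time of first failure)
        self._clock = clock   # injectable so tests can move time forward

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def _locked(self, username: str) -> bool:
        count, since = self._failures.get(username, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self._clock() - since >= LOCKOUT_SECONDS:
            del self._failures[username]   # window expired, start over
            return False
        return True

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'denied'. Unknown users and wrong passwords get
        the same answer so the endpoint does not reveal valid usernames."""
        if self._locked(username):
            return "locked"
        salt, digest = self._users.get(username, _DUMMY)
        if verify_password(password, salt, digest) and username in self._users:
            self._failures.pop(username, None)
            return "ok"
        count, since = self._failures.get(username, (0, self._clock()))
        self._failures[username] = (count + 1, since)
        return "denied"
```

Per-account lockout alone does not stop credential stuffing, which spreads one attempt over many accounts; pair it with per-source rate limiting and MFA, as the item above recommends.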

A08:2021 – Software and Data Integrity Failures: unverified changes to code or data – unsigned updates, deserialization of untrusted input. Defense: sign artifacts, verify checksums, and accept serialized data only from trusted, verified sources.
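One way to enforce the "verify before deserializing" rule, as an added example that is not from the original article: a payload is serialized as JSON, tagged with an HMAC, and on the receiving side the tag is checked before any parsing happens. The key and the payloads are constructed; a real deployment loads the key from a secret store.

```python
# Added example (not from the article): integrity check before deserialization.
# The key and payloads are constructed; a real deployment loads the key from a secret store.
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def sign(payload: dict, key: bytes) -> str:
    """Serialize with JSON (never pickle for data that crosses a trust boundary)
    and attach an HMAC-SHA256 tag over the exact bytes that will be parsed."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def load_verified(token: str, key: bytes) -> dict:
    """Verify the tag first; only data that passes is deserialized at all."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:               # binascii.Error is a ValueError too
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(body)
```

The same pattern, with a public-key signature instead of an HMAC, is what signed update artifacts and checksum verification implement: the consumer checks the signature over the bytes it is about to load, not metadata beside them.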

A09:2021 – Security Logging and Monitoring Failures: lack of logging or monitoring, which hinders attack detection and response. Defense: log authentication events, access to sensitive data and errors; protect logs from tampering; monitor and alert on suspicious events.
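Detection logic run over authentication logs, as an added example that is not from the original article: the parser and the sliding-window rule flag a source address that produces many login failures in a short time, and report how many distinct accounts it touched. The log format, timestamps, usernames and addresses are constructed for the demonstration.

```python
# Added example (not from the article): detection logic over constructed auth log
# lines. The log format, IPs and usernames are invented for the demonstration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth login_failed user=alice src=203.0.113.7
2024-05-01T10:00:03Z auth login_failed user=bob src=203.0.113.7
2024-05-01T10:00:05Z auth login_failed user=carol src=203.0.113.7
2024-05-01T10:00:08Z auth login_failed user=dave src=203.0.113.7
2024-05-01T10:00:11Z auth login_failed user=erin src=203.0.113.7
2024-05-01T10:00:14Z auth login_failed user=frank src=203.0.113.7
2024-05-01T10:00:20Z auth login_ok user=alice src=198.51.100.5
2024-05-01T10:02:00Z auth login_failed user=alice src=198.51.100.5
2024-05-01T10:02:30Z auth login_failed user=alice src=198.51.100.5
2024-05-01T10:30:00Z auth login_failed user=alice src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts with a parsed timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect_brute_force(events, window=timedelta(minutes=5), threshold=5) -> dict:
    """Flag each source IP with >= threshold login failures inside any sliding window.
    Returns {src: (failures_in_window, distinct_accounts)}: many distinct accounts
    from one source is the credential-stuffing signature, one account is brute force."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n >= threshold:
                users = len({e["user"] for e in fails[start:end + 1]})
                alerts[src] = max(alerts.get(src, (0, 0)), (n, users))
    return alerts
```

A rule like this only works if the application actually emits the `login_failed` event with the source address and the account, which is the logging half of the item above; the monitoring half is shipping these alerts somewhere a person or a SOAR playbook will act on them.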

A10:2021 – Server-Side Request Forgery (SSRF): tricking the server into making requests to URLs the attacker specifies. Defense: validation and an allowlist of destinations, never letting user input form the full URL, and network segmentation for internal services.
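The allowlist validation described above, as an added example that is not from the original article: an outbound URL is accepted only if its scheme is http(s), it carries no embedded credentials, its host is on a fixed allowlist, and the host resolves to a globally routable address. The allowlist, host names and the resolver used in the test are constructed.

```python
# Added example (not from the article): outbound-URL validation against an allowlist
# with a DNS check. Host names, addresses and the allowlist are constructed.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "images.example"}


def default_resolver(host: str) -> list:
    """Resolve through the system resolver; tests substitute a fake one."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def resolves_only_to_public(host: str, resolver=default_resolver) -> bool:
    """Reject hosts that resolve to loopback, private, link-local or other
    non-routable ranges, even when the name itself is allowlisted."""
    try:
        addrs = resolver(host)
    except OSError:
        return False
    if not addrs:
        return False
    return all(
        ipaddress.ip_address(a).is_global and not ipaddress.ip_address(a).is_multicast
        for a in addrs
    )


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver) -> str:
    """Return the URL if the server may fetch it, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname            # already lower-cased, IPv6 brackets removed
    if host is None or host not in allowed_hosts:
        raise ValueError("host not in allowlist")
    if not resolves_only_to_public(host, resolver):
        raise ValueError("host resolves to a non-public address")
    return url
```

Two caveats for real use: the address checked here can change between validation and connection (DNS rebinding), so the HTTP client should connect to the address that was validated rather than resolving again; and redirects must be re-validated, since a permitted host can redirect to a forbidden one. Both are why the item above also recommends network segmentation as a second layer.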

Integration into the process: OWASP-based security reviews during planning and sprints; automated scans (SAST/DAST/SCA) in CI; team training. Tracking the latest Top 10 version (the document is updated periodically) keeps the practice relevant.

In summary: the OWASP Top 10 provides a list of risks and defenses. Integrating it into the process – training, code review, automated scans and hardening – reduces risk and improves application resilience. It is recommended to follow the latest version of the document (OWASP.org).
