Secure-by-Default Patterns
Framework Selection Secure-by-default frameworks prevent entire vulnerability classes. Framework selection is most impactful security decision. Auto-escaping templating engines prevent XSS by default. Manual escaping is error-prone. Built-in CSRF token generation and validation prevents CSRF. CSRF protection should be automatic. Typed query builders and ORMs prevent SQL injection. Parameterized queries should be default. Strict Content Security Policy (CSP) limits XSS impact. CSP should be enforced by framework. CI/CD Security Gates Security rules should be encoded in CI/CD pipelines. Automation ensures consistent enforcement. Linters catch common security mistakes. Linting should block commits. SAST (Static Application Security Testing) finds vulnerabilities in code. SAST should block builds. DAST (Dynamic Application Security Testing) tests running applications. DAST should block deployments. Dependency allow-lists prevent malicious packages. Allow-lists should be enforced. Secret scanners prevent credential leaks. Scanning should block commits. Runtime Protections Web Application Firewalls (WAF) block common attacks. WAF provides defense-in-depth. Runtime Application Self-Protection (RASP) detects and blocks attacks from within application. RASP provides context-aware protection. Data Layer Security Least privilege at data layer limits blast radius. Database users should have minimum required permissions. Every request should be authorized. Authorization should never be skipped. Strong tenant isolation prevents cross-tenant access. Isolation should be enforced at database level.OWASP Top 10 Vulnerability Classes
A01:2021 - Broken Access Control
Description Broken access control allows users to access resources or perform actions beyond their permissions. Access control failures are most common vulnerability. Insecure Direct Object References (IDOR) expose internal object IDs without authorization. IDOR enables unauthorized access. Missing function-level access control allows unauthorized function execution. Every function should check authorization. Mitigations Server-side authorization should be enforced on every request. Client-side checks are insufficient. Authorization should never rely on client signals including hidden fields or cookies. Client signals can be manipulated. Centralized authorization with policy engines (OPA, Cedar) and middleware ensures consistent enforcement. Centralization prevents gaps. Deny-by-default authorization requires explicit grants. Deny-by-default prevents accidental exposure. Testing Graph exploration fuzzes routes and IDs to find IDOR. Fuzzing discovers unauthorized access. Negative tests verify authorization failures. Negative tests ensure authorization is enforced. IDOR scanners automate testing. Automation scales testing.A02:2021 - Cryptographic Failures
Description Cryptographic failures expose sensitive data through weak or missing encryption. Cryptographic failures enable data breaches. Mitigations TLS 1.2 or higher should be used everywhere. Older TLS versions have vulnerabilities. HTTP Strict Transport Security (HSTS) forces HTTPS. HSTS prevents downgrade attacks. Certificate pinning validates server certificates where feasible. Pinning prevents man-in-the-middle attacks. Safe rotation is critical. Modern Authenticated Encryption with Associated Data (AEAD) including AES-GCM and ChaCha20-Poly1305 should be used. AEAD provides confidentiality and integrity. Keys should be rotated regularly. Rotation limits exposure from key compromise. Key Management Service (KMS) should back root keys. KMS provides secure key storage. Never roll your own cryptography. Custom crypto is almost always wrong. Tokens and artifacts should be signed. Signing prevents tampering. Secrets should be protected via brokered access, not embedded. Embedded secrets leak.A03:2021 - Injection
Description Injection vulnerabilities allow attackers to execute unintended commands or queries. Injection includes SQL, NoSQL, LDAP, and OS command injection. Mitigations Parameterized queries separate code from data. Parameterization prevents injection. Query builders provide safe query construction. Builders prevent string concatenation. Stored procedures with strict typing limit injection. Typing validates inputs. Dangerous shells and unescaped interpolation should be rejected. Shell injection is critical vulnerability. Input validation should check type, length, and range. Validation rejects malicious input. Input canonicalization prevents encoding attacks. Canonicalization normalizes input. Sandboxed execution for templating and report builders limits impact. Sandboxing contains damage.A04:2021 - Insecure Design
Description Insecure design represents missing or ineffective security controls in design phase. Design flaws cannot be fixed with implementation. Mitigations Threat modeling should occur early in design. Early threat modeling prevents design flaws. Misuse and abuse cases should be built into requirements. Abuse cases identify design weaknesses. Rate limiting prevents abuse. Rate limiting should be designed in. Quotas limit resource consumption. Quotas prevent denial of service. Idempotency enables safe retries. Idempotency should be designed in. Replay protection prevents replay attacks. Replay protection should be designed in. Limited capability tokens are preferable to omnipotent session cookies. Capability tokens limit blast radius.A05:2021 - Security Misconfiguration
Description Security misconfiguration includes insecure defaults, incomplete configurations, and exposed error messages. Misconfiguration is common and exploitable. Mitigations Immutable infrastructure prevents configuration drift. Immutability ensures consistency. Configuration as code enables version control and review. Code enables automation. CIS baselines provide secure configuration standards. Baselines should be enforced. Configuration scanners detect misconfigurations. Scanning should be continuous. Default-deny network and application policies prevent unauthorized access. Default-deny is secure default. Secrets should not be in environment variables by default. Environment variables leak. Telemetry on policy changes enables detection. Monitoring detects unauthorized changes. Drift detection identifies configuration changes. Drift indicates potential compromise.A06:2021 - Vulnerable and Outdated Components
Description Vulnerable and outdated components include libraries, frameworks, and dependencies with known vulnerabilities. Component vulnerabilities are widespread. Mitigations Software Composition Analysis (SCA) identifies vulnerable dependencies. SCA should be continuous. Emergency patch playbooks enable rapid response. Playbooks accelerate patching. Automated dependency update PRs (Renovate, Dependabot) keep dependencies current. Automation reduces lag. Software Bill of Materials (SBOM) documents dependencies. SBOM enables vulnerability tracking. Deprecated runtimes should be avoided. Deprecated runtimes lack security updates. Security fixes should only be backported with vendor support. Unsupported backports are risky. Transitive dependencies should be pinned. Pinning prevents unexpected updates. Allow-list registries prevent malicious packages. Allow-lists provide supply chain security. Signature verification validates package integrity. Verification prevents tampering.A07:2021 - Identification and Authentication Failures
Description Identification and authentication failures allow attackers to compromise accounts. Authentication failures enable account takeover. Mitigations Centralized authentication (OIDC, SAML) ensures consistent implementation. Centralization prevents gaps. Multi-factor authentication (MFA) should be required. MFA prevents credential compromise. Passwordless authentication eliminates password vulnerabilities where possible. Passwordless is more secure. Secure password storage (argon2id, bcrypt) protects passwords. Weak hashing enables cracking. Account lockouts prevent brute force. Lockouts should be temporary. Step-up authentication requires re-authentication for sensitive operations. Step-up limits session compromise. Credential stuffing should be resisted with rate limits and risk signals. Credential stuffing uses breached credentials.A08:2021 - Software and Data Integrity Failures
Description Software and data integrity failures occur when code and data are not protected against integrity violations. Integrity failures enable supply chain attacks. Mitigations Signed releases ensure authenticity. Signing prevents tampering. Verified provenance (SLSA) validates build process. Provenance prevents supply chain attacks. Protected branches prevent unauthorized code changes. Protection enforces review. Mandatory code reviews catch issues. Reviews provide human validation. Pipeline protection including isolated runners, secret hygiene, and ephemeral credentials prevents pipeline compromise. Pipeline security is critical. Integrity checks on configuration, templates, and artifacts detect tampering. Integrity checks validate authenticity.A09:2021 - Security Logging and Monitoring Failures
Description Security logging and monitoring failures prevent detection and response. Logging failures create blind spots. Mitigations Security events should be logged comprehensively. Logging enables detection. Logs should be centralized and protected. Centralization enables analysis. Protection prevents tampering. Alerting should trigger on security events. Alerting enables response. Log retention should support investigation. Retention should meet compliance requirements.A10:2021 - Server-Side Request Forgery (SSRF)
Description SSRF allows attackers to make requests from server to internal resources. SSRF enables internal network access. Mitigations Metadata endpoints should be blocked. Metadata endpoints expose credentials. Egress proxy with allow-lists limits outbound requests. Allow-lists prevent unauthorized requests. IMDSv2 (Instance Metadata Service v2) requires session tokens. IMDSv2 prevents SSRF to metadata. Service isolation limits SSRF impact. Isolation contains damage. Mutual TLS (mTLS) authenticates services. mTLS prevents unauthorized access. URL fetchers should be treated as high risk. URL fetchers enable SSRF. DNS resolution should be restricted. DNS resolution can access internal resources.Additional Critical Vulnerabilities
Cross-Site Scripting (XSS) XSS allows attackers to inject malicious scripts. XSS enables session hijacking and data theft. Auto-escaping templating prevents XSS. Escaping should be automatic. Content Security Policy (CSP) limits XSS impact. CSP should be strict. Input validation rejects malicious input. Validation is defense-in-depth. Deserialization Vulnerabilities Unsafe deserialization enables remote code execution. Deserialization is critical vulnerability. Unsafe deserializers should be avoided. Safe alternatives should be used. JSON with schemas is preferable to binary serialization. JSON is safer. Type verification and whitelists limit deserialization. Verification prevents malicious objects. Polymorphic deserialization should be disabled. Polymorphism enables gadget chains. Payload versioning enables validation. Versioning detects tampering.Testing Strategy
Unit Testing Security-focused unit tests should verify authorization on every controller. Unit tests catch logic errors. Negative tests should verify failures. Negative tests ensure security controls work. Integration Testing DAST with authenticated scans tests running application. DAST finds runtime vulnerabilities. Fuzzers for routing and IDs discover edge cases. Fuzzing finds unexpected behavior. Runtime Testing Canary rules in WAF test new protections. Canaries enable safe rollout. Shadow traffic for anomaly detection finds attacks. Anomaly detection catches unknown attacks.Conclusion
OWASP Top 10 provides critical web application vulnerability classes that security engineers convert into guardrails in frameworks, pipelines, and platforms. Effective web security requires secure-by-default frameworks, automated security gates, and runtime protections. Success requires framework selection with built-in security, CI/CD gates including SAST and DAST, comprehensive testing, and defense-in-depth with WAF and RASP. Organizations that invest in secure-by-default patterns prevent entire vulnerability classes.References
- OWASP Top 10 (2021)
- OWASP Application Security Verification Standard (ASVS)
- OWASP Proactive Controls
- OWASP Cheat Sheet Series
- CIS Benchmarks
- MITRE CWE Top 25