Skip to content

DOMAIN:SECURITY

OWNER: julian
UPDATED: 2026-03-18
SCOPE: all client projects, all teams

SECURITY:OWASP_TOP_10

STANDARD: OWASP Top 10 (2021)
ALSO_CHECK: OWASP API Security Top 10 (2023), OWASP ASVS 4.0.3

A01:BROKEN_ACCESS_CONTROL

CHECK: missing function-level access control — can regular user hit admin endpoints?
CHECK: IDOR — can user A access user B's data by changing an ID in URL/request?
CHECK: CORS misconfiguration — are unauthorized origins allowed?
CHECK: JWT — algorithm confusion, missing expiry, weak signing key, missing audience validation
CHECK: missing re-authentication for sensitive ops (password change, email change, role change)
CHECK: path traversal in file operations — ../ in user-supplied paths
CHECK: metadata manipulation — hidden fields, cookies, JWT claims modifiable by client
FALSE_POSITIVE_IF: internal-only API behind network boundary (still flag for defense-in-depth)
NOTE: automated tools catch <20% of access control issues — manual review required
SEVERITY: CRITICAL if auth bypass allows access to other users' data
SEVERITY: HIGH if privilege escalation possible

A02:CRYPTOGRAPHIC_FAILURES

CHECK: data in cleartext transit — HTTP, FTP, SMTP without STARTTLS
CHECK: deprecated crypto — MD5, SHA1 for passwords, DES, RC4, ECB mode
CHECK: hardcoded encryption keys or initialization vectors
CHECK: missing encryption at rest for PII/sensitive data
CHECK: weak TLS — TLS 1.0/1.1, weak cipher suites
CHECK: password storage — MUST be bcrypt/scrypt/Argon2 with salt — NEVER SHA-256, NEVER plaintext
CHECK: missing HSTS header
CHECK: insufficient randomness in tokens/nonces — crypto.randomBytes not Math.random
FALSE_POSITIVE_IF: MD5/SHA1 used for non-security purpose (cache keys, checksums, ETags)
NOTE: PostgreSQL SSL connection != encryption at rest. Need disk-level or column-level encryption.
SEVERITY: CRITICAL if passwords stored in plaintext or weak hash
SEVERITY: HIGH if PII transmitted without TLS

A03:INJECTION

CHECK: string concatenation in SQL queries → parameterized queries required
CHECK: innerHTML/dangerouslySetInnerHTML with user input → XSS (reflected/stored/DOM)
CHECK: exec/spawn/system calls with user input → command injection
CHECK: user input in LDAP queries → LDAP injection
CHECK: user input in template engines → Server-Side Template Injection (SSTI)
CHECK: user input in HTTP headers → CRLF/header injection
CHECK: user input in log statements → log injection/forging
CHECK: NoSQL query construction with user input → NoSQL injection
FALSE_POSITIVE_IF: ORM with proper parameterization (Drizzle, Prisma) handles escaping
FALSE_POSITIVE_IF: framework auto-escapes output (React JSX, Vue templates) — but verify no bypass
NOTE: focus on bypass cases: raw queries, dynamic table/column names, GraphQL query construction
SEVERITY: CRITICAL if user input reaches interpreter unescaped
TOOL: semgrep --config p/owasp-top-ten

A04:INSECURE_DESIGN

CHECK: missing rate limiting on authentication endpoints
CHECK: no account lockout mechanism
CHECK: missing CAPTCHA on public-facing forms
CHECK: business logic flaws — coupon reuse, race conditions in purchases, negative quantities
CHECK: missing abuse case analysis in design docs
CHECK: no threat model documented
NOTE: highest-value category — requires understanding business logic, not just code patterns
NOTE: cannot be fixed by implementation alone — design-level issue
SEVERITY: HIGH — design flaws affect entire application

A05:SECURITY_MISCONFIGURATION

CHECK: default credentials still active
CHECK: unnecessary HTTP methods enabled (TRACE, OPTIONS leaking info)
CHECK: stack traces/verbose errors exposed in production
CHECK: directory listing enabled on web server
CHECK: unnecessary ports/services exposed
CHECK: missing security headers — CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
CHECK: cloud storage with public access (S3 buckets, GCS)
CHECK: debug mode enabled in production (Next.js, Django, etc.)
TOOL: securityheaders.com for quick header check
TOOL: mozilla observatory for comprehensive config check

A06:VULNERABLE_COMPONENTS

CHECK: known CVEs in direct dependencies
CHECK: known CVEs in transitive dependencies (deeper in tree = often missed)
CHECK: abandoned packages — no updates in 2+ years, no maintainer response
CHECK: packages with known maintainer compromise history
CHECK: missing lock file or floating version ranges (*, latest, ^major)
CHECK: container base image vulnerabilities
NOTE: not every CVE is exploitable in context — assess reachability first
TOOL: trivy fs . --severity CRITICAL,HIGH
TOOL: npm audit (basic) or snyk test (with reachability)

A07:AUTHENTICATION_FAILURES

CHECK: weak password policy — < 8 chars, no breach database check (haveibeenpwned API)
CHECK: missing MFA — especially admin functions
CHECK: session fixation — session ID not rotated after login
CHECK: session tokens in URLs
CHECK: missing session timeout (absolute and idle)
CHECK: no credential stuffing protection — rate limiting, CAPTCHA after failures
CHECK: password reset flaws — predictable tokens, no expiry, no invalidation after use

A08:DATA_INTEGRITY_FAILURES

CHECK: CI/CD pipeline without integrity checks on artifacts
CHECK: auto-update mechanisms without signature verification
CHECK: insecure deserialization of untrusted data
CHECK: missing Subresource Integrity (SRI) on CDN-loaded scripts
CHECK: unsigned container images deployed to production
TOOL: cosign verify for image signatures

A09:LOGGING_FAILURES

CHECK: login failures not logged
CHECK: no audit trail for data access/modifications
CHECK: logs not centralized or monitored
CHECK: PII in logs — GDPR violation AND security risk
CHECK: missing alerting for suspicious patterns (brute force, unusual access)
CHECK: log injection — user input in log statements enabling forging
SEVERITY: HIGH if PII in logs (GDPR Art. 32 violation)

A10:SSRF

CHECK: URL fetching with user input — webhooks, image proxy, PDF generation, link preview
CHECK: missing allowlist for external service calls
CHECK: internal network accessible from SSRF — cloud metadata (169.254.169.254), internal APIs
CHECK: DNS rebinding protection
SEVERITY: CRITICAL if internal network/cloud metadata accessible

SECURITY:API_TOP_10

STANDARD: OWASP API Security Top 10 (2023)

API1:BOLA — can user A access user B's objects via API? CHECK: object-level authorization on every endpoint
API2:BROKEN_AUTH — weak API key handling, missing rate limits on auth endpoints
API3:BOPLA — mass assignment, excessive data in responses. CHECK: response filtering, input allowlists
API4:RESOURCE_CONSUMPTION — missing rate limits, pagination, query complexity limits
API5:BROKEN_FUNCTION_AUTH — regular user calling admin API endpoints
API6:BUSINESS_FLOW_ABUSE — scraping, bot attacks, automated purchasing. CHECK: behavioral detection
API7:SSRF — API endpoints fetching external resources
API8:MISCONFIG — CORS, missing headers, verbose errors, default configs
API9:IMPROPER_INVENTORY — undocumented/deprecated endpoints still accessible. CHECK: API inventory
API10:UNSAFE_CONSUMPTION — trusting third-party API responses without validation

SECURITY:THREAT_MODELING

METHODOLOGY: STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation)
PRIVACY_METHODOLOGY: LINDDUN (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, Non-compliance)
RISK_RATING: CVSS v4.0 or OWASP Risk Rating Methodology

WHEN_REQUIRED: new project, major architecture change, new external integration, AI feature addition
OUTPUT: data flow diagram + identified threats + risk ratings + mitigations

SECURITY:AUTHORITIES

PEOPLE: Troy Hunt (breach awareness), Tanya Janca (AppSec/DevSecOps), Jim Manico (OWASP ASVS), Scott Helme (HTTP headers), Liran Tal (Node.js/supply chain), Daniel Miessler (security+AI)
NEWSLETTERS: tl;dr sec (weekly AppSec), Risky Business (weekly infosec), Portswigger Daily Swig, Snyk Blog
CONFERENCES: OWASP Global AppSec EU, Black Hat Europe, BSides, One Conference (The Hague)
STANDARDS: OWASP ASVS 4.0.3, OWASP Testing Guide v4.2, OWASP Cheat Sheet Series, CIS Controls v8, NIST CSF 2.0

READ_ALSO: domains/security/tools.md, domains/security/pitfalls.md, domains/security/reading-list.md