owasp-top-10

• Conducting security audits and code reviews
• Implementing secure coding practices in new features
• Reviewing authentication and authorization systems
• Assessing input validation and sanitization
• Evaluating third-party dependencies for vulnerabilities
• Designing security controls and defense-in-depth strategies
• Preparing for security certifications or compliance audits
• Investigating security incidents or suspicious behavior

Ranked by Risk Severity:

1. A01 - Broken Access Control (↑ from #5)
2. A02 - Cryptographic Failures (formerly Sensitive Data Exposure)
3. A03 - Injection (↓ from #1)
4. A04 - Insecure Design (NEW)
5. A05 - Security Misconfiguration
6. A06 - Vulnerable and Outdated Components
7. A07 - Identification and Authentication Failures
8. A08 - Software and Data Integrity Failures (NEW)
9. A09 - Security Logging and Monitoring Failures
10. A10 - Server-Side Request Forgery (SSRF) (NEW)

Load detailed guidance for each vulnerability:

| Vulnerability | Reference File |

|---|---|

| Broken Access Control | skills/owasp-top-10/references/broken-access-control.md |

| Cryptographic Failures | skills/owasp-top-10/references/cryptographic-failures.md |

| Injection | skills/owasp-top-10/references/injection.md |

| Insecure Design | skills/owasp-top-10/references/insecure-design.md |

| Security Misconfiguration | skills/owasp-top-10/references/security-misconfiguration.md |

| Vulnerable Components | skills/owasp-top-10/references/vulnerable-components.md |

| Authentication Failures | skills/owasp-top-10/references/authentication-failures.md |

| Integrity Failures | skills/owasp-top-10/references/integrity-failures.md |

| Logging & Monitoring | skills/owasp-top-10/references/logging-monitoring.md |

| SSRF | skills/owasp-top-10/references/ssrf.md |

| Prevention Strategies | skills/owasp-top-10/references/prevention-strategies.md |

1. Identify Scope: Determine application components and attack surface
2. Select Vulnerabilities: Choose relevant OWASP categories based on features
3. Load Reference: Read appropriate reference file(s) for detailed patterns
4. Analyze Code: Review code against vulnerable and secure patterns
5. Document Findings: Record vulnerabilities with severity and remediation
6. Verify Fixes: Test that remediations properly address issues
7. Test Security: Run automated security testing (SAST, DAST, SCA)

Defense in Depth

• Layer security controls at network, application, data, and monitoring levels
• Ensure failure of one control doesn't compromise entire system

Secure by Default

• Deny all access by default, explicitly grant permissions
• Fail securely (errors don't expose sensitive information)
• Minimize attack surface (disable unused features)
• Apply least privilege to all accounts and services

Input Validation

• Validate type, length, format, and allowed values
• Use allow-lists over deny-lists
• Sanitize for specific context (SQL, HTML, shell, etc.)
• Never trust client input

1. Trusting User Input: Always validate and sanitize all user-supplied data
2. Rolling Your Own Crypto: Use established libraries (bcrypt, AES-256)
3. Exposing Errors: Log detailed errors internally, show generic messages to users
4. Missing Authorization: Check permissions on every request, not just UI
5. Weak Session Management: Use secure, httpOnly, sameSite cookies with HTTPS
6. Ignoring Dependencies: Regularly audit and update third-party libraries
7. No Logging: Log security events for detection and incident response
8. Default Configurations: Harden all systems, disable defaults

SAST (Static): SonarQube, Semgrep, ESLint security plugins

DAST (Dynamic): OWASP ZAP, Burp Suite

SCA (Dependencies): npm audit, Snyk, Dependabot

Secrets Scanning: GitGuardian, TruffleHog

Penetration Testing: Metasploit, Kali Linux tools

• OWASP Top 10 2021: https://owasp.org/Top10/
• OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
• OWASP ASVS: Application Security Verification Standard
• CWE Top 25: Common Weakness Enumeration
• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• CVE Database: https://cve.mitre.org/
• Snyk Vulnerability DB: https://snyk.io/vuln/