Free System Design Interview Course
Get Educative's definitive System Design Interview Handbook for free.
Open Web Application Security Project (OWASP) is a nonprofit organization that is focused on software security. OWASP Top 10 is a broad consensus about the ten most critical security risks faced by web applications. It gives a common language for security professionals and is the first step for developers on their journey to securing their web applications. Globally, OWASP Top 10 is recognized by developers as the first step toward more secure coding.
The OWASP Top 10 web application security risks are as follows:
Access control implies policy enforcement so that users can only access what they are intended to. Broken access control leads to information disclosure, modification, or destruction of data that a user was not authorized to act on.
The non-ability to encrypt data in transit or data at rest can lead to several attacks. You may have noticed the lock icon on your browsers when you go to a website. The lock icon indicates that the site is utilizing HTTPS.
Injection flaws, such as SQL and LDAP injection, occur when a command or query is executed with an unintended parameter. For example, see the code below.
SELECT * FROM employee WHERE name=abc OR 1==1;
1==1 is the most common way for a SQL injection. This tricks the SQL query to return all rows by using the
Insecure design focuses on design flaws. A secure design should follow secure design and architecture guidelines. Performing security threat modeling is one of them.
Running software with default configurations, usernames, and passwords, unnecessary ports exposes applications to the attacker.
Software development frequently reuses components. It is imperative to ensure that the vulnerabilities in these dependencies are actively patched.
Incorrect implementation of the authentication and authorization application allows attackers to get access to passwords, sessions, and privilege escalations.
Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations.
Insufficient logging and monitoring to identify an attack gives attackers more time to penetrate the system.
Server-Side Request Forgery or SSRF occurs whenever an application fetches a remote resource without validation.