Day 8: OWASP Top 10 2021 – #4 Insecure Design

For OWASP Top 10 2021, a brand-new category called Insecure Design will concentrate on the dangers of design flaws. Because adequate security controls were never designed to combat specific threats and a perfect implementation cannot restore unsafe design, it happens when a vendor provides documented features to a product that allow an attacker to undermine the availability or integrity of the application.

If we as an industry are sincere about moving left, OWASP advises the need for more threat modeling, secure design patterns and principles, and reference architectures.

A broad group of errors referred to as “insecure design” are encompassed under the term of “missing or poor control design.”  Among the new categories for 2021 are threat modeling, safe design patterns, and reference architectures, with a need to use threat modeling, safe design patterns, and reference architectures more frequently.

Impact of Insecure Design
  • total takeover of the account
  • Data and system breaches
  • Denial of service by repeatedly impersonating a server, with requests.
  • For compromised, low-level accounts, privilege escalation.
Remedy to Insecure Design
  1. For essential critical flows, access control, business logic, and authentication, use threat modeling.
  2. Security measures and language should be included in user stories.
  3. Include plausibility checks in every level of your application (from frontend to backend).
  4. Write unit and integration tests to verify that all crucial flows are resistant to the threat model. For each level of your program, create a list of use cases and misuse scenarios.
  5. Divide the tiers on the system and network layers based on the exposure and protection requirements.

CWEs List for Insecure Design

References To Get More Understanding of Insecure Design

This will be all for the Day 8 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post. 


Leave a Reply

Your email address will not be published. Required fields are marked *