OWASP Top Ten (2021) - Ethan Young

### OWASP Top Ten (2021) The OWASP Top Ten (2021) is a standard reference document that outlines the most critical web application security risks. Although there are other security standards like SANS Top 25, OWASP is more focused and widely adopted in web development. Understanding and addressing the OWASP Top Ten is essential to building secure applications. These vulnerabilities, if left unaddressed, can lead to severe consequences for businesses and users alike, such as data breaches, financial losses, and reputational damage: 1. **Robust Access Management:** Prevent broken access control by implementing role-based access control (RBAC), least privilege principles, and AIM. 2. **Least Privilege:** Limit user and component permissions to minimize security breach impact. 3. **Identity and Access Management (IAM):** Use Auth0 to manage digital identities, authentication, and permissions. 4. **Strong Cryptography:** Prevent cryptographic failures using robust encryption algorithms, critical management practices, and secure storage solutions. 5. **Data Storage & Transmission:** Securely store sensitive data using encryption, access controls, and strong password hashing algorithms like bcrypt or Argon2. 6. **Input Validation:** Prevent attacks like SQLi and XSS using parameterized queries, allowlisting, sanitization, and built-in validation functions. 7. **Output Encoding:** Encode user-generated content before displaying it to prevent XSS attacks; use HTML entity, URL, or JavaScript encoding as needed. 8. **Secure Design Principles:** Prevent insecure design by following best practices such as the Principle of Least Privilege, Defense in Depth, and Secure by Design. 9. **Defense in Depth:** implementing multiple layers of security controls to protect against potential attack vectors. 10. **Secure by Design:** building security into systems from the start using best practices such as secure coding and risk assessments. 11. **Proper Security Configuration:** Prevent security misconfigurations using secure defaults, regularly reviewing configurations, and automating security updates. 12. **Component Hygiene:** Prevent vulnerabilities from outdated components by keeping dependencies up-to-date, monitoring for known security issues, and minimizing the use of third-party libraries. 13. **Reliable Identification and Authentication:** Prevent identification and authentication failures using multi-factor authentication (MFA) (ex. Google Authenticator), strong password policies, and secure authentication protocols. 14. **OAuth 2.0:** enables applications to access user data from other applications without the user having to share their login credentials. 15. **OpenID Connect:** an identity layer on top of OAuth 2.0 that provides authentication and authorization capabilities. 16. **Maintain Software and Data Integrity:** Prevent software and data integrity failures by implementing secure code practices, input validation, and checksum verification. 17. **Checksum verification:** verifies the integrity of data or files by comparing calculated checksum values. 18. **Effective Security Logging and Monitoring:** Prevent logging and monitoring failures by capturing and analyzing relevant security events, using intrusion detection systems, and promptly addressing identified vulnerabilities. 19. **Intrusion detection systems (IDS):** monitor network traffic or system events in real-time to detect and alert on potential security breaches or unauthorized access. 20. **Safeguard Against Server-Side Request Forgery:** Prevent SSRF attacks by validating external URLs, using allowlists, and employing network segmentation techniques. **BONUS: Error Handling:** Use generic error messages for end-users, log detailed information server-side, and handle exceptions gracefully to prevent leaks and crashes.