The OWASP Top 10 is the closest thing web security has to a canonical checklist. It’s not exhaustive, and OWASP itself describes it as an awareness document rather than a standard: it’s the ten classes of vulnerability that show up most in real applications, ranked in the 2021 edition from incidence data across tested applications plus a community survey. If you defend against these ten, you’ve closed the doors attackers walk through most often.
Here’s each one with the single most important thing to actually do about it.

1. Broken access control
Ranked #1 in the 2021 list and the category found in the largest share of tested applications. A user accesses data or actions they shouldn’t. Defense: verify authorization on EVERY endpoint, server-side, every time, and deny by default. Never rely on the UI hiding a button, and never trust an owner or role field the client sends. The classic bug: /api/orders/123 works for order 123’s owner, but also for anyone who changes the number. Check ownership on every request.
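The ownership bug above and its fix, side by side, as an added example (not the article's code). The in-memory order store, user IDs and order numbers are constructed for the demo; in a real app the same check sits in the handler, with the caller's identity taken from the session.

```python
"""Broken access control: the order handler that trusts the URL (vulnerable)
beside one that checks ownership on every request (fixed). Added example
with a constructed in-memory store and user IDs; not the article's code."""

from __future__ import annotations

from dataclasses import dataclass


class NotFound(Exception):
    """Raised when the object does not exist or the caller may not see it."""


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total_cents: int


# Constructed sample data: two customers (user 1 and user 2), three orders.
ORDERS = {
    123: Order(order_id=123, owner_id=1, total_cents=4999),
    124: Order(order_id=124, owner_id=2, total_cents=12000),
    125: Order(order_id=125, owner_id=1, total_cents=250),
}


def get_order_vulnerable(current_user_id: int, order_id: int) -> Order:
    """The classic bug: the handler knows who the caller is (authentication)
    but never checks that the caller owns order_id (authorization), so any
    logged-in user can walk /api/orders/1, /api/orders/2, ... and read
    everyone's orders."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def can_access(current_user_id: int, order_id: int) -> bool:
    """Server-side ownership check. The identity comes from the session, never
    from a user-supplied 'owner' or 'role' field in the request."""
    order = ORDERS.get(order_id)
    return order is not None and order.owner_id == current_user_id


def get_order(current_user_id: int, order_id: int) -> Order:
    """Fixed handler: deny by default, and return the same 'not found' for a
    missing order and a foreign one so the response doesn't confirm which
    IDs exist."""
    if not can_access(current_user_id, order_id):
        raise NotFound(order_id)
    return ORDERS[order_id]


def list_orders(current_user_id: int) -> list[Order]:
    """Collection endpoints need the same rule: scope the query to the caller
    rather than returning everything and letting the UI hide rows."""
    return [o for o in ORDERS.values() if o.owner_id == current_user_id]


if __name__ == "__main__":
    # User 2 reads user 1's order through the vulnerable handler...
    print("vulnerable:", get_order_vulnerable(2, 123))
    # ...and is denied by the fixed one.
    try:
        get_order(2, 123)
    except NotFound:
        print("fixed: user 2 denied access to order 123")
    print("user 1's own orders:", [o.order_id for o in list_orders(1)])
```

Returning the same "not found" for a foreign order as for a missing one is a deliberate choice: a distinct 403 tells the attacker which IDs exist. The collection endpoint matters as much as the single-object one; filtering by the caller in the query is what stops the "fetch everything, hide it in the UI" pattern.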
2. Cryptographic failures
Sensitive data exposed because it wasn’t encrypted, or was encrypted badly. Defense: TLS everywhere (no exceptions), encrypt sensitive data at rest with authenticated encryption (AES-GCM or ChaCha20-Poly1305) from a vetted library rather than hand-assembled primitives, hash passwords with a salted, slow algorithm such as bcrypt, scrypt or argon2 (never a fast unsalted hash like MD5 or SHA-1, and never plaintext), rotate keys, and never log secrets or PII.
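Password storage done the way the paragraph describes, as an added example (not the article's code). The article names bcrypt and argon2; this example uses scrypt from Python's standard library (hashlib.scrypt) so it runs without third-party packages, which is a choice made for the demo and not a recommendation against argon2. The cost parameters are assumed values for illustration.

```python
"""Cryptographic failures: password storage with a per-user salt, a slow
memory-hard KDF and a constant-time verify, next to the unsalted fast hash
the article warns against. Added example using hashlib.scrypt as a
standard-library stand-in for bcrypt/argon2; not the article's code."""

import base64
import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed for the example): 128 * r * n = 16 MiB per hash.
N, R, P = 2**14, 8, 1
SALT_BYTES = 16
DKLEN = 32
MAXMEM = 64 * 1024 * 1024  # raise OpenSSL's default memory cap so n=2**14 fits


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str) -> str:
    """Returns a self-describing record: algorithm, parameters, salt, digest.
    Storing the parameters lets you raise the cost later and re-hash on login."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P,
                            maxmem=MAXMEM, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the stored salt and parameters and compares in constant
    time. Any malformed record verifies as False rather than raising."""
    try:
        alg, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, TypeError):
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            maxmem=MAXMEM, dklen=len(expected))
    # hmac.compare_digest does not short-circuit on the first differing byte,
    # so timing does not leak how much of the digest matched.
    return hmac.compare_digest(actual, expected)


def unsalted_sha1(password: str) -> str:
    """What NOT to do: fast and unsalted, so two users with the same password
    get the same hash and a leaked table can be matched against precomputed
    hashes in bulk."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    # Same input, different records: the salt makes each hash unique.
    print(hash_password("same") != hash_password("same"))
    # Same input, same digest: the unsalted hash is what rainbow tables exploit.
    print(unsalted_sha1("same") == unsalted_sha1("same"))
```

Two things to carry over to whatever library you actually use: the record stores its own parameters so you can raise the work factor without a migration, and verification uses a constant-time comparison rather than `==`.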
3. Injection
SQL injection, command injection, LDAP injection. Defense: parameterized queries ALWAYS (never string-concatenate user input into SQL), validate input at the boundary, use an ORM that parameterizes by default while remembering that its raw-query escape hatch reintroduces the bug, allow-list anything that can’t be a bound parameter (table and column names, sort order), and never pass user input to a shell.
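The concatenated query beside the parameterized one, run against an in-memory SQLite database, as an added example (not the article's code). The table, rows and tautology payload are constructed for the demo; the third function covers the case parameters can't handle, a user-chosen column name, which has to be allow-listed instead.

```python
"""Injection: string-concatenated SQL beside the parameterized query, plus an
allow-list for identifiers that cannot be bound as parameters. Runs against
an in-memory SQLite database with constructed rows. Added example; not the
article's code."""

from __future__ import annotations

import sqlite3

# Constructed sample data.
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# Classic tautology payload: closes the string literal and makes WHERE always true.
PAYLOAD = "x' OR '1'='1"

# Columns a caller is allowed to sort by. Identifiers cannot be parameters.
ALLOWED_SORT = {"id", "username", "email"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """User input is pasted into the SQL text, so the database parses it as SQL.
    With PAYLOAD the statement becomes
    ... WHERE username = 'x' OR '1'='1'  and every row comes back."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The SQL text is fixed at development time; the value travels separately
    as a bound parameter and can never change the statement's structure.
    PAYLOAD is simply looked up as a (nonexistent) username."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list[tuple]:
    """Table and column names cannot be bound as parameters, so a user-chosen
    sort column must be checked against an allow-list before it is interpolated."""
    if column not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {column!r}")
    return conn.execute(f"SELECT id, username, email FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))  # all three rows leak
    print("parameterized:", find_user(conn, PAYLOAD))          # [] : no such user
    print("sorted:", list_users_sorted(conn, "email"))
    try:
        list_users_sorted(conn, "id; DROP TABLE users")
    except ValueError as exc:
        print("rejected:", exc)
```

The payload here only widens a SELECT; the same hole lets an attacker read other tables through UNION or, on databases that accept stacked statements, run anything the connection's account can. The parameterized version needs no escaping logic at all, which is the point: there is nothing to get wrong.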
4. Insecure design
Vulnerabilities baked into the architecture, not the code. Defense: threat-model before you build. Ask “what could go wrong?” for each feature. A password-reset flow that emails a predictable token is an insecure DESIGN, not a coding bug. Catch it at design time.
5. Security misconfiguration
Default passwords, debug mode in production, overly permissive CORS, verbose error messages that leak internals. Defense: secure defaults, no debug in prod, infrastructure-as-code so configuration is reviewed, and a hardening checklist for every deploy target.
6. Vulnerable and outdated components
Using a library with a known CVE. Defense: Dependabot or Snyk enabled, weekly patching cadence, an SBOM (software bill of materials), and a policy to upgrade critical-severity vulns within 48 hours.
7. Identification & authentication failures
Weak passwords, broken session management, credential stuffing. Defense: use a third-party identity provider (Auth0, Clerk, WorkOS), enforce MFA, use short-lived tokens, rate-limit auth endpoints, and never roll your own session logic.
8. Software & data integrity failures
Trusting code or data without verifying it — e.g. auto-updating from an untrusted source, deserializing untrusted data. Defense: signed builds, verified deploys, an SBOM, and never deserialize untrusted input with a permissive deserializer.
9. Security logging & monitoring failures
You got breached and didn’t notice for 6 months. Defense: log security-relevant events (auth successes and failures, access-control failures, admin actions) with who, what, when and from where, alert on anomalies, retain logs 90+ days, and ship them off-host to append-only storage so an attacker who owns the server can’t erase their tracks.
10. Server-side request forgery (SSRF)
Your server fetches a URL the attacker controls, and they point it at internal services (cloud metadata endpoints, internal admin tools). Defense: allow-list outbound destinations, block requests to internal IP ranges and cloud metadata endpoints, and validate any user-supplied URL before fetching it. Validate the resolved address, not just the hostname string, since a name can resolve to an internal IP, and re-check every redirect hop rather than following redirects blindly.
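A URL gate implementing those checks, as an added example (not the article's code): scheme allow-list, optional host allow-list, rejection of userinfo tricks, and a block on every resolved address that is loopback, private, link-local or the cloud metadata address. The resolver is injectable so the demo runs offline; the hostnames and addresses in FAKE_DNS are constructed.

```python
"""SSRF: validating a user-supplied URL before the server fetches it.
Added example; not the article's code. The fake DNS table is constructed
so the demo runs offline; real code uses the default resolver."""

from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
METADATA_ADDRS = {
    ipaddress.ip_address("169.254.169.254"),  # IMDS on AWS, Azure, GCP (IPv4)
    ipaddress.ip_address("fd00:ec2::254"),     # AWS IMDS (IPv6)
}

# Constructed fake DNS for the offline demo.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],        # constructed public address
    "internal.corp": ["10.0.0.5"],                   # RFC 1918
    "dual.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


class UnsafeURL(ValueError):
    pass


def _default_resolver(host: str) -> list[str]:
    """Every address the name resolves to, IPv4 and IPv6."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def _is_blocked(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for anything that is not a plain public address, plus the metadata
    endpoints. IPv4-mapped IPv6 (::ffff:10.0.0.5) is unwrapped first so it
    cannot smuggle an internal IPv4 past the checks."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr in METADATA_ADDRS or not addr.is_global or addr.is_private
            or addr.is_loopback or addr.is_link_local or addr.is_multicast)


def validate_outbound_url(url: str, resolver=_default_resolver,
                          allowed_hosts: set[str] | None = None) -> tuple[str, list[str]]:
    """Returns (hostname, resolved_addresses) if the URL may be fetched, else
    raises UnsafeURL. Every resolved address is checked, because a name can
    map to one public and one internal address. Call this again for each
    redirect target; the first hop being safe says nothing about the next."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if "@" in parts.netloc:  # http://trusted.example@internal.corp/ parses as host internal.corp
        raise UnsafeURL("userinfo in URL")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeURL(f"host not on allow-list: {host!r}")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, including bracketed IPv6
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise UnsafeURL(f"host did not resolve: {host!r}")
    for addr in addrs:
        if _is_blocked(addr):
            raise UnsafeURL(f"{host} resolves to blocked address {addr}")
    return host, [str(a) for a in addrs]


def is_safe_url(url: str, resolver=_default_resolver,
                allowed_hosts: set[str] | None = None) -> bool:
    try:
        validate_outbound_url(url, resolver, allowed_hosts)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    for candidate in ["https://api.partner.example/v1/report",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://internal.corp/admin",
                      "http://dual.example/",
                      "http://[::1]/",
                      "file:///etc/passwd",
                      "http://api.partner.example@internal.corp/"]:
        print(f"{candidate:50} {'ok' if is_safe_url(candidate, fake_resolver) else 'BLOCKED'}")
```

Two gaps this gate cannot close on its own: DNS rebinding (the name resolves to a public address when you check and an internal one when the HTTP client resolves it again), which you close by connecting to the address you validated rather than re-resolving, and redirects, which you close by disabling automatic following and running the validation on each Location header yourself.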
The 80/20 of web security
If you do four things, you close most of the real risk: verify access control on every endpoint, parameterize every query, use a third-party auth provider with MFA, and keep dependencies patched. The remaining six matter, but those four are where most real breaches actually come from.
How we approach this
Our Cybersecurity engagements run an OWASP-aligned review of every application we touch — automated scanning in CI plus a manual review of the access-control and auth surfaces, which is where tools are weakest and humans are strongest.
Takeaways
- Broken access control is the #1 real-world breach cause. Verify on every endpoint.
- Parameterize every query. Always.
- Use third-party auth + MFA. Don’t roll your own.
- Keep dependencies patched — Dependabot/Snyk on, weekly cadence.
- Log security events and actually watch them.