Index · Interview talking points
1 min readRapid overview
Interview talking points
- The 2021 Top 10 reorders by root cause, not symptom — Broken Access Control is #1 because it was found in ~94% of tested apps.
- Three new categories signal where modern risk lives: design (A04), supply-chain/integrity (A08), and SSRF (A10) driven by cloud and microservices.
- Injection now includes XSS; the universal fix is "treat input as data" — parameterized queries and context-aware output encoding with a strict CSP.
- Access control must be server-side, deny-by-default, and ownership-checked per object; hiding a UI button is not a security control.
- Cryptographic Failures is about both data-in-transit and at-rest; passwords need Argon2id/scrypt/bcrypt, not MD5/SHA.
- Insecure Design can't be patched — it's solved upstream with threat modeling, abuse-case testing, and OWASP ASVS/Proactive Controls.
- A06 and A08 together cover the supply chain: know your components (SBOM/SCA) and verify integrity (signatures, lockfiles, hardened CI/CD).
- The Top 10 is a starting point and shared vocabulary — pair it with ASVS for verification and never treat it as a compliance checklist.