Index · Quick recall (Q&A)

3 min read
20 min read
Rapid overview

Quick recall (Q&A)

Q: What changed for Broken Access Control in the 2021 OWASP Top 10?

A: It moved to the #1 position. It was the most serious risk found in the contributed test data — 94% of tested applications had some form of broken access control — so it rose from #5 to the top of the list.

Q: Which three categories were newly introduced in the 2021 edition?

A: A04 Insecure Design, A08 Software and Data Integrity Failures, and A10 Server-Side Request Forgery (SSRF).

Q: Why was "Sensitive Data Exposure" renamed to "Cryptographic Failures"?

A: The old name described a symptom (data was exposed) rather than the cause. The 2021 list refocuses on the root cause — failures in, or absence of, cryptography — which is more actionable for engineers.

Q: How does Insecure Design differ from Security Misconfiguration?

A: Insecure Design is a flaw in the control design itself — it exists before any code is written and cannot be patched by configuration. Misconfiguration is a correctly designed control set up incorrectly. You fix design with threat modeling; you fix misconfiguration with hardening.

Q: What is the single most effective defense against injection?

A: Parameterized queries / prepared statements (or a safe ORM), so untrusted input is always treated as data and never as executable code or query structure.

Q: Why is XSS no longer its own Top 10 category?

A: In 2021 it was merged into A03 Injection, because XSS is fundamentally an injection problem — untrusted input being interpreted in a new context (the browser/HTML/JS interpreter).

Q: What is an IDOR and which category does it belong to?

A: An Insecure Direct Object Reference — accessing another user's object by manipulating an identifier (e.g. an account ID in a URL). It belongs to A01 Broken Access Control.

Q: How should passwords be stored to satisfy A02 Cryptographic Failures?

A: With a salted, memory-hard, adaptive key-derivation function such as Argon2id, scrypt, or bcrypt — never plaintext, never fast general-purpose hashes like MD5 or SHA-256 alone.

Q: What classic vulnerability did A05 Security Misconfiguration absorb in 2021?

A: XML External Entities (XXE), which was its own category in 2017, is now folded into Security Misconfiguration.

Q: What former category did A08 Software and Data Integrity Failures absorb?

A: Insecure Deserialization (a standalone 2017 category) is now part of A08, alongside unsigned updates and insecure CI/CD pipelines.

Q: What is SSRF and why is it dangerous in cloud environments?

A: Server-Side Request Forgery tricks the server into making requests to attacker-chosen destinations. In the cloud it's especially dangerous because it can hit the instance metadata endpoint (169.254.169.254) to steal IAM credentials.

Q: Why is A09 Security Logging and Monitoring Failures considered high-impact despite being hard to test?

A: Without logging and alerting, breaches go undetected for long periods, turning a containable incident into a major, prolonged compromise. The risk is in the time-to-detect, which dynamic testing rarely surfaces.

Q: Is the OWASP Top 10 a complete security standard?

A: No. It is an awareness and prioritization document. For verification use OWASP ASVS, and for building secure controls use the OWASP Proactive Controls.

Q: What is the core principle behind defending Broken Access Control?

A: Deny by default and enforce authorization server-side in trusted code on every request, checking object ownership — never rely on the client or UI to hide functionality.

See also