OWASP

Top Ten

2021:

1. Broken Access Control: actually put correct checks in place
2. Cryptographic Failures: leaking information in clear text, or weak encryption
3. Injection: using untrusted user input - SQL, cross-site scriptiong
4. Insecure Design: think about security at the start, not the last minute (kind of a process thing instead of a vulnerability)
5. Security Misconfiguration: insecure settings, default things exposed
6. Vulnerable and Outdated Components: dependencies. Keep them up to date, especially security vulnerabilities
7. Identification and Authentication Failures: breakable auth via credential stuffing, weak passwords, unencrypted, etc
8. Software and Data Integrity Failures: prevent vulnerabilities from getting injected by things like spoofed or malicious packages
9. Security Logging and Monitoring Failures: log suspicious activity in a way that can be identified
10. Server-Side Request Forgery: an attacker gets the server to make an unexpected request to a protected internal resource