Top Ten
  1. Broken Access Control: actually put correct checks in place
  2. Cryptographic Failures: leaking information in clear text, or weak encryption
  3. Injection: untrusted user input reaching an interpreter - SQL injection, cross-site scripting
  4. Insecure Design: think about security at the start, not the last minute (kind of a process thing instead of a vulnerability)
  5. Security Misconfiguration: insecure settings, default things exposed
  6. Vulnerable and Outdated Components: dependencies. Keep them up to date, especially when they have known security vulnerabilities
  7. Identification and Authentication Failures: breakable auth via credential stuffing, weak passwords, credentials sent or stored unencrypted, etc
  8. Software and Data Integrity Failures: prevent vulnerabilities from getting injected by things like spoofed or malicious packages
  9. Security Logging and Monitoring Failures: log suspicious activity so that it can actually be detected and investigated
  10. Server-Side Request Forgery: an attacker gets the server to make an unexpected request to a protected internal resource
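Two of the items above (3, Injection, and 10, Server-Side Request Forgery) come down to a single coding decision, so here is an added Python example that is not part of the original notes: a lookup done by splicing input into SQL text beside the parameterized version, and a default-deny hostname allowlist applied to a user-supplied URL before the server fetches it. The in-memory users table, the row values and the allowlisted hostname `api.example.com` are constructed for the demonstration and are assumptions, not anything the notes describe.

```python
import sqlite3
from urllib.parse import urlparse


def make_demo_db():
    """Build an in-memory table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Item 3, the wrong way: untrusted input is spliced into the SQL text,
    so a quote character in the input changes the structure of the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Item 3, the right way: the query text is fixed and the input is bound
    as a parameter, so it is only ever compared as a string value."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Item 10: hostnames this service is permitted to call out to (constructed allowlist).
ALLOWED_OUTBOUND_HOSTS = {"api.example.com"}


def is_allowed_outbound_url(url):
    """Default-deny check for a user-supplied URL before the server fetches it.
    Anything that is not http(s) to an allowlisted hostname is refused, which
    covers internal addresses, non-web schemes and userinfo tricks (user@host)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo and port, so "https://api.example.com@other/"
    # yields "other", not the allowlisted name, and is rejected.
    return parsed.hostname in ALLOWED_OUTBOUND_HOSTS


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, crafted))  # every row comes back
    print("safe:      ", find_user_safe(db, crafted))        # nobody has that literal name
    for u in ("https://api.example.com/v1/users", "http://10.0.0.5/admin", "file:///etc/hosts"):
        print(u, "->", is_allowed_outbound_url(u))
```

The point of the SSRF check is that it is an allowlist rather than a blocklist: rejecting known internal addresses leaves every alternate encoding and DNS trick untested, whereas naming the few hosts the server legitimately talks to makes everything else fail closed.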