Insecure design is a category of its own and differs from most of the vulnerability classes in the Top 10 list: rather than being a specific flaw that results in an exploitable vulnerability, it concerns the origin of the application's development cycle itself.
It belongs to the design and architecture phase, before any code is written. Wrong decisions during this initial phase of a project can have lasting and potentially severe consequences that lead to functional failures, compromises, and more.
However, insecure design should not be seen as the sole cause of all development vulnerabilities, as vulnerabilities arise from both design and implementation choices. The most common design vulnerabilities include the lack of input validation controls, the disclosure of sensitive information, and the absence of secure communication layers.

| OWASP Top 10 Application Security Risks - 2021 | Reference |
|---|---|
| A04:2021-Insecure Design | OWASP |

At the start of every development project, design choices are made which, if incorrect, negatively impact security (availability, adherence to policies/best practices, information disclosure, and even complete compromise).

Francesco Ongaro