7 Critical OWASP Top 10 Risks Every Web Team Must Address

May 12, 2026
Written By Spida C

OWASP Top 10 risks are not new threats — they are the old threats that keep working because teams keep making the same mistakes. The 2021 list (still the current major version as of 2026, with 2025 updates pending) shifted Broken Access Control to the top spot because it remains the #1 source of real-world breaches. If your security review starts and ends with “we run Snyk on dependencies,” you are missing most of the actual attack surface. Here is what to focus on.

Broken Access Control Is Still Number One

The most common breach pattern is shockingly mundane: a logged-in user changes an ID in a URL and gets data they should not see. Insecure direct object references (IDOR), missing authorization checks on API endpoints, and over-permissive default roles dominate real-world incidents.

The fix is architectural: enforce authorization at the data layer, not the controller layer. Every database query for user-owned resources should include the owner ID in the WHERE clause, and your ORM should make it hard to forget. The OWASP Top 10 project page has detailed prevention guidance for each category.
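As an added example (not code from the original article), here is the controller-layer lookup that produces the IDOR described above, beside a repository that scopes every query to the authenticated owner so the check cannot be forgotten; the SQLite schema and rows are constructed for the demo.

```python
import sqlite3
from typing import Optional

def setup_db() -> sqlite3.Connection:
    """Constructed in-memory schema and sample rows (not from the original article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, total REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, 100, 42.0), (2, 200, 99.5), (3, 100, 7.25)])
    return conn

def get_invoice_idor(conn: sqlite3.Connection, invoice_id: int) -> Optional[tuple]:
    """Controller-layer lookup: parameterized, so no SQL injection, but it trusts the
    ID from the URL and never asks who is calling. A logged-in user who changes the
    ID gets another owner's invoice: the IDOR pattern described in the text."""
    return conn.execute("SELECT id, owner_id, total FROM invoices WHERE id = ?",
                        (invoice_id,)).fetchone()

class InvoiceRepo:
    """Data-layer repository bound to one authenticated owner. Every query carries
    owner_id in its WHERE clause, so no caller can reach a row without it and the
    authorization check cannot be forgotten in a new controller."""

    def __init__(self, conn: sqlite3.Connection, owner_id: int):
        self.conn = conn
        self.owner_id = owner_id

    def get(self, invoice_id: int) -> Optional[dict]:
        row = self.conn.execute(
            "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
            (invoice_id, self.owner_id)).fetchone()
        # None for both "does not exist" and "belongs to someone else", so the
        # response does not reveal whether another user's invoice ID is valid.
        return None if row is None else {"id": row[0], "owner_id": row[1], "total": row[2]}

    def list_ids(self) -> list:
        rows = self.conn.execute("SELECT id FROM invoices WHERE owner_id = ? ORDER BY id",
                                 (self.owner_id,))
        return [r[0] for r in rows]

    def set_total(self, invoice_id: int, total: float) -> bool:
        """Writes are scoped the same way; rowcount tells the caller whether the row
        was really theirs, with no separate check that a developer could omit."""
        cur = self.conn.execute("UPDATE invoices SET total = ? WHERE id = ? AND owner_id = ?",
                                (total, invoice_id, self.owner_id))
        return cur.rowcount == 1
```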

Cryptographic Failures Hide in Plain Sight

The bar for “encrypted in transit and at rest” is now table stakes. The interesting failures are subtler: storing passwords with fast hashes (use bcrypt, scrypt, or argon2id with appropriate cost parameters), encrypting sensitive fields with deterministic encryption that allows pattern analysis, or rolling your own crypto for “performance reasons.”

Use vetted libraries and KMS-backed key management. AWS KMS, Google Cloud KMS, and HashiCorp Vault each solve the key management problem better than anything you will build in-house.
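An added example, not from the article: password storage with scrypt from Python's standard library (one of the three slow hashes named above; argon2id needs a third-party package), recording the cost parameters with every hash so they can be raised later and legacy fast-hash records can be detected. The parameter values and record format are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters for the example (constructed; raise N for production hardware,
# OWASP's scrypt guidance is N=2^17, r=8, p=1). Stored with every hash so they
# can be increased later and old records re-hashed on the next successful login.
SCRYPT_LOG_N = 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

def hash_password(password: str) -> str:
    """Salted, memory-hard hash in a self-describing record:
    $scrypt$ln=14,r=8,p=1$<salt>$<digest>. A fresh random salt per password means
    two users with the same password get different records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** SCRYPT_LOG_N,
                            r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"$scrypt$ln={SCRYPT_LOG_N},r={SCRYPT_R},p={SCRYPT_P}${_b64(salt)}${_b64(digest)}"

def _parse(stored: str):
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "scrypt":
        return None
    params = dict(kv.split("=") for kv in parts[2].split(","))
    return {k: int(v) for k, v in params.items()}, base64.b64decode(parts[3]), base64.b64decode(parts[4])

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored string and compare in
    constant time, so a mismatch does not leak how many bytes matched."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    p, salt, expected = parsed
    actual = hashlib.scrypt(password.encode(), salt=salt, n=2 ** p["ln"], r=p["r"],
                            p=p["p"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)

def needs_rehash(stored: str) -> bool:
    """True for records that are not scrypt (e.g. a legacy fast hash such as bare
    SHA-256) or that were hashed with a lower cost than the current policy."""
    parsed = _parse(stored)
    return parsed is None or parsed[0]["ln"] < SCRYPT_LOG_N
```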

Injection Has Evolved Beyond SQL

Parameterized queries killed most SQL injection a decade ago, but injection moved up the stack. NoSQL injection through unvalidated MongoDB filter objects, command injection through shell calls in worker queues, LDAP injection in enterprise auth, and template injection in server-rendered email templates are all alive and well.

The pattern is the same: never construct queries by concatenating user input. Use prepared statements, parameterized queries, or strict allowlists. Combine with the practices in our AI-powered cybersecurity guide for modern detection capabilities.
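Added example (not from the article) of the NoSQL case named above: a login filter that copies decoded JSON straight into a MongoDB-style query document, beside a scalar-only allowlisted builder and a detection helper that flags operator keys in client input. The field allowlist is constructed, and no database driver is needed to show how the filter is built.

```python
from typing import Any, Iterable

SEARCH_FIELDS = ("title", "status")  # constructed allowlist of client-filterable fields
MAX_VALUE_LEN = 256

def login_filter_unsafe(body: dict) -> dict:
    """Vulnerable pattern: decoded JSON values are copied into the filter as-is, so a
    value that arrives as an object is evaluated by MongoDB as a query operator."""
    return {"username": body["username"], "password_hash": body["password"]}

def contains_operator(value: Any) -> bool:
    """Detection helper: True if any key anywhere in a decoded JSON value begins
    with '$'. Handy for flagging request bodies in middleware or log review."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False

def filter_problems(body: dict, fields: Iterable[str]) -> list:
    """Every field that will become part of a filter must be a present, bounded,
    non-empty string. Scalars only: no dicts or lists ever reach the query."""
    problems = []
    for field in fields:
        value = body.get(field)
        if not isinstance(value, str):
            problems.append(f"{field}: expected string, got {type(value).__name__}")
        elif not 0 < len(value) <= MAX_VALUE_LEN:
            problems.append(f"{field}: length out of range")
    return problems

def build_filter(body: dict, fields: Iterable[str]) -> dict:
    fields = tuple(fields)
    problems = filter_problems(body, fields)
    if problems:
        raise ValueError("; ".join(problems))
    return {f: body[f] for f in fields}

def login_filter(body: dict) -> dict:
    """Hardened lookup: only the username is part of the query. The password is
    checked in application code against the stored hash, never inside the filter."""
    return build_filter(body, ("username",))

def search_filter(params: dict) -> dict:
    """Allowlisted, scalar-only search filter: unknown field names are rejected."""
    unknown = sorted(set(params) - set(SEARCH_FIELDS))
    if unknown:
        raise ValueError(f"unknown filter fields: {unknown}")
    return build_filter(params, [f for f in SEARCH_FIELDS if f in params])
```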

Insecure Design Cannot Be Patched Later

This category was added because too many “vulnerabilities” are not implementation bugs — they are design flaws. Password reset flows that leak account existence, business logic that allows negative quantities in checkout, rate limits that protect login but not signup.

Threat modeling at design time is the answer, and it is not as heavyweight as people fear. A 30-minute whiteboard session with the question “how would I abuse this?” catches more bugs than any scanner. Document the trust boundaries and review them in code review.

Software Supply Chain Is the New Frontier

Supply chain attacks like the xz-utils backdoor and various npm package takeovers have made dependency management a security concern, not just a maintenance one. Pin your dependencies, use lockfiles, audit critical paths, and consider tools like Socket.dev or GitHub’s dependency review.

The SLSA framework documentation defines maturity levels for build pipeline integrity. Most teams should target SLSA Level 2 (signed provenance) as a baseline.

Wrap Up

OWASP Top 10 risks remain at the top of the list because the fixes require organizational discipline, not new tooling. Authorization at the data layer, vetted crypto libraries, parameterized queries, threat modeling, and supply chain hygiene are the unglamorous practices that actually prevent breaches. Combine these with CI/CD pipeline setup that automates security checks and you have a defense-in-depth posture worth having.

Frequently Asked Questions

Are SAST tools worth running in CI?

Yes for catching obvious issues, but treat them as a floor, not a ceiling. They produce false positives and miss logic flaws. Pair them with manual code review and threat modeling.

Should small teams hire a security consultant?

A one-time architecture review and threat model from a competent consultant is one of the highest-ROI security investments a small team can make. Quarterly is overkill; annually is reasonable.

How often should we rotate secrets?

Automated rotation every 90 days for service credentials, immediately on any suspected compromise, and on personnel changes for any human-held secret. Use a secrets manager so rotation is mechanical.

Is OAuth more secure than JWTs?

They solve different problems. OAuth is an authorization framework; JWTs are a token format. Most JWT misuse comes from rolling your own token validation — use a library and verify signatures correctly.

How do I justify security work to product?

Frame in business terms: cost of a breach, customer trust, compliance gates blocking enterprise sales. Specific historical incidents in your industry are more persuasive than abstract risk.