A good place to launch cybersecurity learning, or to brush up, is OWASP, the Open Worldwide Application Security Project, an organization working to improve software security. Its Top Ten details the leading vulnerability categories for the year. And this year's winners are...
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery
I'll dive into each vulnerability in a series of posts defining the risk, well-known incidents and defensive practices. I'll start with Broken Access Control: users are given, or gain, access to information or privileges within an application outside the role of their account. Take Alice as an example. She works for a bank. She's never told anyone, but she uses a bank application that seems to grant her more privilege than she thinks she should have. If Alice isn't a model employee, she may be able to access information or take actions within the application that could harm customer relations or the business.
I'll begin a deeper dive tomorrow regarding Broken Access Control.
Open Worldwide Application Security Project (2025, September 15) “Top 10 Web Application Security Risks” https://owasp.org/www-project-top-ten/
Broken Access Control
(Been gone a while. Nasty illness.)
In 2019 Capital One experienced a cloud data breach. Roughly 100 million accounts could potentially be affected, and the issue resulted in legal action. What the bad actor, Paige Thompson, extracted included Social Security numbers, bank account numbers, personal information, credit scores and more.
Paige had worked for AWS, which Capital One used. She found her way through a firewall, and the data bucket behind it wasn't properly configured: it allowed privileges that should have been restricted.
CNN Business (2019, July 30) “A hacker gained access to 100 million Capital One credit card applications and accounts” https://www.cnn.com/2019/07/29/business/capital-one-data-breach
Where did Capital One's configuration falter? First, their firewall rules were not restrictive enough to filter out the intrusion. Secondly, the data bucket itself allowed Paige to extract data that, on a zero trust basis, should have been restricted. Not many more specific details are available. Data has its best chance of staying secure when nestled under many layers of defense.
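Both the Alice scenario and the over-permissive bucket come down to the same missing check: the application never asks whether this caller's role allows this action on this particular record. Here is an added example (mine, not from the post or from any real bank's code) of a toy back end with the broken check beside a deny-by-default, object-level one; the roles, accounts and names are all constructed.

```python
"""Added example, not from the post: object-level access control in a toy bank
back end, modelled on the Alice scenario. Roles, accounts and names are
constructed for illustration, not taken from Capital One or any real system."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:
    username: str
    role: str  # constructed roles: "teller", "auditor" or "admin"

# Constructed sample records: account id -> customer, assigned teller, balance
ACCOUNTS = {
    "acct-1001": {"customer": "bob", "teller": "alice", "balance": 2500},
    "acct-1002": {"customer": "carol", "teller": "dave", "balance": 91000},
}

# Role -> action matrix. Deny by default: anything not listed is forbidden.
PERMISSIONS = {
    "view": {"teller", "auditor", "admin"},
    "freeze": {"admin"},
}

def view_account_broken(user: Employee, acct_id: str) -> dict:
    """Broken access control: being logged in is the only check, so Alice can
    read any customer's account, not just the ones assigned to her."""
    if user is None:
        raise PermissionError("login required")
    return ACCOUNTS[acct_id]

def authorize(user: Employee, action: str, acct_id: str) -> None:
    """Deny-by-default check: the role must allow the action AND, for tellers,
    the record must be one assigned to them (object-level authorization)."""
    if user is None:
        raise PermissionError("login required")
    if user.role not in PERMISSIONS.get(action, set()):
        raise PermissionError(f"{user.username}: '{action}' not allowed for {user.role}")
    record = ACCOUNTS.get(acct_id)
    # An unknown account gets the same error as a forbidden one: no hint either way.
    if record is None or (user.role == "teller" and record["teller"] != user.username):
        raise PermissionError(f"{user.username}: not authorized for {acct_id}")

def view_account(user: Employee, acct_id: str) -> dict:
    authorize(user, "view", acct_id)
    return ACCOUNTS[acct_id]

def freeze_account(user: Employee, acct_id: str) -> bool:
    authorize(user, "freeze", acct_id)
    ACCOUNTS[acct_id]["frozen"] = True
    return True
```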
Cryptographic Failure
Cleartext data is not secure data. Weakly encrypted data is not secure data either. One thing about securing data is that the bar always moves further out: an organization is only so many months, possibly a year, away from having to re-assess whether the cryptography protecting its data storage is still up to date.
Governments in the EU have a set of privacy laws to curtail leaking cleartext personal information, the GDPR (General Data Protection Regulation). Financial institutions have their own standard, PCI DSS (Payment Card Industry Data Security Standard). The US government has an entire organization for standards in general, NIST (National Institute of Standards and Technology).
NIST lists several cryptography programs for various applications, such as block ciphers, cryptographic hash algorithms, key establishment, post-quantum cryptography, lightweight cryptography and privacy-enhancing cryptography.
NIST (2025, November 2) “CRYPTOGRAPHY” https://www.nist.gov/cryptography
The point is that there are many ways to skin a cat. Organizations have guidelines, laws and standards. The final say belongs to the system architects. On top of these come appliances: hardware security modules, VPNs, firewalls and intrusion prevention systems. And probably others I am leaving out.
Yahoo’s data breach of 2013 exposed a combination of encrypted and unencrypted information. Some of the billions of personal data records were hashed with MD5, which was widely seen as vulnerable as early as 1996.
Wikipedia (2025, November 2) “Yahoo data breaches” https://en.wikipedia.org/wiki/Yahoo_data_breaches
Wikipedia (2025, November 2) “MD5” https://en.wikipedia.org/wiki/MD5
OWASP strongly recommends not storing personal or personally identifiable data at all, or else for as short a time as possible. Even when data is encrypted at rest, it may be exposed in the clear while in use or in transit over the web, through interception.
OWASP (November 2, 2025) “A02:2021 – Cryptographic Failures” https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
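To make the MD5 point concrete, here is an added example (mine, not from the post, Yahoo or OWASP) that puts a 1990s-style unsalted MD5 password store beside a salted, iterated PBKDF2 store whose work factor is recorded so it can be raised later, which is what "the bar always moves further out" means in practice. The usernames, passwords and iteration counts are constructed.

```python
"""Added example, not from the post: why unsalted MD5 fails as a password store,
and a salted, iterated alternative whose work factor can be raised over time.
Sample passwords are constructed; the iteration count is a parameter."""
import hashlib
import hmac
import os
from typing import Optional

def md5_store(password: str) -> str:
    """What an old system did: unsalted, fast, one fixed digest per password."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_lookup(stored: str, candidates: list) -> Optional[str]:
    """Because there is no salt, a precomputed table of common passwords
    reverses a leaked digest instantly, and every user who chose that
    password shares the identical digest."""
    table = {md5_store(p): p for p in candidates}
    return table.get(stored)

def pbkdf2_store(password: str, iterations: int) -> dict:
    """Salted, iterated hash: a fresh 16-byte salt per user, and the work factor
    saved alongside the hash so verification can replay it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iters": iterations,
            "salt": salt.hex(), "hash": digest.hex()}

def pbkdf2_verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iters"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])

def needs_rehash(record: dict, current_iterations: int) -> bool:
    """The bar moves: when policy raises the work factor, stale records are
    flagged and re-hashed at the user's next successful login."""
    return record["alg"] != "pbkdf2-sha256" or record["iters"] < current_iterations
```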
Injection
A single word sums up the entire concept. Like a nurse bending over a child and sticking a needle in the bum, injection puts something unintended somewhere no one (the admins) thought of putting it, and makes things happen.
SQL injection is the best-known type. It’s been around since websites and SQL were first combined. A bad actor types SQL fragments into a form or input field on a website that lacks data validation, and admin status may be granted.
OWASP lists many other types, such as NoSQL, OS command, Object Relational Mapping (ORM), LDAP, Expression Language (EL) or Object Graph Navigation Library (OGNL) injection.
OWASP (November 3, 2025) “A03:2021 – Injection” https://owasp.org/Top10/A03_2021-Injection/
SQL injection attacks fall into three classes:
In-band: data is extracted straight into the web page. Out-of-band: another channel, such as email, carries the data out. Inferential or blind: requests are sent to the server and the responses are reviewed for how the server reacts.
Many techniques are available for an admin to prevent injection. Essentially, they center on keeping user input from being interpreted as part of a database query.
OWASP (November 3, 2025) “A03:2021 – Injection” https://owasp.org/Top10/A03_2021-Injection/
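As an added example (mine, not from the post or from OWASP), here is the same username lookup written the injectable way and the parameterized way against a constructed in-memory SQLite table, plus an allowlist validation layer in front of it. It shows why the fix is binding parameters rather than stripping quotes: a legitimate name like o'brien breaks the concatenated query but works fine when bound.

```python
"""Added example, not from the post: a login-name lookup written the injectable
way and the parameterized way, run against a constructed in-memory SQLite table."""
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 0), ("o'brien", 0), ("root", 1)])  # constructed rows
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the input becomes part of the SQL text, so a
    quote in the input rewrites the query (or simply breaks it)."""
    sql = "SELECT name, is_admin FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver sends the input as a bound value, so it
    can never be parsed as SQL, and a legitimate apostrophe still works."""
    return conn.execute("SELECT name, is_admin FROM users WHERE name = ?",
                        (name,)).fetchall()

# Assumed allowlist for this toy app's usernames; real rules depend on the app.
NAME_RE = re.compile(r"^[a-z0-9.'_-]{1,32}$")

def find_user_validated(conn: sqlite3.Connection, name: str) -> list:
    """Defense in depth: reject input that is not even a plausible username
    before it reaches the database, and still bind the parameter underneath."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return find_user_safe(conn, name)
```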
Insecure Design
Security staff and developers work together to create a product focused on trust, confidentiality and integrity. No product or app is perfect. Combating future vulnerabilities, including zero days, takes planning and forethought.
A proven development model that incorporates security guidelines and testing is key. Agile development is one in which development never ends: the model builds testing, review and planning into its cycle of continuous improvement.
Equifax in 2019 suffered a massive exploitation of personal information. The PI of 147 million people was stolen. Equifax did not fix the issue until several months later. The company was fined $700 million.
Security Journey (2025) “OWASP Top 10 Insecure Design Explained” https://www.securityjourney.com/post/owasp-top-10-insecure-design-explained
Bad actors exploited a security gap in a tool for building web apps to take the data. The company’s CEO resigned over the incident.
CNN Business (July 22, 2019) “Equifax exposed 150 million Americans’ personal data. Now it will pay up to $700 million” https://www.cnn.com/2019/07/22/tech/equifax-hack-ftc/index.html
Applications need to be designed on a need-to-know or need-to-use basis. Defense in depth means walling off information and parts of systems to minimize crossover.