RagTags for ResCommunes

the machines have taken over

OWASP Top 10 A04:2021 – Insecure Design

Insecure Design refers to flaws in how a system is planned, not just how it is implemented. These aren’t coding bugs; they are structural weaknesses where a needed control was never designed in, so even a bug-free implementation of the design is insecure.

Examples:
- No limit on failed login attempts, so nothing stops an online brute-force attack.
- Critical features with no access control, because none was ever specified for them.
- Business logic that can be abused (e.g., a discount code applied to the same order more than once).
- Security checks enforced only in the front end, so anyone who skips the UI and calls the API directly skips the check.

This category is about missing security controls, not broken ones. The problem starts early - poor threat modeling, vague requirements, or designs that prioritize features over safety.

Unlike coding errors, insecure design can’t be patched easily. It usually requires changes to architecture, logic, or user workflows.

To prevent it:
- Do threat modeling early, while the design can still change cheaply.
- Define misuse cases (how would an attacker abuse this feature?), not just use cases.
- Apply secure design patterns: rate limiting and lockout, server-side role checks, input validation, single-use tokens.
- Involve security in planning and design review, not just in testing.
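To make the examples and the controls concrete, here is an added illustration (not code from this post or from OWASP): the same three features, login, an admin action and a discount code, built twice. `InsecureShop` has the design flaws listed above; `SecureShop` offers identical functionality but treats brute force, missing authorization and discount stacking as misuse cases and enforces the controls on the server. Class names, thresholds, users and order data are all assumptions made for the example.

```python
"""Added example: insecure vs secure design of a small shop service.
Hypothetical code; names, thresholds and sample data are assumptions."""
import hmac
import secrets
import time

MAX_FAILED_LOGINS = 5     # assumed: failures allowed before lockout
LOCKOUT_SECONDS = 300     # assumed: how long the lockout lasts


class InsecureShop:
    """Features work, but no misuse case was considered at design time."""

    def __init__(self, users, discounts, orders):
        self.users = users          # {username: (password, role)}
        self.discounts = discounts  # {code: percent_off}
        self.orders = dict(orders)  # {order_id: total}

    def login(self, username, password):
        # Unlimited attempts: nothing stops an online brute-force attack.
        rec = self.users.get(username)
        return rec is not None and rec[0] == password

    def admin_action(self, is_admin):
        # Trusts a flag the client sends; the role check lives only in the front end.
        return "ok" if is_admin else "denied"

    def apply_discount(self, order_id, code):
        # Nothing records that the code was already used, so it stacks on every call.
        pct = self.discounts.get(code, 0)
        self.orders[order_id] = round(self.orders[order_id] * (100 - pct) / 100, 2)
        return self.orders[order_id]


class SecureShop:
    """Same features; the controls are part of the design and enforced server-side."""

    def __init__(self, users, discounts, orders, now=time.monotonic):
        self.users = users
        self.discounts = discounts
        self.orders = dict(orders)
        self.now = now          # injectable clock so lockout expiry is testable
        self.failed = {}        # username -> (count, time of first failure)
        self.sessions = {}      # session token -> role
        self.redeemed = {}      # order_id -> set of codes already applied

    def login(self, username, password):
        """Return a session token, or None on bad credentials or a locked account."""
        count, first = self.failed.get(username, (0, 0.0))
        if count >= MAX_FAILED_LOGINS:
            if self.now() - first < LOCKOUT_SECONDS:
                return None            # locked out, even if the password is right
            self.failed.pop(username)  # lockout window elapsed; start counting again
        rec = self.users.get(username)
        # Constant-time compare; an unknown user compares against a dummy value so
        # timing does not reveal which usernames exist.
        stored = rec[0] if rec else "\0"
        if not hmac.compare_digest(stored.encode(), password.encode()) or rec is None:
            cnt, first = self.failed.get(username, (0, self.now()))
            self.failed[username] = (cnt + 1, first)
            return None
        self.failed.pop(username, None)
        token = secrets.token_hex(16)
        self.sessions[token] = rec[1]  # role is bound to server state, not to the client
        return token

    def admin_action(self, token):
        # Authorization is decided from the server-side session; the client only presents a token.
        return "ok" if self.sessions.get(token) == "admin" else "denied"

    def apply_discount(self, order_id, code):
        """One discount per order, tracked on the server; repeat calls change nothing."""
        used = self.redeemed.setdefault(order_id, set())
        pct = self.discounts.get(code)
        if pct is None or used:
            return self.orders[order_id]   # unknown code, or a discount already applied
        used.add(code)
        self.orders[order_id] = round(self.orders[order_id] * (100 - pct) / 100, 2)
        return self.orders[order_id]


# Constructed sample data for the example.
USERS = {"alice": ("hunter2", "user"), "root": ("s3cret!", "admin")}
DISCOUNTS = {"SAVE10": 10}
ORDERS = {"o1": 100.0}

if __name__ == "__main__":
    bad = InsecureShop(USERS, DISCOUNTS, ORDERS)
    print(bad.apply_discount("o1", "SAVE10"), bad.apply_discount("o1", "SAVE10"))    # 90.0 81.0
    good = SecureShop(USERS, DISCOUNTS, ORDERS)
    print(good.apply_discount("o1", "SAVE10"), good.apply_discount("o1", "SAVE10"))  # 90.0 90.0
```

Note what changed between the two classes: no line of `InsecureShop` is a bug in the usual sense, every method does what its name says. The fixes are design decisions, such as where the role is stored, what state the server keeps about past attempts and redemptions, and what the login function returns, which is why they cannot be bolted on by patching a single line later.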

Security isn’t a patch - it’s a design decision.