RagTags for ResCommunes

the machines have taken over

OWASP Top 10 (2021)

The OWASP Top 10 (2021) is a curated list of the most critical security risks to web applications. It’s not just for security teams - every developer should understand these risks. Below is a short summary of each, along with why or when it matters most.

  1. Broken Access Control
    Occurs when users can access things they shouldn’t. Always important in systems with roles, permissions, or private data.

  2. Cryptographic Failures
    Happens when sensitive data isn't encrypted or is handled poorly. Critical in login systems, APIs, and anything storing PII.

  3. Injection
    Letting user input alter backend commands (SQL, shell, etc.). High risk anywhere raw input hits queries or code.

  4. Insecure Design
    Security wasn’t considered early enough. Important during planning, especially in complex or high-trust systems.

  5. Security Misconfiguration
    Dangerous defaults, exposed tools, or unused features left on. Should be part of every deployment checklist.

  6. Vulnerable & Outdated Components
    Outdated libraries often contain known vulnerabilities. This matters in any project that includes third-party code - which is nearly all modern software.

  7. Identification & Authentication Failures
    Bad login and session handling. Key for protecting accounts and APIs.

  8. Software & Data Integrity Failures
    Trusting code or data from unverified sources, including unsigned or unchecked updates. Matters in CI/CD pipelines, package installs, and auto-updating systems.

  9. Security Logging & Monitoring Failures
    Without logs and alerting, attacks go unnoticed. Logging matters in production, during audits, and for incident response.

  10. Server-Side Request Forgery (SSRF)
    When a server is tricked into making internal requests. Especially dangerous in cloud or internal-only apps.
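As an added example for item 3 (not part of the original post), a lookup written two ways against an in-memory SQLite table with constructed sample rows: the string-built query lets the input rewrite the WHERE clause, while the parameterised query treats it strictly as data.

```python
import sqlite3

# Constructed sample data for the demonstration; nothing here comes from a real system.
SAMPLE_USERS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
    (3, "carol", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Builds the SQL text from user input, so the input can change the query itself."""
    query = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Passes the input as a bound parameter: it is compared as a value, never parsed as SQL."""
    query = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name: str) -> tuple[int, int]:
    """Return (row count from the vulnerable lookup, row count from the safe lookup)."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both lookups agree.
    print(compare("alice"))            # (1, 1)
    # Input containing SQL syntax: the string-built WHERE clause becomes always-true
    # and returns every row; the parameterised query simply matches nothing.
    print(compare("' OR '1'='1"))      # (3, 0)
```

The same rule applies to shell commands and other interpreters named in item 3: pass input as arguments to an API that does not re-parse it, never by splicing it into command text.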

Treat this list as a mindset, not just a checklist.