OWASP Top Ten: Insecure Design

Alex Archondakis

Managing Consultant

Alex is one of our managing consultants here at Pentest People. Focusing mainly on web application penetration testing. Alex has spoken at many key events while with us, including BSides London and even DSS ITSEC Latvia.

OWASP Top Ten: Insecure Design

A new addition to the OWASP Top Ten, Insecure design is one of the leading causes of data breaches today. By understanding and avoiding these patterns, you can make your Web Applications more secure. In this blog post, we will give you a brief overview of Insecure Design and provide tips on how to avoid this vulnerability in your own applications.

What is Insecure Design?

This is focused on the risks associated with flaws in design and architecture. It focuses on the need for threat modelling, secure design patterns, and principles. The flaws in the designs are not something that can be rectified by an implementation.

How Can This be Exploited?

To exploit this, attackers can threat model workflows in the software to reveal a broad range of vulnerabilities and weaknesses. These vulnerabilities arise when developers, QA, and/or security teams fail to anticipate and evaluate threats during the code design phase. As the threat landscape evolves, mitigating design vulnerabilities requires consistent threat modelling to prevent known attack methods.

How Do You Prevent Vulnerabilities Being Exploited From Insecure Design?

To protect your applications, there are multiple practices to be aware of that can save your business. One of the best practices is to define your security rules, checks and access controls in each user story.

Another security measure is using threat modelling assessment processes per each component and feature, along with many more measures you can monitor to ensure your safety from vulnerabilities being exploited. Insecure design is a leading cause of data breaches. By understanding and avoiding insecure design patterns, you can make your applications more secure.

Here at Pentest People, we are actively identifying security vulnerabilities in your systems defences in order to mitigate them, in the event of a real-life hacker attempting to exploit your business’s weaknesses.

Watch our Consultant Explain Insecure Design in Under a Minute!

Video/Audio Transcript