OWASP Top 10 - Understanding and Remediating the Most Critical Web Application Security Risks

A complete guide to OWASP Top 10 2021 — what each vulnerability is, real-world exploitation examples, how to detect it, and how to remediate and build lasting defences into your development lifecycle.

OWASP Top 10: The Developer and Security Leader's Guide to Web Application Security

The OWASP Top 10 is the most widely referenced application security awareness document in the world. Maintained by the Open Web Application Security Project (OWASP), the Top 10 represents a broad consensus about the most critical security risks to web applications — based on data from hundreds of contributing organisations and thousands of applications assessed. Understanding these risks and building defences against them is the foundation of any application security program.


A01 — Broken Access Control

What it is: Failure to enforce restrictions on what authenticated users are allowed to do. Attackers exploit broken access control to act as other users or administrators, access unauthorised functionality, or manipulate records they shouldn't be able to touch.

Common manifestations: Insecure Direct Object References (IDORs) — changing a parameter like ?account=12345 to ?account=12344 to access another user's account. Missing function-level access control — an API endpoint that returns admin data to any authenticated user. Elevation of privilege — accessing admin functionality without holding the administrator role.

Detection: Automated scanning catches some access control issues, but manual testing and code review are essential. Look for direct object references, missing authorisation checks on API endpoints, and client-side-only access control that can be bypassed.

Remediation: Implement access control centrally and deny by default — every resource access requires an explicit authorisation decision. Enforce record-level access controls server-side. Log access control failures and alert on patterns of denied access.
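The IDOR pattern from the manifestations above, next to a lookup that routes every access through a central, deny-by-default policy and counts denials for alerting. This is an added example, not code from the original article; the data model, roles and account numbers are constructed.

```python
# Added example (not from the original article): a record lookup with an IDOR
# beside a version that routes every access through a central, deny-by-default
# policy and logs denials. Data model, roles and account numbers are constructed.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset = frozenset()

# Constructed sample data: account number -> owning user id.
ACCOUNTS = {12344: 1, 12345: 2}

# Denied decisions are counted per user so repeated probing (e.g. walking
# ?account= values) can be alerted on; a real system would ship these to its SIEM.
DENIALS: Counter = Counter()

class Forbidden(Exception):
    """Raised when the central policy denies an access."""

def get_account_insecure(current_user: User, account_id: int) -> dict:
    # IDOR: the id from the request is trusted as-is, so any authenticated
    # user can read any account simply by changing the parameter.
    return {"account": account_id, "owner": ACCOUNTS[account_id]}

def is_authorized(current_user: User, action: str, account_id: int) -> bool:
    """Central policy: True only when an explicit rule allows the access."""
    owner = ACCOUNTS.get(account_id)
    allowed = False
    if owner is not None:  # unknown records are denied like any other, not reported as missing
        if "admin" in current_user.roles:
            allowed = True
        elif action == "read" and owner == current_user.user_id:
            allowed = True
    if not allowed:
        DENIALS[current_user.user_id] += 1
    return allowed

def get_account_secure(current_user: User, account_id: int) -> dict:
    # Server-side, record-level check before any data is touched.
    if not is_authorized(current_user, "read", account_id):
        raise Forbidden(f"user {current_user.user_id} may not read account {account_id}")
    return {"account": account_id, "owner": ACCOUNTS[account_id]}
```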

A02 — Cryptographic Failures

What it is: Weaknesses related to cryptography — or the absence of cryptography — that expose sensitive data. Previously called "Sensitive Data Exposure", the 2021 list reframes this around the root cause: cryptographic failures that allow data to be compromised.

Common manifestations: Transmitting personal data, passwords, or financial information over HTTP rather than HTTPS. Storing passwords in plaintext or with weak hashing algorithms (MD5, SHA-1). Using deprecated encryption algorithms or weak key lengths. Hardcoded cryptographic keys in source code.

Remediation: Encrypt all data in transit using TLS 1.2 or 1.3. Hash passwords using bcrypt, scrypt, or Argon2 with appropriate work factors. Classify data and apply encryption proportionate to sensitivity. Rotate cryptographic keys and secrets regularly. Scan code for hardcoded secrets.
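Salted, tunable password hashing with scrypt from the Python standard library, beside the unsalted MD5 the text warns against; the stored format carries its work factors so they can be raised later. This is an added example, not code from the original article; the storage format and parameter names are this example's own.

```python
# Added example (not from the original article): salted scrypt password hashing
# with stored work factors, beside weak unsalted MD5. Format is this example's own.
import base64
import hashlib
import hmac
import os

# Work factors: raise N (CPU and memory cost) as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def hash_password_weak(password: str) -> str:
    # Unsalted MD5: identical passwords give identical hashes, and the digest
    # is fast enough to brute-force or look up in precomputed tables.
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Store scheme and parameters with the hash so they can be increased later.
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed record: treat as a failed login, never crash
    actual = hashlib.scrypt(password.encode(), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)

def needs_rehash(stored: str) -> bool:
    """True when the record used lower work factors than current policy (rehash on next login)."""
    parts = stored.split("$")
    return parts[0] != "scrypt" or int(parts[1]) < SCRYPT_N
```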

A03 — Injection

What it is: Untrusted data is sent to an interpreter (SQL, OS commands, LDAP, expression language) as part of a query or command, causing the interpreter to execute unintended commands or access unauthorised data.

SQL Injection remains the most common form — injecting SQL code through input fields to manipulate database queries, bypass authentication, extract data, or even execute OS commands on the database server.

Remediation: Use parameterised queries (prepared statements) for all database interactions — this is the single most effective defence against SQL injection. Implement input validation with allowlists. Use ORMs that handle parameterisation automatically. Apply least privilege to database accounts — the application database user should not have DROP TABLE or xp_cmdshell permissions.
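The same user lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database so the difference in behaviour can be observed directly. This is an added example, not code from the original article; the schema, sample row and allowlist rule are constructed, and the allowlist check is defence in depth rather than a substitute for binding (which also applies to an ORM's raw-query escape hatches).

```python
# Added example (not from the original article): the same lookup with
# concatenated SQL and with a parameterised query. Schema and rows are constructed.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-value')")
    return conn

def find_user_insecure(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: untrusted input becomes part of the SQL text, so quote
    # characters in `username` change the structure of the query itself.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def find_user_secure(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised: the driver binds the value; it is data, never SQL text.
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def is_valid_username(username: str) -> bool:
    # Allowlist validation as defence in depth: letters, digits, underscore only.
    return 1 <= len(username) <= 32 and username.replace("_", "").isalnum()
```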

A04 through A10: The Remaining Top 10

A04 — Insecure Design: Security design flaws that cannot be fixed by implementation alone — missing threat modelling, lack of security requirements, insecure design patterns. Remediation requires building security into the design phase through threat modelling, security architecture review, and security-focused design patterns.

A05 — Security Misconfiguration: Insecure default configurations, misconfigured cloud permissions, verbose error messages exposing stack traces, open cloud storage buckets, unnecessary features enabled. Implement hardened configurations, infrastructure as code with security policy checks, and regular configuration scanning.

A06 — Vulnerable and Outdated Components: Using components with known vulnerabilities — outdated libraries, frameworks, and other software with known CVEs. Implement Software Composition Analysis (SCA) in your CI/CD pipeline. Maintain an SBOM (Software Bill of Materials). Patch promptly.

A07 — Identification and Authentication Failures: Weak credential management, missing MFA, weak password policies, insecure session management. Implement MFA, use strong password policies with breach-password checking, set secure session cookie attributes.

A08 — Software and Data Integrity Failures: Code and infrastructure that does not protect against integrity violations — unsigned software updates, insecure CI/CD pipelines, insecure deserialization. Sign all software updates. Verify integrity of external dependencies. Secure your CI/CD pipeline.

A09 — Security Logging and Monitoring Failures: Insufficient logging, monitoring, and alerting that leaves attacks undetected for extended periods. Log all authentication events, access control failures, and input validation failures. Ship logs to a centralised SIEM. Define and test alerting rules.

A10 — Server-Side Request Forgery (SSRF): The application fetches a user-supplied URL without validating it, so an attacker can make the server send requests to internal services, cloud metadata endpoints, or other resources not intended to be publicly accessible. Validate and sanitise all user-supplied URLs. Implement network-level controls to restrict what destinations the server can reach.
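Server-side validation of a user-supplied URL before the server fetches it, covering the A10 remediation above: scheme and host allowlists plus rejection of IP literals in loopback, private and link-local ranges. This is an added example, not code from the original article; the allowlisted hosts are constructed, and in production the hostname would also be resolved and the resolved addresses checked, redirects disabled on the fetch, and egress restricted at the network layer.

```python
# Added example (not from the original article): validating an outbound URL
# before the server requests it. Allowlisted hosts are constructed placeholders.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example-partner.test", "cdn.example-partner.test"}

def is_public_address(host: str) -> bool:
    """False for IP literals in loopback, private, link-local (incl. cloud
    metadata), reserved or multicast ranges. Non-IP hostnames pass here and
    are decided by the allowlist instead."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # not an IP literal (also catches odd forms like "127.1")
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_outbound_url(url: str) -> str:
    """Return the URL unchanged if every check passes, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname or ""  # urlsplit lowercases and strips IPv6 brackets
    if not host:
        raise ValueError("missing host")
    if not is_public_address(host):
        raise ValueError("address range not allowed")
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not allowlisted")
    if parts.port not in (None, 443):  # parts.port raises ValueError on junk ports
        raise ValueError("port not allowed")
    return url

def is_safe_outbound_url(url: str) -> bool:
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False
```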

Why Organisations Choose Savadub

Deep GRC Expertise

Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.

Engineers, Not Just Consultants

We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.

Global and African Regulatory Coverage

We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.

Internal and External Audit Capability

We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.

End-to-End Engagement

From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.

Industries We Serve

Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage

Deliverables You Receive

Working with Savadub, every engagement delivers a concrete set of outputs:

  • Gap Assessment Report — prioritised findings with effort estimates and risk ratings
  • Compliance Roadmap — milestone-based plan from current state to certification or attestation
  • Risk Register — organisational risk register with treatment plans
  • Policy Pack — all required policies authored, reviewed, and approved
  • Technical Control Implementation Evidence — configurations, screenshots, and audit trails
  • Internal Audit Report — independent assessment of control effectiveness
  • Audit Evidence Repository — organised, auditor-ready evidence collection
  • Executive Summary Presentation — board and leadership-ready compliance status
  • Remediation Tracker — structured tracking of open findings and closure evidence
  • Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance

Get Started with Savadub

Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.

Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.

Contact us:

  • Email: grc@savadub.com
  • Phone: +234 816 734 2201
  • WhatsApp: +234 903 234 8435
  • Website: www.savadub.com