Chapter 70. Understanding OWASP Insecure Design and Unmasking Toxic Combinations
Idan Plotnik
In the constantly evolving world of application security, we are seeing unprecedented challenges that traditional testing tools like SAST (static application security testing), SCA (software composition analysis), and DAST (dynamic application security testing) alone cannot solve. They are unable to keep up with the pace of Agile development or to detect the new breed of interconnected, nuanced, and varied risks that modern applications face.
Two often overlooked mechanisms for improving the efficacy and efficiency of application security are the ability to programmatically identify potential design flaws before code has even been written and the ability to connect the dots between disparate types of application risks. The former helps AppSec teams be more proactive and prevent ad hoc work down the line, while the latter helps close the gaps left by siloed tools.
Understand the Implications of Insecure Design
A testament to our dynamic threat landscape is the addition of OWASP A04:2021—Insecure Design as a new category to the OWASP Top 10 in 2021. This signals the need for more proactive and scalable defense strategies to identify application risks stemming from inherent design oversights.
Incorporating threat modeling during the feature design phase and integrating Agile pen testing during feature development is now essential to align with OWASP A04:2021 but faces scalability challenges due to ...