
OWASP TOP 10  /  A04:2021

Insecure Design

Flaws in the architecture and design itself — missing or ineffective security controls that no amount of clean code can fix.

New in 2021, this category recognizes that some weaknesses come from design decisions, not implementation bugs. Examples include missing rate limiting, weak business-logic controls, and inadequate threat modeling.

Secure design means building in controls from the start — threat modeling, secure design patterns, and abuse-case testing.
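To make the two design examples named above concrete, here is an added illustration (written for this page, not OWASP's own code) of the kind of control that has to exist in the design before any implementation can be "secure": a per-key sliding-window rate limiter of the sort a login or password-reset endpoint needs, and a server-side business-logic check on an order that refuses non-positive or oversized quantities and prices the order from the catalog rather than from client-supplied values. The limits, SKU catalog and sample orders are constructed assumptions.

```python
"""Design-level controls for OWASP A04:2021 (added example, not from the page).

Two controls that no amount of clean code elsewhere can substitute for:
  1. a rate limiter on an abuse-prone endpoint (missing rate limiting), and
  2. server-side validation of business rules (weak business-logic control).
All names, limits and sample data below are constructed for illustration.
"""
import time
from collections import deque
from typing import Deque, Dict, List, Optional


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_s` seconds for each key.

    The key is whatever the design decides to throttle on (account id,
    client IP, reset-token recipient, ...). Timestamps are kept per key
    and aged out of the window on each call.
    """

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events.setdefault(key, deque())
        # Drop timestamps that have fallen outside the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False          # over budget: the caller should reject/delay
        q.append(now)
        return True


def attempts_accepted(limiter: Optional[SlidingWindowLimiter], key: str,
                      burst: int, start: float = 0.0) -> int:
    """Simulate `burst` rapid requests for `key` and count how many get through.

    With `limiter=None` (the insecure design) every attempt is accepted.
    """
    accepted = 0
    for i in range(burst):
        now = start + i * 0.01                  # 10 ms apart: a tight burst
        if limiter is None or limiter.allow(key, now=now):
            accepted += 1
    return accepted


# Constructed catalog; prices are integer cents to avoid float rounding.
CATALOG: Dict[str, int] = {"sku-1": 1999, "sku-2": 500}
MAX_QTY_PER_LINE = 10


def validate_order(order: dict) -> List[str]:
    """Return a list of business-rule violations (empty means the order is fine).

    The rules themselves are the design decision: a client must not be able to
    submit negative quantities, unknown SKUs, or wholesale quantities.
    """
    issues: List[str] = []
    for line in order.get("lines", []):
        sku, qty = line.get("sku"), line.get("qty")
        if sku not in CATALOG:
            issues.append(f"{sku!r}: unknown SKU")
            continue
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            issues.append(f"{sku}: quantity must be a positive integer")
        elif qty > MAX_QTY_PER_LINE:
            issues.append(f"{sku}: quantity exceeds {MAX_QTY_PER_LINE} per line")
    return issues


def order_total_cents(order: dict) -> int:
    """Price the order from the server-side catalog only.

    Any `price` field the client sends is deliberately ignored; trusting it
    would be a design flaw regardless of how carefully it was parsed.
    """
    if validate_order(order):
        raise ValueError("order violates business rules")
    return sum(CATALOG[line["sku"]] * line["qty"] for line in order["lines"])


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=5, window_s=60.0)
    print("no limiter:", attempts_accepted(None, "acct-1", 20))
    print("with limiter:", attempts_accepted(limiter, "acct-1", 20))
    bad = {"lines": [{"sku": "sku-1", "qty": -3, "price": 1}]}
    print("violations:", validate_order(bad))
    good = {"lines": [{"sku": "sku-1", "qty": 2, "price": 1}]}
    print("total cents:", order_total_cents(good))
```

The point of the pairing is that both controls are requirements a threat model or abuse case surfaces ("what if a client sends 10,000 login attempts?", "what if the quantity is negative or the price is supplied by the client?"); once they are missing from the design, a code review of the implementation will not find them because there is nothing wrong with the code that is there.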

How to prevent it

Threat-model early, use secure design patterns, establish a secure development lifecycle, and write abuse cases alongside use cases.

Mapped weaknesses (CWE)

Free tools to test for it

Related terms

Part of the OWASP Top 10 reference. See also the CWE weaknesses and Web Security hub.
