If you build or run a web application, the OWASP Top 10 is the most important document you've probably never read. Published by the Open Web Application Security Project, it's a consensus list of the ten most critical security risks facing web applications today.

1. Broken Access Control

Failures here let attackers view other users' data, access admin functions, or perform privileged actions without authorisation.

Fix it: Deny by default. Implement role-based access control server-side. Never trust client-supplied data to determine permissions.
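As an added illustration (not code from the OWASP document or from EX-N), the following Python sketch shows what "deny by default, server-side, never trust the client" looks like in a handler layer. The `USERS` and `DOCUMENTS` tables, the `Role` values and the `Forbidden` exception are all constructed for the example: the point is that a caller's role is looked up from the server-side user record, never taken from a cookie or request body, and that every path which does not explicitly grant access ends in `Forbidden`.

```python
from enum import Enum
from functools import wraps


class Role(Enum):
    USER = "user"
    ADMIN = "admin"


# Constructed user store. The role lives in the server-side record; the client
# never gets to supply it in a cookie, form field or JSON body.
USERS = {
    "alice": {"role": Role.ADMIN},
    "bob": {"role": Role.USER},
}

# Constructed resource store: each document has exactly one owner.
DOCUMENTS = {
    1: {"owner": "bob", "body": "bob's notes"},
    2: {"owner": "alice", "body": "alice's notes"},
}


class Forbidden(Exception):
    """Raised whenever no rule explicitly grants access (the default outcome)."""


def current_role(session_user: str) -> Role:
    """Resolve the caller's role from the authenticated identity, server-side."""
    record = USERS.get(session_user)
    if record is None:
        raise Forbidden("unknown user")
    return record["role"]


def require_role(*allowed: Role):
    """Decorator: the handler runs only if the caller's server-side role is allowed."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(session_user: str, *args, **kwargs):
            if current_role(session_user) not in allowed:
                raise Forbidden(f"{session_user} may not call {handler.__name__}")
            return handler(session_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role(Role.ADMIN)
def delete_user(session_user: str, target: str) -> bool:
    """Function-level check: an admin-only action."""
    USERS.pop(target, None)
    return True


def read_document(session_user: str, doc_id: int) -> str:
    """Object-level check: deny unless the caller owns the document or is an admin."""
    role = current_role(session_user)          # unknown identity fails here first
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise Forbidden("no such document")    # same error as a denial: no existence leak
    if doc["owner"] != session_user and role is not Role.ADMIN:
        raise Forbidden("not the owner")
    return doc["body"]


def can(session_user: str, action, *args) -> bool:
    """Convenience wrapper for callers that want a boolean instead of an exception."""
    try:
        action(session_user, *args)
        return True
    except Forbidden:
        return False
```

The two checks are deliberately separate: `require_role` guards whole functions, while `read_document` performs the per-object ownership check that role-based control alone does not cover. In a real framework the `session_user` argument would come from the authenticated session, never from a request parameter.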

2. Cryptographic Failures

Transmitting sensitive data in cleartext, using weak algorithms like MD5, or mismanaging keys all fall here.

Fix it: Enforce HTTPS. Use AES-256 and TLS 1.2+. Hash passwords with bcrypt or Argon2 — never MD5 or SHA1.

3. Injection

SQL, NoSQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command.

Fix it: Use parameterised queries. Validate all user input. Apply least privilege to database accounts.

4. Insecure Design

Missing or ineffective security controls in the design phase — before a line of code is written.

Fix it: Adopt threat modelling during design. Consider abuse cases alongside use cases.

5. Security Misconfiguration

Default credentials, unnecessary features enabled, verbose error messages, and open cloud storage all qualify.

Fix it: Establish a hardening checklist. Remove unused features. Set HTTP security headers. Scan configurations regularly.
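One way to turn "set HTTP security headers, scan regularly" into something a pipeline can run, as an added example that is not part of the OWASP document or EX-N's tooling: a small audit that compares a response's headers against a baseline checklist and flags banner headers that disclose the server stack. The baseline values and the two sample responses are constructed assumptions; adjust the expected headers to your own policy.

```python
import re

# Illustrative baseline (an assumption, not a universal standard): header name ->
# predicate that says whether the observed value is acceptable.
HSTS_MIN_AGE = 31536000   # one year, in seconds


def _hsts_ok(value: str) -> bool:
    match = re.search(r"max-age=(\d+)", value)
    return match is not None and int(match.group(1)) >= HSTS_MIN_AGE


EXPECTED_HEADERS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": lambda v: "default-src" in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip() != "",
}

# Headers that only serve to advertise the implementation (verbose banners).
DISALLOWED_HEADERS = ("server", "x-powered-by")


def audit_headers(headers: dict) -> list:
    """Return a sorted list of findings; an empty list means the checklist passed."""
    observed = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, acceptable in EXPECTED_HEADERS.items():
        if name not in observed:
            findings.append(f"missing {name}")
        elif not acceptable(observed[name]):
            findings.append(f"weak {name}: {observed[name]!r}")
    for name in DISALLOWED_HEADERS:
        if name in observed:
            findings.append(f"remove {name}: {observed[name]!r}")
    return sorted(findings)


# Constructed sample responses: an out-of-the-box install and a hardened one.
DEFAULT_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}
```

In practice the `headers` dict would come from an HTTP client's response object; running the audit against every environment on a schedule is the "scan configurations regularly" step, and a non-empty result should fail the build or raise a ticket.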

6. Vulnerable and Outdated Components

Using libraries or frameworks with known CVEs is extremely common, and because the flaws are public they are easily exploited.


Fix it: Maintain a dependency inventory. Automate updates with Dependabot. Remove unused dependencies.

7. Identification and Authentication Failures

Weak credential policies, absent MFA, and session management flaws let attackers assume other users' identities.

Fix it: Enforce strong passwords. Implement MFA. Rate-limit auth endpoints. Invalidate sessions on logout.
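The rate-limiting step, as an added example (not code from the OWASP document or from EX-N): a sliding-window limiter keyed on both the account and the source address, so a burst of failures against one account is locked out, and so is one address failing across many accounts. The limits, the `ManualClock`, the `creds_ok` checker and the IP addresses in `simulate` are constructed for the demonstration; password policy, MFA and session invalidation are separate controls not shown here.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """At most `limit` failed attempts per key within any `window` seconds.
    `clock` is injectable so the behaviour can be exercised without sleeping."""

    def __init__(self, limit: int = 5, window: float = 300.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _recent(self, key) -> deque:
        """Drop failures older than the window and return what is left."""
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, key) -> bool:
        return len(self._recent(key)) >= self.limit

    def record_failure(self, key) -> None:
        self._recent(key).append(self.clock())

    def reset(self, key) -> None:
        self._failures.pop(key, None)


def attempt_login(limiter: LoginRateLimiter, creds_ok, username: str,
                  source_ip: str, password: str) -> str:
    """Returns 'locked', 'ok' or 'denied'. The budget check happens BEFORE the
    credentials are examined, so a locked account cannot be probed further."""
    keys = (("user", username), ("ip", source_ip))
    if any(limiter.is_blocked(k) for k in keys):
        return "locked"
    if creds_ok(username, password):
        limiter.reset(("user", username))     # a genuine login clears the account budget
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "denied"


class ManualClock:
    """Constructed clock for demonstrations: time only moves when told to."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def simulate() -> list:
    """Walk through both lockout cases and return the sequence of outcomes."""
    clock = ManualClock()
    limiter = LoginRateLimiter(limit=3, window=60.0, clock=clock)

    def creds_ok(user, password):            # constructed credential check
        return (user, password) == ("alice", "s3cret")

    outcomes = []
    for _ in range(3):                       # three bad passwords for alice
        outcomes.append(attempt_login(limiter, creds_ok, "alice", "198.51.100.7", "wrong"))
    # Even the correct password is refused while the account budget is exhausted.
    outcomes.append(attempt_login(limiter, creds_ok, "alice", "198.51.100.7", "s3cret"))
    clock.t = 61.0                           # window expires
    outcomes.append(attempt_login(limiter, creds_ok, "alice", "198.51.100.7", "s3cret"))
    # One address, three different accounts: the per-IP budget catches spraying.
    for user in ("bob", "carol", "dave"):
        outcomes.append(attempt_login(limiter, creds_ok, user, "203.0.113.9", "wrong"))
    outcomes.append(attempt_login(limiter, creds_ok, "alice", "203.0.113.9", "s3cret"))
    return outcomes
```

Keying on the source address alone is not enough (attackers rotate addresses) and keying on the account alone lets one address spray a weak password across the whole user base, which is why both budgets are checked. In a multi-instance deployment the failure counters would live in shared storage rather than process memory.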

8. Software and Data Integrity Failures

Updates, build pipelines and dependencies whose integrity is assumed rather than verified, such as unsigned software updates and unchecked supply-chain components. The SolarWinds attack is a landmark example.

Fix it: Verify package signatures. Harden your CI/CD pipeline. Maintain a software bill of materials (SBOM).

9. Security Logging and Monitoring Failures

Without adequate logging, breaches go undetected. The industry average for breach detection is over 200 days.

Fix it: Log all auth events and access control failures. Alert on anomalous patterns. Store logs securely.
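To make "log auth events and access control failures, alert on anomalous patterns" concrete, here is an added example (not from the OWASP document or from EX-N) that parses a constructed application log and raises three kinds of alert: repeated failures against one account, one address failing across several accounts, and one user repeatedly hitting access-control denials. The log format, field names, thresholds and IP addresses are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp followed by key=value pairs.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)

# Constructed sample log covering the three patterns plus benign noise.
SAMPLE_LOG = """\
2024-05-01T10:00:01 event=login_failure user=alice ip=198.51.100.7 reason=bad_password
2024-05-01T10:00:02 event=login_failure user=alice ip=198.51.100.7 reason=bad_password
2024-05-01T10:00:03 event=login_failure user=alice ip=198.51.100.7 reason=bad_password
2024-05-01T10:00:04 event=login_failure user=alice ip=198.51.100.7 reason=bad_password
2024-05-01T10:00:05 event=login_failure user=alice ip=198.51.100.7 reason=bad_password
2024-05-01T10:00:09 event=login_success user=alice ip=198.51.100.7
2024-05-01T10:01:00 event=login_failure user=bob ip=203.0.113.9 reason=bad_password
2024-05-01T10:01:01 event=login_failure user=carol ip=203.0.113.9 reason=bad_password
2024-05-01T10:01:02 event=login_failure user=dave ip=203.0.113.9 reason=bad_password
2024-05-01T10:02:00 event=access_denied user=eve ip=192.0.2.44 reason=not_owner
2024-05-01T10:02:01 event=access_denied user=eve ip=192.0.2.44 reason=not_owner
2024-05-01T10:02:02 event=access_denied user=eve ip=192.0.2.44 reason=not_owner
2024-05-01T10:02:03 event=access_denied user=eve ip=192.0.2.44 reason=not_owner
2024-05-01T10:02:04 event=access_denied user=eve ip=192.0.2.44 reason=not_owner
2024-05-01T10:30:00 event=login_failure user=frank ip=198.51.100.8 reason=bad_password
"""


def parse_log(text: str) -> list:
    """Parse lines into dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def _trim(q: deque, now: datetime, window: timedelta) -> None:
    """Discard timestamps that have fallen out of the sliding window."""
    while q and now - q[0] > window:
        q.popleft()


def detect(events: list, window: timedelta = timedelta(minutes=5),
           fail_threshold: int = 5, spray_threshold: int = 3,
           deny_threshold: int = 5) -> list:
    """Return a sorted, de-duplicated list of alert strings."""
    alerts = set()
    failures = defaultdict(deque)    # user -> recent login failures
    denials = defaultdict(deque)     # user -> recent access-control denials
    spray = defaultdict(dict)        # ip   -> {user: time of last failure}
    for e in events:
        ts, user, ip = e["ts"], e["user"], e["ip"]
        if e["event"] == "login_failure":
            q = failures[user]
            q.append(ts)
            _trim(q, ts, window)
            if len(q) >= fail_threshold:
                alerts.add(f"brute_force user={user}")
            targets = spray[ip]
            targets[user] = ts
            for stale in [u for u, t in targets.items() if ts - t > window]:
                del targets[stale]
            if len(targets) >= spray_threshold:
                alerts.add(f"password_spray ip={ip}")
        elif e["event"] == "access_denied":
            q = denials[user]
            q.append(ts)
            _trim(q, ts, window)
            if len(q) >= deny_threshold:
                alerts.add(f"access_probe user={user}")
    return sorted(alerts)
```

The same logic works for streaming input because every counter is windowed; the thresholds are where false-positive tuning happens, and the `access_denied` rule is only possible because the application logs authorisation failures in the first place. Note that the first pattern (five failures followed by a success) would be invisible to a rule that looked only at successful logins.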

10. Server-Side Request Forgery (SSRF)

Attackers trick the server into making requests to arbitrary destinations — including internal services and cloud metadata.

Fix it: Validate all user-supplied URLs. Use an allowlist. Block requests to internal IP ranges.
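The three fixes together, as an added example rather than code from the OWASP document or from EX-N: a URL validator that enforces an allowlist of hosts and schemes, resolves the host, and refuses any address in a loopback, private, link-local (which includes the cloud metadata address), CGNAT or otherwise non-public range. The allowlist, the fake DNS table and the `is_allowed` wrapper are constructed assumptions for the demonstration; the default resolver uses the real `socket.getaddrinfo`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only destinations this service should ever fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}

# Carrier-grade NAT space is neither private nor global in ipaddress's terms,
# so it is listed explicitly.
EXTRA_INTERNAL = (ipaddress.ip_network("100.64.0.0/10"),)


def is_internal(ip: str) -> bool:
    """True for any address that should never be reached on behalf of a user."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return is_internal(str(addr.ipv4_mapped))   # ::ffff:10.0.0.1 is still 10.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified
            or any(addr in net for net in EXTRA_INTERNAL))


def default_resolver(host: str) -> list:
    """Resolve a hostname to every address it maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolver=default_resolver) -> str:
    """Raise ValueError unless the URL is safe to fetch; return the checked IP.
    Returning the address lets the caller connect to exactly what was validated
    (sending the Host header separately) instead of resolving a second time."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")     # also catches host@real-target tricks
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} not on allowlist")
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"host {host!r} does not resolve")
    for ip in addresses:                           # every answer must be public
        if is_internal(ip):
            raise ValueError(f"{host} resolves to internal address {ip}")
    return addresses[0]


def is_allowed(url: str, resolver=default_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS answers so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],             # misconfigured: points inside the network
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])
```

Checking every resolved address, and then connecting to the address that was checked rather than re-resolving, closes the gap where a name returns a public address at validation time and an internal one a moment later. The allowlist does the heavy lifting; the IP-range check is the safety net for when an allowlisted name is misconfigured, as `cdn.example.com` is in the constructed data.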

The OWASP Top 10 is a starting point, not a complete programme. EX-N offers web application security assessments tailored for startups — clear, actionable reports at startup-friendly pricing.