## Control Description
Insecure Design slides two spots from #4 to #6 in the ranking as **[A02:2025-Security Misconfiguration](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/)** and **[A03:2025-Software Supply Chain Failures](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/)** leapfrog it. This category was introduced in 2021, and we have seen noticeable improvements in the industry related to threat modeling and a greater emphasis on secure design. This category focuses on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures. This includes flaws in the business logic of an application, e.g. failing to define which state changes inside an application are unwanted or unexpected. As a community, we need to move beyond "shift-left" in the coding space, to pre-code activities such as requirements writing and application design, which are critical for the principles of Secure by Design (e.g. see **[Establish a Modern AppSec Program: Planning and Design Phase](https://owasp.org/Top10/2025/0x03_2025-Establishing_a_Modern_Application_Security_Program/)**). Notable Common Weakness Enumerations (CWEs) include *CWE-256: Unprotected Storage of Credentials, CWE-269: Improper Privilege Management, CWE-434: Unrestricted Upload of File with Dangerous Type, CWE-501: Trust Boundary Violation, and CWE-522: Insufficiently Protected Credentials.*
Insecure design is a broad category representing different weaknesses, expressed as "missing or ineffective control design." Insecure design is not the source for all other Top Ten risk categories. Note that there is a difference between insecure design and insecure implementation. We differentiate between design flaws and implementation defects for a reason: they have different root causes, take place at different times in the development process, and have different remediations. A secure design can still have implementation defects leading to vulnerabilities that may be exploited. An insecure design cannot be fixed by a perfect implementation, as the needed security controls were never created to defend against specific attacks. One of the factors that contributes to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine what level of security design is required.
Three key parts of having a secure design are:
* Gathering Requirements and Resource Management
* Creating a Secure Design
* Having a Secure Development Lifecycle
### Requirements and Resource Management
Collect and negotiate the business requirements for an application with the business, including the protection requirements concerning confidentiality, integrity, availability, and authenticity of all data assets and the expected business logic. Take into account how exposed your application will be and if you need segregation of tenants (beyond those needed for access control). Compile the technical requirements, including functional and non-functional security requirements. Plan and negotiate the budget covering all design, build, testing, and operation, including security activities.
### Secure Design
Secure design is a culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods. Threat modeling should be integrated into refinement sessions (or similar activities); look for changes in data flows and access control or other security controls. During user story development, determine the correct flow and failure states, and ensure they are well understood and agreed upon by the responsible and impacted parties. Analyze assumptions and conditions for expected and failure flows to ensure they remain accurate and desirable. Determine how to validate the assumptions and enforce the conditions needed for proper behavior. Ensure the results are documented in the user story. Learn from mistakes and offer positive incentives to promote improvements. Secure design is neither an add-on nor a tool that you can add to software.
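The business-logic point above (failing to define which state changes are unwanted) and the "correct flow and failure states" guidance are the same design activity seen from two sides. The following is an added illustration, not code from the OWASP page or any OWASP project: an order workflow whose allowed state transitions and the roles permitted to trigger them are written down as a design artifact and enforced, beside the insecure design that lets any caller set any state. The order states, the role names, and the `OrderStateError` exception are assumptions made for this example.

```python
"""Explicit state-transition design for a checkout flow (added example).

The design decision is the TRANSITIONS table: every state change that is
not listed there is an unexpected state change and becomes a failure state
instead of silently succeeding.
"""
from dataclasses import dataclass, field

# Allowed transitions: current state -> set of next states (assumed workflow).
TRANSITIONS = {
    "created":   {"paid", "cancelled"},
    "paid":      {"shipped", "refunded"},
    "shipped":   {"delivered"},
    "delivered": set(),   # terminal
    "cancelled": set(),   # terminal
    "refunded":  set(),   # terminal
}

# Transitions that only the fulfilment side may trigger (assumed role model).
FULFILMENT_ONLY = {"shipped", "delivered", "refunded"}


class OrderStateError(Exception):
    """Raised when a requested transition was never part of the design."""


@dataclass
class Order:
    order_id: str
    state: str = "created"
    history: list = field(default_factory=list)

    def transition(self, new_state: str, actor_role: str) -> str:
        """Move to new_state only if the design allows it for this actor."""
        allowed = TRANSITIONS.get(self.state, set())
        if new_state not in allowed:
            raise OrderStateError(
                f"{self.order_id}: {self.state} -> {new_state} is not a designed transition")
        if new_state in FULFILMENT_ONLY and actor_role != "fulfilment":
            raise OrderStateError(
                f"{self.order_id}: role {actor_role} may not set {new_state}")
        self.history.append((self.state, new_state, actor_role))
        self.state = new_state
        return self.state


def insecure_transition(order: Order, new_state: str) -> str:
    """Insecure design for contrast: no transition table, so an unpaid order
    can be marked shipped and nothing records who did it."""
    order.state = new_state
    return order.state
```

A design review of the user story produces the TRANSITIONS table and FULFILMENT_ONLY set first; the code then merely enforces what was agreed.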
### Secure Development Lifecycle
Secure software requires a secure development lifecycle, a secure design pattern, a paved road methodology, a secure component library, appropriate tooling, threat modeling, and incident post-mortems that are used to improve the process. Reach out to your security specialists at the beginning of a software project, throughout the project, and for ongoing software maintenance. Consider leveraging the [OWASP Software Assurance Maturity Model (SAMM)](https://owaspsamm.org/) to help structure your secure software development efforts.
The self-responsibility of developers is often underappreciated. Foster a culture of awareness, responsibility, and proactive risk mitigation. Regular exchanges about security (e.g. during threat modeling sessions) can generate a mindset of including security in all important design decisions.