Topic 02

Common Threats: OWASP Top 10 at a Glance

Concept

Most breaches don't come from exotic, genius hacking — they come from a small set of well-known weaknesses, the same ones over and over. The OWASP Top 10 is a widely used list of the most common, most dangerous web-application vulnerabilities. A developer should recognize the big ones and the ideas behind them.

You don't need to memorize all ten or know how to exploit them. The goal is awareness: knowing these categories exist makes you far more likely to avoid them.

It's like a "most common break-in methods" bulletin from the police: know the top handful of techniques burglars actually use, and you can stop most break-ins with a few sensible precautions.

What OWASP Is

OWASP (the Open Worldwide Application Security Project) is a respected non-profit focused on software security, and its flagship is the Top 10 — a regularly updated awareness list of the most critical web-app risks. It's not a complete security plan or a certification; it's a starting point that tells you where the most common, most damaging weaknesses tend to be.

The Headline Risks

A few of the categories come up constantly. Here are the ones worth recognizing by name.

Risk | What it is
Broken access control | Users can reach or change things they shouldn't
Injection | Untrusted input is treated as commands (e.g. SQL injection)
Identification & authentication failures | Weak login lets attackers impersonate users (also called broken authentication)
Security misconfiguration | Insecure defaults, exposed settings, left-open doors

The Common Root

Look closely and a pattern appears: most of these come down to two root mistakes — trusting input you shouldn't (injection happens when user input is treated as a trusted command), and getting permissions wrong (broken access control lets people do what they shouldn't). Treat all input as untrusted until checked, and be careful about who's allowed to do what, and you've defended against a large share of real attacks.

Defense in Depth

No single safeguard is enough, so security uses defense in depth: multiple overlapping layers, so that if one fails, others still protect you. Validate input and check permissions and encrypt data and monitor for trouble — not just one. Like a building with a fence, locked doors, and an alarm, layered defenses mean a single weakness doesn't hand an attacker everything.

The Cadence team runs the reminders feature against the list. Is user input validated before it touches the database (injection)? Can a user only ever see and change their own reminders, never anyone else's (broken access control)? Those two checks alone close off the kinds of holes behind a huge fraction of real-world breaches — no exotic expertise required, just awareness of the common threats.
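The two checks the Cadence team applies above, and the two root mistakes from The Common Root, side by side in code: a reminders lookup that gets both wrong next to one that validates input, uses a parameterized query and enforces ownership. This is an added example, not the course's or Cadence's own code; the reminders table, its columns, the sample rows and the function names are assumed.

```python
import sqlite3

# Constructed in-memory sample data for the reminders scenario (the table,
# columns and rows are assumptions, not from the course).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reminders (id INTEGER, owner TEXT, text TEXT)")
    db.executemany("INSERT INTO reminders VALUES (?, ?, ?)",
                   [(1, "alice", "Dentist 9am"), (2, "bob", "Pay rent")])
    return db

def get_reminder_unsafe(db, user, reminder_id):
    # Both root mistakes at once: the raw request value is spliced into the
    # SQL text, so the database treats input as part of the command
    # (injection), and `user` is never compared with the row's owner
    # (broken access control).
    sql = "SELECT text FROM reminders WHERE id = " + str(reminder_id)
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def parse_reminder_id(value):
    # Input validation: accept only a plain non-negative integer id.
    # Returns the id as an int, or None for anything else.
    s = str(value).strip()
    return int(s) if s.isdigit() else None

def get_reminder_safe(db, user, reminder_id):
    # Layer 1: reject input that is not an id before it touches the database.
    rid = parse_reminder_id(reminder_id)
    if rid is None:
        raise ValueError("reminder id must be an integer")
    # Layer 2: a parameterized query. The driver passes the value as data,
    # never as SQL text, whatever it contains.
    # Layer 3: the ownership check is part of the query, so a user can only
    # ever read their own reminders.
    row = db.execute(
        "SELECT text FROM reminders WHERE id = ? AND owner = ?",
        (rid, user),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # The unsafe lookup hands alice bob's reminder; the safe one does not.
    print(get_reminder_unsafe(db, "alice", 2))  # Pay rent
    print(get_reminder_safe(db, "alice", 2))    # None
    print(get_reminder_safe(db, "alice", 1))    # Dentist 9am
```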

Common Confusions

  • "Hackers use exotic, unstoppable tricks." Most real attacks exploit the same old basics — bad input handling, weak access control. Knowing the common categories defends against the majority of them.
  • "The OWASP Top 10 is a complete security plan." It's an awareness starting point, not a full checklist. It tells you where the biggest risks usually are; real security goes beyond it.
  • "One strong defense is enough." Security uses defense in depth — many overlapping layers. Relying on a single safeguard means one failure exposes everything.

Why It Matters

  • It gives you a real, named map of how software actually gets attacked — and the vocabulary security people use every day.
  • Recognizing that most breaches come from a few common weaknesses is empowering: you can prevent the majority with awareness, not genius.
  • "Injection", "broken access control", and "defense in depth" are core terms you'll meet again in any security discussion.

Knowledge Check

What is the OWASP Top 10?

  • A widely used list of the most common, dangerous web vulnerabilities
  • A complete security plan that fully protects any application by itself
  • An official certification that every web application must legally pass
  • A tool that automatically fixes all of an app's security holes

What is "injection", as a security risk?

  • When untrusted input is treated as commands, like SQL injection
  • When users can reach or change data they shouldn't be able to access
  • When a weak login system lets attackers impersonate real users
  • When the application runs too slowly because of too much input

What two root mistakes underlie many of the common risks?

  • Trusting input you shouldn't, and getting permissions wrong
  • Writing too much code, and not shipping new features fast enough
  • Running the program too slowly, and using up too little memory
  • Choosing the wrong language, and not writing enough documentation

What is "defense in depth"?

  • Multiple overlapping layers of protection, so one failure isn't fatal
  • Putting all of the security effort into just one single strong safeguard
  • Adding security only deep inside the code and never at the surface
  • Making the finished program run faster so attacks have less time