Problem Statement
You are reviewing a new feature. What secure design checks do you do up front to avoid A04: Insecure Design?
Explanation
Define the trust boundaries and data flows before coding. Identify assets, roles, and abuse cases. Decide what must never happen, like cross-tenant data reads, and set server-side controls to prevent it. Add defense in depth for each critical action: validate inputs, authorize every request, and log security events.
Use the OWASP Testing Guide’s sections on modeling and deriving tests to shape these controls early. This avoids bolting on fixes later.
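As an added illustration (not part of the original exercise), the following Python sketch turns the "must never happen" rule above into a server-side control: every read is validated, authorized against the caller's tenant and role, and denials are logged as security events. The record store, tenants, roles and the `Principal`/`SecurityLog` helpers are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample store: record_id -> (owning tenant, payload)
RECORDS = {
    "r1": ("tenant-a", "invoice A1"),
    "r2": ("tenant-b", "invoice B1"),
}


@dataclass(frozen=True)
class Principal:
    """Identity established by the server after authentication (constructed)."""
    user: str
    tenant: str
    roles: frozenset


@dataclass
class SecurityLog:
    """Minimal in-memory security event log (constructed stand-in for a SIEM sink)."""
    events: list = field(default_factory=list)

    def record(self, event: str, **fields) -> None:
        self.events.append({"event": event, **fields})


class Forbidden(Exception):
    """Raised when a request fails authorization."""


def validate_record_id(record_id: str) -> str:
    # Input validation at the entry point: reject malformed ids before any lookup.
    if not isinstance(record_id, str) or not record_id.isalnum() or len(record_id) > 32:
        raise ValueError("invalid record id")
    return record_id


def read_record(principal: Principal, record_id: str, log: SecurityLog) -> str:
    record_id = validate_record_id(record_id)
    row = RECORDS.get(record_id)
    # Authorize every request: the caller needs the 'reader' role AND the record
    # must belong to the caller's own tenant. The tenant comes from the
    # authenticated principal, never from the request, so it cannot be chosen.
    if row is None or row[0] != principal.tenant or "reader" not in principal.roles:
        # Same outcome for 'missing' and 'foreign' records, so no cross-tenant
        # existence oracle; the denial is recorded as a security event.
        log.record("access_denied", user=principal.user, tenant=principal.tenant, record=record_id)
        raise Forbidden("not found or not permitted")
    log.record("record_read", user=principal.user, tenant=principal.tenant, record=record_id)
    return row[1]
```

The same pattern applies to writes and deletes: the tenant filter belongs in the server-side data access layer, so a missing check in one handler cannot open a cross-tenant path.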
Code Solution
Checklist: assets, roles, entry points, authZ checks, logging, rate limits, error handling
