OWASP Top 10 (2021): What Every SaaS Developer Should Know

The OWASP Top 10 is the most referenced web application security standard in the world. When enterprise security teams evaluate your SaaS product, this is their baseline.

The 2021 edition introduced significant changes. Here's what each category means and what you should do about it.

A01:2021 — Broken Access Control

Moved from #5 to #1. The most common web application vulnerability. What it means: Users can act outside their intended permissions — accessing other users' data, modifying data they shouldn't, or escalating privileges. Common patterns in SaaS:

• Direct object references without ownership checks (/api/users/123/data accessible to any authenticated user)
• Missing function-level access control (admin endpoints accessible to regular users)
• CORS misconfiguration allowing unauthorized origins

Fixes:

• Deny by default. Every endpoint checks authorization
• Implement proper RBAC (role-based access control)
• Set X-Frame-Options: DENY to prevent clickjacking
• Configure CORS to specific allowed origins

A02:2021 — Cryptographic Failures

Previously "Sensitive Data Exposure." Focuses on the root cause rather than the symptom. What it means: Sensitive data exposed due to weak or missing encryption. Common patterns in SaaS:

• HTTP used instead of HTTPS (no HSTS)
• Weak TLS configuration (old protocols, weak ciphers)
• Sensitive data in URLs (tokens, passwords in query strings)
• Weak password hashing (MD5, SHA1 without salt)

Fixes:

• Enforce HTTPS with HSTS headers
• Use TLS 1.2+ with strong ciphers
• Use bcrypt or Argon2 for password hashing
• Never store sensitive data in URLs

A03:2021 — Injection

Dropped from #1 to #3 as frameworks have improved. Still critical. What it means: Untrusted data sent to an interpreter as part of a command or query. Common patterns in SaaS:

• SQL injection in search or filter parameters
• NoSQL injection in MongoDB queries
• Command injection in file operations
• XSS (Cross-Site Scripting) through unescaped user input

Fixes:

• Use parameterized queries (always)
• Implement Content-Security-Policy headers
• Sanitize and validate all user input
• Use auto-escaping template engines

A04:2021 — Insecure Design (NEW)

Brand new category. Focuses on design flaws rather than implementation bugs. What it means: Missing or ineffective security controls at the design level. Common patterns in SaaS:

• No rate limiting on authentication endpoints
• No account lockout after failed attempts
• Password recovery that reveals account existence
• Missing business logic validation

Fixes:

• Threat model your application before building
• Use rate limiting on all sensitive endpoints
• Implement proper error messages that don't leak information
• Design with the principle of least privilege

A05:2021 — Security Misconfiguration

Moved up from #6. The most fixable category. What it means: Insecure default configurations, incomplete configs, missing hardening. Common patterns in SaaS:

• Missing security headers (HSTS, CSP, X-Frame-Options)
• Default credentials on admin panels
• Unnecessary features enabled (TRACE, directory listing)
• Stack traces or verbose error messages in production

Fixes:

• Set all recommended security headers
• Remove default accounts and credentials
• Disable unnecessary HTTP methods
• Use generic error responses in production
• Scan your application to find misconfigurations automatically

A06:2021 — Vulnerable and Outdated Components

What it means: Using components (libraries, frameworks) with known vulnerabilities. Fixes:

• Run npm audit regularly
• Use Dependabot or Snyk for automated alerts
• Remove unused dependencies
• Subscribe to security advisories for your stack

A07:2021 — Identification and Authentication Failures

What it means: Weaknesses in authentication mechanisms. Fixes:

• Implement multi-factor authentication
• Use strong password policies
• Protect against brute force (rate limiting, account lockout)
• Secure session management (HttpOnly, Secure, SameSite cookies)

A08:2021 — Software and Data Integrity Failures (NEW)

What it means: Code and infrastructure that doesn't protect against integrity violations. Fixes:

• Verify dependencies (lockfiles, integrity hashes)
• Secure your CI/CD pipeline
• Sign your releases
• Validate data serialization

A09:2021 — Security Logging and Monitoring Failures

What it means: Insufficient logging makes it impossible to detect breaches. Fixes:

• Log authentication events (success and failure)
• Log authorization failures
• Set up alerts for suspicious patterns
• Ensure logs aren't stored where they can be tampered with

A10:2021 — Server-Side Request Forgery (NEW)

What it means: The application fetches a remote resource without validating the user-supplied URL. Fixes:

• Validate and sanitize all user-supplied URLs
• Use allow lists for external services
• Don't send raw responses to clients
• Disable HTTP redirects in server-side requests

Check Your OWASP Coverage

TrustGate scans map every finding to the relevant OWASP Top 10 category. Run a free scan to see where your application stands against the 2021 standard.