This topic has 6 replies, 4 voices, and was last updated 1 week, 1 day ago by Lenay Nichols.
March 28, 2022 at 11:28 am #65902
Mile2Test (Participant)
Discuss at least one of the top 10 OWASP security principles and why it is a critical control.
May 28, 2026 at 11:00 pm #115520
Eugene Estes (Participant)
Broken access control is one of the most significant security threats listed in the OWASP Top 10. The rules and procedures that specify what users are permitted to see, use, or alter within a system are referred to as access control. Inadequate implementation of access control can allow unauthorized users to access accounts, sensitive data, and administrative tasks that ought to be prohibited. Because of this, one of the most significant vulnerabilities affecting web apps and organizational systems nowadays is faulty access control.
There are numerous ways that access control can be compromised. For instance, by merely altering a URL parameter or modifying session data, a regular user would be able to access administrative pages. In other circumstances, hackers might get over security measures and access sensitive company documents or financial information about customers. These flaws frequently result from developers’ improper server-side user permission verification. Attackers can therefore take advantage of these weaknesses to carry out illegal activities or steal crucial data.
Because access control is the cornerstone of system security, this OWASP principle is regarded as a vital control. Inadequate permission controls can still enable attackers to get around security measures even when an application employs encryption and strong passwords. Access control is used by organizations to make sure that workers, clients, and administrators can only access resources that are pertinent to their duties. Without appropriate controls, private information could be revealed, resulting in monetary losses, legal repercussions, and reputational harm to a company.
Strong authentication and authorization procedures should be put in place by companies to lower the risk of compromised access control. Permissions should be assigned based on work duties using role-based access control. Additionally, unless authorization is specifically given, systems ought to prevent access by default. Frequent penetration testing and security testing code reviews can help find vulnerabilities before attackers take advantage of them. To avoid unwanted access, enterprises should also keep an eye on user behavior and adhere to appropriate session management procedures.
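An added example (not from the thread) of the two controls Eugene's post recommends, a role-based permission matrix and deny-by-default server-side checks, applied to the "change a URL parameter to reach another user's record or the admin page" case. The roles, resources and `Session` type are constructed for the illustration.

```python
# Added example: deny-by-default, role-based authorization enforced on the
# server, so that editing ?user_id=... or ?page=admin in the URL grants nothing.
from dataclasses import dataclass

# Constructed permission matrix: role -> set of (action, resource_type).
# Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "user":  {("read", "own_profile"), ("edit", "own_profile")},
    "hr":    {("read", "own_profile"), ("edit", "own_profile"), ("read", "payroll")},
    "admin": {("read", "own_profile"), ("edit", "own_profile"),
              ("read", "payroll"), ("read", "admin_page")},
}


@dataclass(frozen=True)
class Session:
    """Server-side session; role comes from the session store, not the request."""
    user_id: int
    role: str


def is_authorized(session, action, resource_type, owner_id=None):
    """Deny by default: only an explicit grant returns True."""
    allowed = ROLE_PERMISSIONS.get(session.role, set())  # unknown role -> nothing
    if (action, resource_type) not in allowed:
        return False
    # Ownership check: "own_profile" only covers the caller's own record,
    # so a tampered user_id parameter still fails here.
    if resource_type == "own_profile" and owner_id != session.user_id:
        return False
    return True


def handle_profile_request(session, requested_user_id):
    """Simulates GET /profile?user_id=<n>; the parameter is untrusted input."""
    if is_authorized(session, "read", "own_profile", owner_id=requested_user_id):
        return f"profile of user {requested_user_id}"
    return "403 Forbidden"


def handle_admin_request(session):
    """Simulates GET /admin; the check is made here, not by hiding the link."""
    if is_authorized(session, "read", "admin_page"):
        return "admin page"
    return "403 Forbidden"
```

Changing a user's role in the session store (for example from "hr" to "user" after a job change, as in Seth's reply) immediately removes the payroll grant, because the check consults the matrix on every request.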
May 31, 2026 at 9:45 pm #115539
Seth Brumfield (Participant)
Eugene, good job covering access control. I think the company I work for is pretty bad at this. Over the last few years I have moved roles, and don’t need the same access that I used to have. For instance, I can see individuals’ personal hourly pay. This was useful and necessary when I first started, but I don’t need that information now, and there are also other people that can pull this data. Even without being an administrator, people can have too much access.
June 1, 2026 at 11:26 pm #115550
Lenay Nichols (Participant)
I agree, broken access control is one of the most serious security risks because it can allow unauthorized users to access sensitive information even when other security measures are in place. I also agree that role-based access control plays an important role in protecting sensitive information since users should only have access to the resources they need to perform their jobs. In your opinion, what is the most effective way for organizations to identify access control weaknesses before they are exploited?
May 29, 2026 at 10:31 am #115523
Seth Brumfield (Participant)
One of the top 10 OWASP security principles in 2025 was injection. It is the process of writing malicious code; this code is then scraped while a web browser is looking for info and compiling data. It moved down from 3rd to 5th in 2025, but I think it will go back up in 2026. I think currently it is being used on software, like a software scraper pulling Zillow house prices to create a database. Someone might write some code, hoping the software doesn’t notice it. Then when you write a SQL prompt to digest the data, it gets activated and takes off.
I think it will end up going back up because more people are using AI and having the skill of scraping data isn’t as big of a hindrance as before. You can have an AI agent write the code for you, or even perform the scraping. Maybe a lot more of the top 10 will go up in volume as people start to go onto the internet in ways that they never did before!
May 30, 2026 at 7:32 pm #115534
Eugene Estes (Participant)
That’s what makes injection particularly concerning today: how the threat landscape is evolving. You mentioned software scrapers pulling data from sites like Zillow, and that’s a perfect example. Automated tools often ingest massive amounts of unverified data. If a scraper or data pipeline doesn’t sanitize inputs, an attacker could embed malicious payloads inside the scraped content.
May 29, 2026 at 10:12 pm #115528
Lenay Nichols (Participant)
One OWASP security principle that I think is very important is Identification and Authentication Failures. This security control helps make sure we are really who we say we are before we can access a system. A good example of this is logging into an email account. We usually will need a username and password to prove our identity. If a system has weak passwords or does not properly verify users, someone else may be able to gain access to an account that does not belong to them. This is a very important security control because many cyberattacks start when an attacker steals or guesses a user’s login information. Once they get into an account, they may be able to view private information, change settings, or they could even gain access to other systems. Organizations can reduce this risk by requiring strong passwords, using multi-factor authentication, and regularly monitoring for suspicious login activity. By making sure users are properly identified and authenticated, organizations can better protect their systems and sensitive data.