The OWASP Top 10 is the most widely referenced security standard in web development. Published by the Open Web Application Security Project, it lists the ten most critical categories of security risk found in real-world applications; the categories below are those of the current (2021) edition. It is an awareness document rather than a complete checklist, but if your web application is vulnerable to any of these, you have a serious problem. Here's what each one means in plain language.
A01 — Broken Access Control
The most common category: in the data behind the 2021 list it was found in more tested applications than any other. Users can access data or perform actions they shouldn't be able to. Example: changing an order ID in the URL from 12345 to 12346 and seeing someone else's order. This is called IDOR (Insecure Direct Object Reference): the server looks the record up by ID and never checks that it belongs to the logged-in user. The same category covers ordinary users reaching admin-only pages, accounts escalating to higher privileges, and tampered tokens or parameters that change a role. It's trivial to exploit and catastrophic for customer data.
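The IDOR pattern above, as an added example that is not from the original article: the same order lookup written first without and then with an ownership check. The order store, user IDs and order numbers are constructed sample data, and the function names are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed sample data: customer 1 owns order 12345, customer 2 owns 12346.
ORDERS = {
    12345: Order(order_id=12345, owner_id=1, total=49.90),
    12346: Order(order_id=12346, owner_id=2, total=1200.00),
}


class AccessDenied(Exception):
    """Raised when the caller may not see the requested object."""


def get_order_vulnerable(order_id: int, current_user_id: int) -> Order:
    """IDOR: the record is looked up by ID alone. The logged-in user is
    known (current_user_id) but never compared with the order's owner,
    so anyone who increments the ID in the URL reads another customer's order."""
    return ORDERS[order_id]


def get_order_fixed(order_id: int, current_user_id: int) -> Order:
    """Per-object authorisation: the record must belong to the caller.

    Missing and foreign orders raise the same error, so the response does
    not tell an attacker whether the other ID exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != current_user_id:
        raise AccessDenied(f"order {order_id} is not accessible to user {current_user_id}")
    return order


def demo() -> dict:
    """User 1 fetches their own order, then tries their neighbour's."""
    own = get_order_vulnerable(12345, current_user_id=1).total
    leaked = get_order_vulnerable(12346, current_user_id=1).total   # succeeds: IDOR
    try:
        get_order_fixed(12346, current_user_id=1)
        blocked = False
    except AccessDenied:
        blocked = True
    return {"own_total": own, "leaked_total": leaked, "fixed_blocks_it": blocked}


if __name__ == "__main__":
    print(demo())
```

The check has to run on the server for every object access. Making IDs unguessable (random UUIDs instead of sequential numbers) only reduces the chance of a blind hit; it is not a substitute for the ownership check, because IDs leak in links, logs and shared screenshots.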
A02 — Cryptographic Failures
Sensitive data transmitted or stored without proper protection, or with cryptography that is weak or used wrongly. Common examples: passwords stored in plain text (still happens) or hashed with a fast general-purpose algorithm like MD5 or SHA-1, credit card numbers written to application logs, data sent over HTTP instead of HTTPS, expired or self-signed certificates accepted without checking. Passwords should never be stored directly or merely encrypted: they should be hashed with a slow, salted, password-specific algorithm such as Argon2id, bcrypt or scrypt, so that a stolen database cannot be cracked in bulk. If your database is breached and passwords are plaintext, every user who reused that password elsewhere is compromised on those other sites too.
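How password storage should look, as an added example that is not from the original article: a salted scrypt hash stored in a self-describing string, verified with a constant-time comparison. It uses only the Python standard library; the cost parameters, salt length and storage format are assumptions chosen for illustration, and a production system would more commonly reach for Argon2id or bcrypt through a dedicated library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factors (illustration only; tune until hashing takes ~100 ms).
_N, _R, _P = 2 ** 14, 8, 1    # scrypt cost: 128 * N * r = 16 MiB of memory per hash
_SALT_BYTES = 16
_DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scrypt$N$r$p$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different stored values, so one precomputed table cannot crack a
    whole breached database at once."""
    if salt is None:
        salt = os.urandom(_SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=_N, r=_R, p=_P, dklen=_DKLEN)
    return f"scrypt${_N}${_R}${_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored string and compare
    in constant time, so timing does not reveal how many bytes matched."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False          # malformed record: fail closed
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    """Two accounts with the same password get different records; only the
    right password verifies."""
    first = hash_password("hunter2")
    second = hash_password("hunter2")
    return {
        "different_records": first != second,
        "verifies": verify_password("hunter2", first),
        "rejects_wrong": not verify_password("hunter3", first),
    }


if __name__ == "__main__":
    print(hash_password("hunter2"))
    print(demo())
```

Recording the parameters alongside the hash is what lets you raise the work factor later: old records still verify, and you rehash on the next successful login.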
A03 — Injection
Attacker-controlled data is interpreted as code or as part of a command. SQL injection is the classic example: a search box whose input is pasted straight into a query, so that entering ' OR '1'='1 returns every row, and '; DROP TABLE users; -- deletes the table wherever the database driver allows stacked statements. Since the 2021 edition this category also includes cross-site scripting (XSS), where the injected "code" is HTML or JavaScript shown to other users. Modern ORMs largely prevent SQL injection as long as developers stay on their parameterised query APIs, but raw-SQL escape hatches and string-built queries reintroduce it, and NoSQL injection, LDAP injection and OS command injection remain common in custom-built systems.
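The search-box injection above, as an added example that is not from the original article: the vulnerable string-built query beside the parameterised one, run against an in-memory SQLite table. The table, its rows and the attacker input are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; in-memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The search term is concatenated into the SQL text, so a quote in the
    input ends the string literal and everything after it is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver binds the term as a value, so it can
    never change the structure of the statement."""
    sql = "SELECT username, role FROM users WHERE username = ? ORDER BY id"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker input: closes the quote and adds an always-true clause.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),   # every row leaks
        "fixed": find_user_fixed(conn, PAYLOAD),             # nobody has that name
        "fixed_normal": find_user_fixed(conn, "bob"),        # normal lookups still work
    }


if __name__ == "__main__":
    print(demo())
```

The stacked DROP TABLE payload from the text is not shown because Python's sqlite3 module refuses to execute more than one statement per call; drivers for other databases (for example MySQL connectors with multi-statements enabled) do run it. The fix is the same in every case, and it generalises to LDAP filters, shell commands and NoSQL queries: pass user input to the interpreter as data, never by building the command text.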
A04 — Insecure Design
Security flaws baked into the architecture before a line of code is written. A "forgot password" flow that emails the user's actual password instead of a time-limited reset link (which also reveals that passwords are stored in a recoverable form). A file upload feature with no validation of type, size or destination. These can't be patched by fixing a line of code; they require threat modelling and redesign.
A05 — Security Misconfiguration
Default settings left in place. Debug mode enabled in production, showing stack traces and configuration to users. Unnecessary ports and services open. Admin panels exposed to the internet. Cloud storage (for example S3 buckets) set to public. The 2019 Capital One breach (roughly 106 million customers) started with a misconfigured web application firewall that could be tricked into requesting the cloud metadata service on the attacker's behalf, combined with an over-privileged cloud role attached to it; no code in the application itself was exploited.
A06 — Vulnerable and Outdated Components
Using libraries, frameworks, or infrastructure with known vulnerabilities. The 2017 Equifax breach (147M records) was caused by an unpatched Apache Struts vulnerability (CVE-2017-5638) whose fix had been available for two months. The category also covers software that is no longer supported and dependencies nobody tracks. Ask your developer what their dependency update process is: whether they keep an inventory of what goes into the build, scan it against vulnerability databases, and how quickly a critical fix reaches production.
A07 — Authentication Failures
Weak login and session implementations. No rate limiting on password attempts (allows brute force). Session tokens that don't expire, or that aren't rotated after login. Password reset links that remain valid indefinitely or can be reused. Allowing weak or already-breached passwords. No multi-factor authentication on sensitive accounts. Credential stuffing, trying username and password pairs leaked from other sites, is the leading cause of account takeover, and it works precisely because people reuse passwords; rate limiting, breached-password checks and MFA are the mitigations.
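The rate limiting that the paragraph above says is missing, as an added example that is not from the original article: a sliding-window counter of failed logins kept per account (against brute force on one account) and per source address (against credential stuffing, which spreads one attempt across many accounts). The window, the limits, the class name and the in-memory storage are assumptions; a real deployment keeps these counters in a shared store such as Redis.

```python
import time
from collections import defaultdict, deque

# Assumed policy: 15-minute window, 5 failures per account, 50 per source address.
WINDOW_SECONDS = 15 * 60
MAX_PER_ACCOUNT = 5
MAX_PER_SOURCE = 50


class LoginThrottle:
    """In-memory sliding-window counter of failed logins."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable so tests can move time
        self._by_account = defaultdict(deque)
        self._by_source = defaultdict(deque)

    @staticmethod
    def _prune(timestamps: deque, now: float) -> None:
        """Drop failures older than the window (deques are in time order)."""
        while timestamps and now - timestamps[0] > WINDOW_SECONDS:
            timestamps.popleft()

    def allowed(self, username: str, source_ip: str) -> bool:
        """Ask before checking the password, so throttled attempts never
        reach the (deliberately slow) password hash."""
        now = self._clock()
        account = self._by_account[username.lower()]
        source = self._by_source[source_ip]
        self._prune(account, now)
        self._prune(source, now)
        return len(account) < MAX_PER_ACCOUNT and len(source) < MAX_PER_SOURCE

    def record_failure(self, username: str, source_ip: str) -> None:
        now = self._clock()
        self._by_account[username.lower()].append(now)
        self._by_source[source_ip].append(now)

    def record_success(self, username: str) -> None:
        """A correct login clears the account counter but not the source counter."""
        self._by_account.pop(username.lower(), None)


class FakeClock:
    """Constructed clock for the demo and tests; production uses time.monotonic."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    # Brute force: five wrong passwords for alice from one address.
    for _ in range(MAX_PER_ACCOUNT):
        throttle.record_failure("alice", "203.0.113.7")
    brute_force_blocked = not throttle.allowed("alice", "203.0.113.7")
    other_account_ok = throttle.allowed("bob", "203.0.113.7")
    clock.advance(WINDOW_SECONDS + 1)
    recovers_after_window = throttle.allowed("alice", "203.0.113.7")
    # Credential stuffing: one failure each on fifty accounts from one address.
    for i in range(MAX_PER_SOURCE):
        throttle.record_failure(f"user{i}", "198.51.100.9")
    stuffing_blocked = not throttle.allowed("user-new", "198.51.100.9")
    return {
        "brute_force_blocked": brute_force_blocked,
        "other_account_ok": other_account_ok,
        "recovers_after_window": recovers_after_window,
        "stuffing_blocked": stuffing_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

Throttling rather than permanently locking the account matters: a hard lockout lets an attacker lock legitimate users out on purpose. Stuffing run from a botnet defeats the per-address limit, which is why it is paired with breached-password checks and MFA rather than relied on alone.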
A08, A09, A10 — Software Integrity, Logging, SSRF
The remaining three: unverified code and data, such as software updates or plugins pulled in without checking their integrity, build pipelines that can be tampered with, and untrusted data deserialised straight into objects (A08); insufficient logging and monitoring, so that breaches go undetected for months and can't be reconstructed afterwards (A09); and Server-Side Request Forgery, where an attacker supplies a URL and tricks your server into fetching it, reaching internal services the attacker can't reach directly, most famously the cloud metadata API that hands out temporary credentials (A10).
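The SSRF case above, as an added example that is not from the original article: a guard that a URL-fetching feature (a webhook, a link preview, an import from URL) would run before making the request, rejecting the metadata address, loopback, private and link-local ranges, IPv4-mapped IPv6 tricks and credentials smuggled into the authority part. The function name, the allowed schemes and the resolver hook are assumptions, and the DNS table is constructed so that the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# The cloud metadata endpoint shared by AWS, GCP and Azure.
METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed DNS table so the demo runs offline; the system resolver below
# is what production code would use.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}


def system_resolve(hostname: str) -> list:
    """Every address the host name maps to (A and AAAA records)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_safe_target(url: str, resolver=system_resolve) -> bool:
    """True only if every address the URL can reach is public and routable."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False       # http://trusted.example@169.254.169.254/ fools naive string checks
    host = parts.hostname
    try:
        addresses = [ipaddress.ip_address(host)]           # IP literal, no DNS needed
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError, KeyError):
            return False                                   # unresolvable: fail closed
    if not addresses:
        return False
    for addr in addresses:                                 # all of them, not just the first
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped                        # ::ffff:10.0.0.1 -> 10.0.0.1
        if (addr == METADATA_IP or addr.is_private or addr.is_loopback
                or addr.is_link_local or addr.is_multicast
                or addr.is_reserved or addr.is_unspecified):
            return False
    return True


def demo() -> dict:
    """Runs the guard over constructed attacker and legitimate URLs."""
    samples = [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://127.0.0.1:8080/admin",
        "http://[::ffff:10.0.0.1]/",
        "http://internal.corp/",
        "http://mixed.example/",
        "http://example.com@169.254.169.254/",
        "file:///etc/passwd",
        "https://example.com/report.pdf",
    ]
    return {u: is_safe_target(u, resolver=lambda h: FAKE_DNS[h]) for u in samples}


if __name__ == "__main__":
    for url, ok in demo().items():
        print("allow" if ok else "block", url)
```

Two caveats a practitioner would add. First, this check resolves the name once and the HTTP client resolves it again, so a DNS record that changes between the two (DNS rebinding) slips through; robust guards connect to the validated IP directly or re-validate inside the connection hook, and repeat the check on every redirect. Second, defence on the cloud side matters as much: requiring IMDSv2-style session tokens for the metadata service and restricting the server's outbound network limit what a successful SSRF can reach.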
What to do with this information
Send this list to your developer and ask them to address each point. If they can't explain their mitigation for each category, get a security audit. A penetration test that covers the OWASP Top 10 costs a fraction of the average breach. In 2024, the average cost of a data breach was €4.2M, and for an SME a breach on that scale is often existential.