Insecure Design represents flaws in the design and architecture of an application that cannot be fixed by perfect implementation. Unlike implementation bugs, these are missing or ineffective security controls that were never designed into the system.
Implementation bug: a developer forgets to validate input in one endpoint. This can be fixed by patching that one piece of code.
Design flaw: the system was designed without rate limiting on the password reset flow. No amount of careful coding of the existing endpoints fixes this; the missing control has to be added to the architecture (request throttling, attempt limits, lockout), which usually touches every component that handles reset codes.
Missing threat modeling: no systematic analysis of potential threats during design, so the controls needed to counter them are never specified.
Business logic flaws: exploitable gaps in business rules and workflows, such as steps that can be skipped, repeated, or performed out of order.
No rate limiting: no controls on resource consumption or request frequency, leaving login, password reset, and expensive operations open to brute force and abuse.
Trust boundary violations: improper trust between system components, for example a backend that accepts data from another service or from the client as already validated.
Missing security requirements: only happy-path scenarios are considered in requirements; abuse and misuse cases are never written down, so nothing is built to handle them.
Insecure defaults: the system ships with unsafe default configurations that each deployment must remember to harden.
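The password reset case above, worked through as an added example (not code from the original page or from the OWASP lab). It models a reset flow that issues a 6-digit one-time code and verifies it. The same service is built twice: with `limit_attempts=False` it is the insecure design, where nothing stops an attacker from submitting every possible code; with `limit_attempts=True` it has the control that the design was missing, a bounded number of failed verifications per account inside a time window, after which the account's reset is locked. The class and function names, the constructed `brute_force` attacker loop and the limits (5 attempts, 15 minutes) are assumptions chosen for the example. Note that the limit is state the service itself has to keep; it cannot be bolted onto a single endpoint afterwards, which is why this is a design issue rather than an implementation bug.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque


class ResetService:
    """Password-reset flow that issues a numeric one-time code (constructed example).

    limit_attempts=False: insecure design, unlimited verification attempts.
    limit_attempts=True:  failed verifications per account are counted inside a
                          sliding window; at max_attempts the account is locked.
    """

    def __init__(self, limit_attempts, digits=6, max_attempts=5,
                 window_seconds=900, clock=time.monotonic):
        self.limit_attempts = limit_attempts
        self.digits = digits
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.clock = clock                   # injectable so lockout expiry can be tested
        self._codes = {}                     # account -> outstanding reset code
        self._failures = defaultdict(deque)  # account -> timestamps of failed attempts

    def request_reset(self, account):
        """Issue a fresh single-use code for the account.

        The code is returned only so this example can run stand-alone; a real
        system delivers it out of band (email/SMS) and never echoes it to the caller.
        """
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._codes[account] = code
        self._failures[account].clear()
        return code

    def _locked(self, account):
        """True when the account has exhausted its attempts inside the window."""
        if not self.limit_attempts:
            return False  # the insecure design never locks anything
        now = self.clock()
        fails = self._failures[account]
        while fails and now - fails[0] > self.window_seconds:
            fails.popleft()  # failures older than the window no longer count
        return len(fails) >= self.max_attempts

    def verify(self, account, submitted):
        """Return 'ok', 'wrong', 'locked' or 'no_request'."""
        code = self._codes.get(account)
        if code is None:
            return "no_request"
        if self._locked(account):
            return "locked"   # checked before comparing, so lockout cannot be raced
        if hmac.compare_digest(code, submitted):  # constant-time comparison
            del self._codes[account]              # a code is accepted at most once
            return "ok"
        if self.limit_attempts:
            self._failures[account].append(self.clock())
        return "wrong"


def brute_force(service, account):
    """Attacker loop (constructed): submit codes in order until one is accepted
    or the service stops answering 'wrong'. Returns (outcome, guesses_made)."""
    for guess in range(10 ** service.digits):
        outcome = service.verify(account, f"{guess:0{service.digits}d}")
        if outcome != "wrong":
            return outcome, guess + 1
    return "exhausted", 10 ** service.digits


if __name__ == "__main__":
    insecure = ResetService(limit_attempts=False)
    code = insecure.request_reset("alice")
    print("insecure design:", brute_force(insecure, "alice"))   # ('ok', N): attacker wins

    secure = ResetService(limit_attempts=True)
    code = secure.request_reset("alice")
    print("with attempt limit:", brute_force(secure, "alice"))  # ('locked', 6)
```

Running the script shows the attacker recovering the code in the unlimited design after at most one million guesses, and being locked out after the sixth call in the limited one. In a deployed system the same bookkeeping has to live behind every path that accepts a reset code (web form, mobile API, support tooling), which is the architectural change the text refers to; a limit keyed only on client IP is not enough on its own, since the attacker controls the source address but not the account being targeted.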
Built by an OWASP Member • Part of the OWASP Web Security Lab Series