OWASP’s 2021 list shuffle: A new battle plan and primary foe
In this increasingly chaotic world, there have always been a few constants that people could reliably count on: The sun will rise in the morning and set again at night, Mario will always be cooler than Sonic the Hedgehog, and injection attacks will always occupy the top spot on the Open Web Application Security Project (OWASP) list of the top ten most common and dangerous vulnerabilities that attackers are actively exploiting.
Well, the sun will rise tomorrow, and Mario still has “one-up” on Sonic, but injection attacks have fallen out of the number one spot on the infamous OWASP list, refreshed in 2021. One of the oldest forms of attacks, injection vulnerabilities have been around almost as long as computer networking. The blanket vulnerability is responsible for a wide range of attacks, including everything from traditional SQL injections to exploits launched against Object Graph Navigation Libraries (OGNL). It even includes direct assaults against servers using OS command injection techniques. The versatility of injection vulnerabilities for attackers - not to mention the number of places that could potentially be attacked - has kept this category in the top spot for many years.
But the injection king has fallen. Long live the king.
Does that mean we’ve finally solved the injection vulnerability problem? Not a chance. It didn’t fall far from its position as security enemy number one, only down to number three on the OWASP list. It would be a mistake to underestimate the continuing dangers of injection attacks, but the fact that another vulnerability category was able to surpass it is significant, because it shows just how widespread the new OWASP top dog actually is, and why developers need to pay close attention to it moving forward.
Perhaps the most interesting thing, however, is that the OWASP Top 10 2021 reflects a significant overhaul, with brand new categories making their debut: Insecure Design, Software and Data Integrity Failures, and an entry based on community survey results: Server-Side Request Forgery. These point to an increasing focus on architectural vulnerabilities, and going beyond surface-level bugs for the benchmark in software security.
Broken access control takes the crown (and reveals a trend)
Broken access control rocketed from the fifth spot on the OWASP top ten vulnerabilities list all the way up to the current number one position. Like with injection and new entries like insecure design, the broken access vulnerability encompasses a wide range of coding flaws, which adds to its dubious popularity as they collectively allow damage on multiple fronts. The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions.
Some examples of broken access control cited by OWASP in elevating the family of vulnerabilities to the top spot include ones that enable attackers to modify a URL, internal application state, or part of an HTML page. They might also allow users to change their primary access key so that an application, site, or API believes they are someone else, like an administrator with higher privileges. It even includes vulnerabilities where attackers are not restricted from modifying metadata, letting them change things like JSON web tokens, cookies, or access control tokens.
Once exploited, this family of vulnerabilities can be used by attackers to bypass file or object authorizations, enables them to steal data, or even perform destructive administrator-level functions like deleting databases. This makes broken access control critically dangerous in addition to being increasingly common.
It’s quite compelling - yet not surprising - that authentication and access control vulnerabilities are becoming the most fertile ground for attackers to exploit. Verizon’s latest Data Breach Investigations Report reveals that access control issues are prevalent in almost every industry, especially IT and healthcare, and a whopping 85% of all breaches involved a human element. Now, “human element” covers incidents like phishing attacks, which are not an engineering problem, but 3% of breaches did involve exploitable vulnerabilities, and according to the report, were predominantly older vulnerabilities and human error-led, like security misconfiguration.
While those decrepit security bugs like XSS and SQL injection continue to trip up developers, increasingly, it has become apparent that core security design is failing, giving way to architectural vulnerabilities that can be very advantageous to a threat actor, especially if they go unpatched after the security flaw in a particular version of an application is made public.
The trouble is, few engineers are given training and skills development that goes beyond the basics, and fewer still are truly having their knowledge and practical application expanded beyond localized, code-level bugs that are typically developer-introduced in the first place.
Preventing the bugs that robots rarely find
The newly grouped family of broken access control vulnerabilities is fairly diverse. You can find some specific examples of broken access controls and how to stop them on our YouTube channel and our blog.
However, I think it’s important to celebrate this new OWASP Top 10; indeed, it is more varied, encompassing a wider range of attack vectors that include those that scanners won’t necessarily pick up. For every code-level weakness found, more complex architectural flaws will go unnoticed by most of the security tech stack, no matter how many automated shields and weapons are in the arsenal. While the lion’s share of the OWASP Top 10 list is still compiled based on scanning data, new entries covering insecure design and data integrity failures - among others - show that training horizons for developers need to expand rapidly to achieve what robots cannot.
Put simply, security scanners don’t make great threat modelers, but a team of security-skilled developers can help the AppSec team immeasurably by growing their security IQ in-line with best practices, as well as the needs of the business. This needs to be factored into a good security program, with the understanding that while the OWASP Top 10 is an excellent baseline, the threat landscape is so fast-paced (not to mention the demands of internal development goals) that there must be a plan to go deeper and more specific with developer upskilling in security. Failure to do so will inevitably lead to missed opportunities to remediate early, and hinder a successful holistic approach to preventative, human-led cybersecurity.
We're OWASP Top 10 2021-ready, and that's just the beginning! Start your developers on an elevated security skills pathway today.
Injection attacks, the infamous king of vulnerabilities (by category), have lost the top spot to broken access control as the worst of the worst, and developers need to take notice.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoMatias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
In this increasingly chaotic world, there have always been a few constants that people could reliably count on: The sun will rise in the morning and set again at night, Mario will always be cooler than Sonic the Hedgehog, and injection attacks will always occupy the top spot on the Open Web Application Security Project (OWASP) list of the top ten most common and dangerous vulnerabilities that attackers are actively exploiting.
Well, the sun will rise tomorrow, and Mario still has “one-up” on Sonic, but injection attacks have fallen out of the number one spot on the infamous OWASP list, refreshed in 2021. One of the oldest forms of attacks, injection vulnerabilities have been around almost as long as computer networking. The blanket vulnerability is responsible for a wide range of attacks, including everything from traditional SQL injections to exploits launched against Object Graph Navigation Libraries (OGNL). It even includes direct assaults against servers using OS command injection techniques. The versatility of injection vulnerabilities for attackers - not to mention the number of places that could potentially be attacked - has kept this category in the top spot for many years.
But the injection king has fallen. Long live the king.
Does that mean we’ve finally solved the injection vulnerability problem? Not a chance. It didn’t fall far from its position as security enemy number one, only down to number three on the OWASP list. It would be a mistake to underestimate the continuing dangers of injection attacks, but the fact that another vulnerability category was able to surpass it is significant, because it shows just how widespread the new OWASP top dog actually is, and why developers need to pay close attention to it moving forward.
Perhaps the most interesting thing, however, is that the OWASP Top 10 2021 reflects a significant overhaul, with brand new categories making their debut: Insecure Design, Software and Data Integrity Failures, and an entry based on community survey results: Server-Side Request Forgery. These point to an increasing focus on architectural vulnerabilities, and going beyond surface-level bugs for the benchmark in software security.
Broken access control takes the crown (and reveals a trend)
Broken access control rocketed from the fifth spot on the OWASP top ten vulnerabilities list all the way up to the current number one position. Like with injection and new entries like insecure design, the broken access vulnerability encompasses a wide range of coding flaws, which adds to its dubious popularity as they collectively allow damage on multiple fronts. The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions.
Some examples of broken access control cited by OWASP in elevating the family of vulnerabilities to the top spot include ones that enable attackers to modify a URL, internal application state, or part of an HTML page. They might also allow users to change their primary access key so that an application, site, or API believes they are someone else, like an administrator with higher privileges. It even includes vulnerabilities where attackers are not restricted from modifying metadata, letting them change things like JSON web tokens, cookies, or access control tokens.
Once exploited, this family of vulnerabilities can be used by attackers to bypass file or object authorizations, enables them to steal data, or even perform destructive administrator-level functions like deleting databases. This makes broken access control critically dangerous in addition to being increasingly common.
It’s quite compelling - yet not surprising - that authentication and access control vulnerabilities are becoming the most fertile ground for attackers to exploit. Verizon’s latest Data Breach Investigations Report reveals that access control issues are prevalent in almost every industry, especially IT and healthcare, and a whopping 85% of all breaches involved a human element. Now, “human element” covers incidents like phishing attacks, which are not an engineering problem, but 3% of breaches did involve exploitable vulnerabilities, and according to the report, were predominantly older vulnerabilities and human error-led, like security misconfiguration.
While those decrepit security bugs like XSS and SQL injection continue to trip up developers, increasingly, it has become apparent that core security design is failing, giving way to architectural vulnerabilities that can be very advantageous to a threat actor, especially if they go unpatched after the security flaw in a particular version of an application is made public.
The trouble is, few engineers are given training and skills development that goes beyond the basics, and fewer still are truly having their knowledge and practical application expanded beyond localized, code-level bugs that are typically developer-introduced in the first place.
Preventing the bugs that robots rarely find
The newly grouped family of broken access control vulnerabilities is fairly diverse. You can find some specific examples of broken access controls and how to stop them on our YouTube channel and our blog.
However, I think it’s important to celebrate this new OWASP Top 10; indeed, it is more varied, encompassing a wider range of attack vectors that include those that scanners won’t necessarily pick up. For every code-level weakness found, more complex architectural flaws will go unnoticed by most of the security tech stack, no matter how many automated shields and weapons are in the arsenal. While the lion’s share of the OWASP Top 10 list is still compiled based on scanning data, new entries covering insecure design and data integrity failures - among others - show that training horizons for developers need to expand rapidly to achieve what robots cannot.
Put simply, security scanners don’t make great threat modelers, but a team of security-skilled developers can help the AppSec team immeasurably by growing their security IQ in-line with best practices, as well as the needs of the business. This needs to be factored into a good security program, with the understanding that while the OWASP Top 10 is an excellent baseline, the threat landscape is so fast-paced (not to mention the demands of internal development goals) that there must be a plan to go deeper and more specific with developer upskilling in security. Failure to do so will inevitably lead to missed opportunities to remediate early, and hinder a successful holistic approach to preventative, human-led cybersecurity.
We're OWASP Top 10 2021-ready, and that's just the beginning! Start your developers on an elevated security skills pathway today.
In this increasingly chaotic world, there have always been a few constants that people could reliably count on: The sun will rise in the morning and set again at night, Mario will always be cooler than Sonic the Hedgehog, and injection attacks will always occupy the top spot on the Open Web Application Security Project (OWASP) list of the top ten most common and dangerous vulnerabilities that attackers are actively exploiting.
Well, the sun will rise tomorrow, and Mario still has “one-up” on Sonic, but injection attacks have fallen out of the number one spot on the infamous OWASP list, refreshed in 2021. One of the oldest forms of attacks, injection vulnerabilities have been around almost as long as computer networking. The blanket vulnerability is responsible for a wide range of attacks, including everything from traditional SQL injections to exploits launched against Object Graph Navigation Libraries (OGNL). It even includes direct assaults against servers using OS command injection techniques. The versatility of injection vulnerabilities for attackers - not to mention the number of places that could potentially be attacked - has kept this category in the top spot for many years.
But the injection king has fallen. Long live the king.
Does that mean we’ve finally solved the injection vulnerability problem? Not a chance. It didn’t fall far from its position as security enemy number one, only down to number three on the OWASP list. It would be a mistake to underestimate the continuing dangers of injection attacks, but the fact that another vulnerability category was able to surpass it is significant, because it shows just how widespread the new OWASP top dog actually is, and why developers need to pay close attention to it moving forward.
Perhaps the most interesting thing, however, is that the OWASP Top 10 2021 reflects a significant overhaul, with brand new categories making their debut: Insecure Design, Software and Data Integrity Failures, and an entry based on community survey results: Server-Side Request Forgery. These point to an increasing focus on architectural vulnerabilities, and going beyond surface-level bugs for the benchmark in software security.
Broken access control takes the crown (and reveals a trend)
Broken access control rocketed from the fifth spot on the OWASP top ten vulnerabilities list all the way up to the current number one position. Like with injection and new entries like insecure design, the broken access vulnerability encompasses a wide range of coding flaws, which adds to its dubious popularity as they collectively allow damage on multiple fronts. The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions.
Some examples of broken access control cited by OWASP in elevating the family of vulnerabilities to the top spot include ones that enable attackers to modify a URL, internal application state, or part of an HTML page. They might also allow users to change their primary access key so that an application, site, or API believes they are someone else, like an administrator with higher privileges. It even includes vulnerabilities where attackers are not restricted from modifying metadata, letting them change things like JSON web tokens, cookies, or access control tokens.
Once exploited, this family of vulnerabilities can be used by attackers to bypass file or object authorizations, enables them to steal data, or even perform destructive administrator-level functions like deleting databases. This makes broken access control critically dangerous in addition to being increasingly common.
It’s quite compelling - yet not surprising - that authentication and access control vulnerabilities are becoming the most fertile ground for attackers to exploit. Verizon’s latest Data Breach Investigations Report reveals that access control issues are prevalent in almost every industry, especially IT and healthcare, and a whopping 85% of all breaches involved a human element. Now, “human element” covers incidents like phishing attacks, which are not an engineering problem, but 3% of breaches did involve exploitable vulnerabilities, and according to the report, were predominantly older vulnerabilities and human error-led, like security misconfiguration.
While those decrepit security bugs like XSS and SQL injection continue to trip up developers, increasingly, it has become apparent that core security design is failing, giving way to architectural vulnerabilities that can be very advantageous to a threat actor, especially if they go unpatched after the security flaw in a particular version of an application is made public.
The trouble is, few engineers are given training and skills development that goes beyond the basics, and fewer still are truly having their knowledge and practical application expanded beyond localized, code-level bugs that are typically developer-introduced in the first place.
Preventing the bugs that robots rarely find
The newly grouped family of broken access control vulnerabilities is fairly diverse. You can find some specific examples of broken access controls and how to stop them on our YouTube channel and our blog.
However, I think it’s important to celebrate this new OWASP Top 10; indeed, it is more varied, encompassing a wider range of attack vectors that include those that scanners won’t necessarily pick up. For every code-level weakness found, more complex architectural flaws will go unnoticed by most of the security tech stack, no matter how many automated shields and weapons are in the arsenal. While the lion’s share of the OWASP Top 10 list is still compiled based on scanning data, new entries covering insecure design and data integrity failures - among others - show that training horizons for developers need to expand rapidly to achieve what robots cannot.
Put simply, security scanners don’t make great threat modelers, but a team of security-skilled developers can help the AppSec team immeasurably by growing their security IQ in-line with best practices, as well as the needs of the business. This needs to be factored into a good security program, with the understanding that while the OWASP Top 10 is an excellent baseline, the threat landscape is so fast-paced (not to mention the demands of internal development goals) that there must be a plan to go deeper and more specific with developer upskilling in security. Failure to do so will inevitably lead to missed opportunities to remediate early, and hinder a successful holistic approach to preventative, human-led cybersecurity.
We're OWASP Top 10 2021-ready, and that's just the beginning! Start your developers on an elevated security skills pathway today.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demoMatias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
In this increasingly chaotic world, there have always been a few constants that people could reliably count on: The sun will rise in the morning and set again at night, Mario will always be cooler than Sonic the Hedgehog, and injection attacks will always occupy the top spot on the Open Web Application Security Project (OWASP) list of the top ten most common and dangerous vulnerabilities that attackers are actively exploiting.
Well, the sun will rise tomorrow, and Mario still has “one-up” on Sonic, but injection attacks have fallen out of the number one spot on the infamous OWASP list, refreshed in 2021. One of the oldest forms of attacks, injection vulnerabilities have been around almost as long as computer networking. The blanket vulnerability is responsible for a wide range of attacks, including everything from traditional SQL injections to exploits launched against Object Graph Navigation Libraries (OGNL). It even includes direct assaults against servers using OS command injection techniques. The versatility of injection vulnerabilities for attackers - not to mention the number of places that could potentially be attacked - has kept this category in the top spot for many years.
But the injection king has fallen. Long live the king.
Does that mean we’ve finally solved the injection vulnerability problem? Not a chance. It didn’t fall far from its position as security enemy number one, only down to number three on the OWASP list. It would be a mistake to underestimate the continuing dangers of injection attacks, but the fact that another vulnerability category was able to surpass it is significant, because it shows just how widespread the new OWASP top dog actually is, and why developers need to pay close attention to it moving forward.
Perhaps the most interesting thing, however, is that the OWASP Top 10 2021 reflects a significant overhaul, with brand new categories making their debut: Insecure Design, Software and Data Integrity Failures, and an entry based on community survey results: Server-Side Request Forgery. These point to an increasing focus on architectural vulnerabilities, and going beyond surface-level bugs for the benchmark in software security.
Broken access control takes the crown (and reveals a trend)
Broken access control rocketed from the fifth spot on the OWASP top ten vulnerabilities list all the way up to the current number one position. Like with injection and new entries like insecure design, the broken access vulnerability encompasses a wide range of coding flaws, which adds to its dubious popularity as they collectively allow damage on multiple fronts. The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions.
Some examples of broken access control cited by OWASP in elevating the family of vulnerabilities to the top spot include ones that enable attackers to modify a URL, internal application state, or part of an HTML page. They might also allow users to change their primary access key so that an application, site, or API believes they are someone else, like an administrator with higher privileges. It even includes vulnerabilities where attackers are not restricted from modifying metadata, letting them change things like JSON web tokens, cookies, or access control tokens.
Once exploited, this family of vulnerabilities can be used by attackers to bypass file or object authorizations, enables them to steal data, or even perform destructive administrator-level functions like deleting databases. This makes broken access control critically dangerous in addition to being increasingly common.
It’s quite compelling - yet not surprising - that authentication and access control vulnerabilities are becoming the most fertile ground for attackers to exploit. Verizon’s latest Data Breach Investigations Report reveals that access control issues are prevalent in almost every industry, especially IT and healthcare, and a whopping 85% of all breaches involved a human element. Now, “human element” covers incidents like phishing attacks, which are not an engineering problem, but 3% of breaches did involve exploitable vulnerabilities, and according to the report, were predominantly older vulnerabilities and human error-led, like security misconfiguration.
While those decrepit security bugs like XSS and SQL injection continue to trip up developers, increasingly, it has become apparent that core security design is failing, giving way to architectural vulnerabilities that can be very advantageous to a threat actor, especially if they go unpatched after the security flaw in a particular version of an application is made public.
The trouble is, few engineers are given training and skills development that goes beyond the basics, and fewer still are truly having their knowledge and practical application expanded beyond localized, code-level bugs that are typically developer-introduced in the first place.
Preventing the bugs that robots rarely find
The newly grouped family of broken access control vulnerabilities is fairly diverse. You can find some specific examples of broken access controls and how to stop them on our YouTube channel and our blog.
However, I think it’s important to celebrate this new OWASP Top 10; indeed, it is more varied, encompassing a wider range of attack vectors that include those that scanners won’t necessarily pick up. For every code-level weakness found, more complex architectural flaws will go unnoticed by most of the security tech stack, no matter how many automated shields and weapons are in the arsenal. While the lion’s share of the OWASP Top 10 list is still compiled based on scanning data, new entries covering insecure design and data integrity failures - among others - show that training horizons for developers need to expand rapidly to achieve what robots cannot.
Put simply, security scanners don’t make great threat modelers, but a team of security-skilled developers can help the AppSec team immeasurably by growing their security IQ in-line with best practices, as well as the needs of the business. This needs to be factored into a good security program, with the understanding that while the OWASP Top 10 is an excellent baseline, the threat landscape is so fast-paced (not to mention the demands of internal development goals) that there must be a plan to go deeper and more specific with developer upskilling in security. Failure to do so will inevitably lead to missed opportunities to remediate early, and hinder a successful holistic approach to preventative, human-led cybersecurity.
We're OWASP Top 10 2021-ready, and that's just the beginning! Start your developers on an elevated security skills pathway today.
Table of contents
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Resources to get you started
10 Key Predictions: Secure Code Warrior on AI & Secure-by-Design’s Influence in 2025
Organizations are facing tough decisions on AI usage to support long-term productivity, sustainability, and security ROI. It’s become clear to us over the last few years that AI will never fully replace the role of the developer. From AI + developer partnerships to the increasing pressures (and confusion) around Secure-by-Design expectations, let’s take a closer look at what we can expect over the next year.
OWASP Top 10 For LLM Applications: What’s New, Changed, and How to Stay Secure
Stay ahead in securing LLM applications with the latest OWASP Top 10 updates. Discover what's new, what’s changed, and how Secure Code Warrior equips you with up-to-date learning resources to mitigate risks in Generative AI.
Trust Score Reveals the Value of Secure-by-Design Upskilling Initiatives
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
Reactive Versus Preventive Security: Prevention Is a Better Cure
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.