Date: Sep 9, 2021, 9:12:30 AM
Date: Sep 30, 2021, 12:41:23 PM
Editor: Cedric
Name: A04:2021 – Insecure Design
Description: Insecure design is a broad category covering many different weaknesses, summarised as "missing or ineffective control design." A missing control is one that is simply absent: for example, code that is supposed to encrypt sensitive data, but no encryption routine exists at all. An ineffective control is one that is present but whose domain (business) logic validation is too weak to stop a threat from being realised: for example, logic that is supposed to compute pandemic tax relief from income brackets but never checks that its inputs are correctly signed (a negative income, say, or an implausible household count), and so grants a far larger relief benefit than should ever be possible.

{
    "authors": [
        "OWASP project"
    ],
    "code": "A04:2021",
    "description": "Insecure design is a broad category representing many different weaknesses, expressed as “missing or ineffective control design.” Missing insecure design is where a control is absent. For example, imagine code that should be encrypting sensitive data, but there is no method. Ineffective insecure design is where a threat could be realized, but insufficient domain (business) logic validation prevents the action. For example, imagine domain logic that is supposed to process pandemic tax relief based upon income brackets but does not validate that all inputs are correctly signed and provides a much more significant relief benefit than should be granted.",
    "label": "Insecure Design",
    "language": "EN",
    "uuid": "3164fd8c-4f07-4388-947c-5d0fea29edf8"
}