Engineering Playbook

Backend Security

OWASP, AuthN vs AuthZ, and Validation.

Backend Security

Security is not a "feature" you add at the end. It is a constraint on your design.

AuthN vs. AuthZ

  • Authentication (AuthN): "Who are you?" (Login).
    • Tools: OAuth2, OIDC, JWT, Session Cookies.
  • Authorization (AuthZ): "What are you allowed to do?" (Permissions).
    • Tools: RBAC (Role Based), ABAC (Attribute Based), ReBAC (Relationship Based - Google Zanzibar).

The JWT vs. Session Debate

  • Stateless JWT: Token holds the data ({ "role": "admin" }). Fast (no DB lookup). Hard to revoke instantly.
  • Stateful Session: Token is just a random ID (123). Server checks DB/Redis. Slower. Instant revocation.

OWASP Top 10

The OWASP Top 10 is a standard awareness document representing a broad consensus about the most critical security risks to web applications. The list is updated every few years to reflect the evolving landscape of cybersecurity threats.

OWASP

For the complete catalog and detailed information, refer to the official OWASP Top 10: OWASP Top 10

OWASP also maintains specialized lists, including one for LLM applications (OWASP Top 10 for LLMs).

A01:2025 - Broken Access Control (BOLA/IDOR)

The #1 vulnerability, maintaining its position from 2021.

  • Scenario: User A requests /api/orders/999. The order belongs to User B. The API returns it anyway because it checked "Is User A logged in?" but not "Does User A own Order 999?".
  • Fix: Always check ownership at the data access layer.
  • Note: Now includes Server-Side Request Forgery (SSRF) which was rolled into this category.

A02:2025 - Security Misconfiguration

Moved up from #5 in 2021 to #2 in 2025.

  • Leaving default passwords.
  • Exposing stack traces in production errors.
  • Leaving S3 buckets public.
  • Trend: More prevalent as software engineering increases configuration-based behavior.

A03:2025 - Software Supply Chain Failures

New category for 2025, expanding on "Vulnerable and Outdated Components".

  • Using compromised dependencies or libraries.
  • Insecure build processes or distribution infrastructure.
  • Failure to verify software integrity throughout the supply chain.
  • Note: While currently with limited occurrences in data, it has the highest average exploit and impact scores.

A04:2025 - Cryptographic Failures

Falls two spots from #2 to #4 in the ranking.

  • Using weak or outdated cryptographic algorithms.
  • Improper key management or storage.
  • Failure to encrypt sensitive data at rest or in transit.
  • Impact: Often leads to sensitive data exposure or system compromise.

A05:2025 - Injection

Falls two spots from #3 to #5 in the ranking.

  • Scenario: query("SELECT * FROM users WHERE name = '" + input + "'"). User inputs '; DROP TABLE users; --.
  • Fix: Never concat strings to SQL. Use Parameterized Queries (WHERE name = $1, input).
  • Range: Includes Cross-site Scripting (high frequency/low impact) to SQL Injection (low frequency/high impact).

A06:2025 - Insecure Design

Slides two spots from #4 to #6 in the ranking.

  • Failing to design with security in mind from the beginning.
  • Lack of threat modeling in the design phase.
  • Missing secure design patterns and controls.

A07:2025 - Authentication Failures

Maintains position at #7 with a slight name change (previously "Identification and Authentication Failures").

  • Weak password policies or storage.
  • Improper session management.
  • Failure to implement multi-factor authentication where needed.
  • Trend: Standardized authentication frameworks appear to be reducing occurrences.

A08:2025 - Software or Data Integrity Failures

Continues at #8 in the list.

  • Failure to verify integrity of software updates or code.
  • Insecure deserialization of objects.
  • Missing digital signatures or checksums.

A09:2025 - Logging & Alerting Failures

Retains position at #9 with name change (previously "Security Logging and Monitoring Failures").

  • Insufficient logging of security events.
  • Missing or ineffective alerting mechanisms.
  • Failure to detect and respond to security incidents.
  • Note: Great logging with no alerting has minimal value in identifying security incidents.

A10:2025 - Mishandling of Exceptional Conditions

New category for 2025.

  • Improper error handling that exposes system details.
  • Logical errors that create security vulnerabilities.
  • Systems failing open instead of failing secure during abnormal conditions.
  • Scope: Contains 24 CWEs focusing on error handling and abnormal conditions.

Rate Limiting

Prevent DoS attacks and brute force.

  • Leaky Bucket: Smooths out bursts.
  • Fixed Window: "100 reqs per minute." (Vulnerable to bursts at the top of the minute).
  • Implementation: Use Redis to count IP addresses. Middleware like express-rate-limit.

Input Validation

Trust No One. Validate input at the edge (Zod, Joi, Pydantic).

Sanitize output to prevent XSS (Cross-Site Scripting) - although modern Frontends (React) handle most of this automatically.

ORMs

Prisma, Drizzle, TypeORM, and the Active Record vs Data Mapper debate.

Caching Strategies

Cache-aside, read-through, write-through, and write-back patterns.

On this page

Backend SecurityAuthN vs. AuthZThe JWT vs. Session DebateOWASP Top 10A01:2025 - Broken Access Control (BOLA/IDOR)A02:2025 - Security MisconfigurationA03:2025 - Software Supply Chain FailuresA04:2025 - Cryptographic FailuresA05:2025 - InjectionA06:2025 - Insecure DesignA07:2025 - Authentication FailuresA08:2025 - Software or Data Integrity FailuresA09:2025 - Logging & Alerting FailuresA10:2025 - Mishandling of Exceptional ConditionsRate Limiting