← Module 1: Secure Software Architecture
Inquiry Question 2: How can the security of a developed solution be evaluated?
Identify the OWASP Top 10 web application security risks and describe mitigations for each
A focused answer to the HSC Software Engineering Module 1 dot point on the OWASP Top 10. Each risk, an example, and a mitigation, the worked broken-access-control example, and the traps markers look for.
Have a quick question? Jump to the Q&A page
What this dot point is asking
NESA wants you to know the standard industry list of the most critical web application security risks, give a concrete example of each, and pair each with a defender-side mitigation. The OWASP Top 10 is updated every few years; the 2021 list is the current reference.
The answer
The Open Worldwide Application Security Project (OWASP) publishes the Top 10 web application security risks. The 2021 list:
A01: Broken Access Control
Users can access resources or perform actions they should not. Example: changing /api/users/123/profile to /api/users/124/profile returns another user's data because the server only checks login, not ownership.
Mitigation: enforce authorisation on every endpoint with object-level checks. Deny by default. Test with unauthorised, low-privilege, and high-privilege accounts.
A02: Cryptographic Failures
Sensitive data is exposed because it was not encrypted properly. Example: passwords stored as plain text or with MD5, payment data sent over HTTP.
Mitigation: HTTPS everywhere, bcrypt or Argon2 for passwords, AES-256 for data at rest, secrets in a key management service.
A03: Injection
Untrusted input is interpreted as code. SQL injection is the headline example, but command injection, LDAP injection, and template injection are all in this category.
Mitigation: parameterised queries, output encoding, allow-list input validation, ORMs that parameterise by default.
A04: Insecure Design
Security flaws baked in at the design stage that no amount of code review can fix. Example: a "password reset" flow that sends the user's current password by email.
Mitigation: threat modelling during design, secure design patterns, reference architectures.
A05: Security Misconfiguration
Default credentials, unnecessary services left on, verbose error messages exposing stack traces. Example: a production database with the default admin password.
Mitigation: hardened configuration, automated configuration scans, principle of least functionality.
A06: Vulnerable and Outdated Components
Using a library with a known CVE (Common Vulnerabilities and Exposures). Example: Log4j 2.14 (Log4Shell).
Mitigation: dependency scanning (npm audit, pip-audit, Snyk, Dependabot), patch promptly, remove unused dependencies.
A07: Identification and Authentication Failures
Weak or missing authentication: brute-forceable login, no MFA, predictable session IDs.
Mitigation: MFA, rate limiting, account lockout, secure session management, password breach checks.
A08: Software and Data Integrity Failures
Trusting code or data without verifying its integrity. Example: pulling an auto-update from an unsigned source, deserialising untrusted data.
Mitigation: signed artefacts, integrity checks (hash, signature), supply chain security tooling.
A09: Security Logging and Monitoring Failures
The system does not log enough to detect or investigate attacks. Example: no record of failed logins, no alert on a thousand-per-second login attempt.
Mitigation: structured logs of security events, centralised log aggregation, alerts on anomalies.
A10: Server-Side Request Forgery (SSRF)
The server makes outbound requests based on user input, allowing an attacker to reach internal services. Example: a "preview this URL" feature that fetches http://localhost/admin.
Mitigation: validate URL targets against an allow-list, block requests to private IP ranges, segregate networks.
A worked SQL injection example
A vulnerable query (do not write this):
def get_user(username):
query = f"SELECT * FROM users WHERE name = '{username}'"
return db.execute(query).fetchone()
Submitting admin' OR '1'='1 as the username turns the query into:
SELECT * FROM users WHERE name = 'admin' OR '1'='1'
which returns every user.
The fix - a parameterised query:
def get_user(username):
query = "SELECT * FROM users WHERE name = ?"
return db.execute(query, (username,)).fetchone()
The database driver substitutes ? with the value safely. The input can no longer change the query structure.
Past exam questions, worked
Real questions from past NESA papers on this dot point, with our answer explainer.
2025 HSC6 marksIdentify three risks from the OWASP Top 10 and for each describe a mitigation that a developer can implement during the secure development lifecycle.Show worked answer →
- Injection (SQL injection)
- An attacker submits crafted input that gets interpreted as code by a backend interpreter, typically a SQL database. Mitigation: use parameterised queries (also called prepared statements) so user input is always treated as data, never as code. Never build SQL strings by concatenation. Validate input against an allow-list.
- Broken access control
- A logged-in user can access resources they should not, such as another user's account by guessing the URL. Mitigation: enforce authorisation checks on every server endpoint, not just in the UI. Use object-level authorisation: every request to /api/orders/123 checks that the current user owns order 123. Deny by default.
- Cryptographic failures
- Sensitive data (passwords, payment info, tokens) is stored or transmitted insecurely. Mitigation: enforce HTTPS site-wide, hash passwords with bcrypt/Argon2 and per-user salts, store secrets in a key management service (not in source code), and use AES-256 for data at rest.
Markers reward three distinct risks correctly named from the OWASP list, a concrete attack example for each, and a specific developer-side mitigation (not just "be careful"). Best answers tie mitigations back to the secure development lifecycle (threat modelling, code review, dependency scanning, security testing).
Related dot points
- Apply input validation, sanitisation and output encoding to defend against injection attacks
A focused answer to the HSC Software Engineering Module 1 dot point on input validation. Allow-list vs deny-list, sanitisation, output encoding, parameterised queries, the worked SQL injection example, and the traps markers look for.
- Identify and mitigate cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection vulnerabilities
A focused answer to the HSC Software Engineering Module 2 dot point on web vulnerabilities. XSS (stored and reflected), CSRF, SQL injection, mitigations for each, the worked example, and the traps markers look for.
- Describe the secure development lifecycle, including threat modelling, secure coding practices, security testing and ongoing monitoring
A focused answer to the HSC Software Engineering Module 1 dot point on the SDLC. Threat modelling, secure coding standards, code review, SAST and DAST tools, penetration testing, ongoing monitoring, and the traps markers look for.