After this lesson, you will be able to: Recognize, find, and fix Insecure Design (OWASP A04): flaws in the architecture and business logic that no amount of perfect coding can patch.
Insecure Design is OWASP A04, added in 2021 to capture a different class of problem: the design itself is flawed, not the implementation. You can write bug-free code for a feature that should never have existed as designed. The fix is threat modeling and secure design patterns, applied before code is written.
Insecure Design is a missing or ineffective control by design, distinct from an implementation bug. Examples: a password-reset flow that relies on guessable security questions; a checkout that trusts a client-supplied price; an account-recovery path with no rate limiting, enabling credential stuffing; a 'transfer funds' feature with no second-factor for large amounts. The code may be perfectly written, but the design assumed trust it should not have. The defense lives upstream, in how the feature is conceived.
Insecure design is found by threat modeling and abuse-case analysis, not by scanning code.
For each feature, ask 'how would an attacker abuse this?' (abuse cases), not just 'does it work?'.
Threat-model the data flow: what is trusted, where, and why? (STRIDE is a common framework.)
Look for missing controls by design: no rate limiting on auth/reset, no spending limits, trusting client-side values (price, role, quantity).
Check whether security requirements existed at all: was abuse considered in the spec?
Review the flow with a 'deny by default' mindset; if a control is absent, it is a design gap.
Bake the control into the design; never trust the client for security decisions.
// INSECURE DESIGN: trusts the client-supplied priceapp.post('/checkout', (req, res) => {charge(req.body.price); // attacker sends price: 0.01});// SECURE DESIGN: the server computes the price from trusted dataapp.post('/checkout', (req, res) => {const price = computePriceFromCart(req.user.cartId); // server-side truthcharge(price);});// Design-level controls to add up front: rate limiting + lockout on auth// and password reset; server-side validation of all security-relevant// values; spending/transfer limits with step-up auth; threat modeling in// the design review.
Pick the precise distinction.
Sign in and purchase access to unlock this lesson.