OWASP Top 10: free-recall review
Retrieval beats re-reading. For each prompt, say or write a full answer from memory before you open the model answer — the effort of recall is what makes the material stick when you are reviewing real code.
Reconstruct the unit’s spine — why Broken Access Control is #1, what deny-by-default means in code, the cause-over-symptom reframing, the design-era categories, and how SSRF is defended — without looking back at the lesson.
- 01. Why did Broken Access Control jump to #1 in 2021, and what does 'deny by default' mean in code?
- 02. Explain the cause-over-symptom reframing in 2021 using Sensitive Data Exposure as the example.
- 03. What is Insecure Design (A04), how is it different from a coding bug, and why can't you patch it away?
- 04. What is SSRF (A10), why did it rank despite thin data, and how do you defend against it?
- 05. Why are 'Vulnerable & Outdated Components' (A06) your problem, and what process keeps the category from drifting?
- 06. How should a senior actually read the Top 10 — as a checklist, or as something else?
If you could reconstruct each answer from memory, you hold the unit’s spine: Broken Access Control is #1 because it is both the most common and among the most damaging, fixed with server-side deny-by-default checks; the 2021 list reorganized around root causes (Cryptographic Failures, not Sensitive Data Exposure); Insecure Design names flaws no patch can close; SSRF earned its slot by practitioner vote and is defended by allowlisting and metadata lockdown; vulnerable components are your CVEs and need an SBOM plus CI scanning; and the whole list is a prioritization map, not a checklist.