1. Access control
- Enforce authorisation server-side on every request, at object level (does this caller own the record it asked for?) and at function level (may this role call this endpoint at all?).
- Deny by default: an action is allowed only when an explicit rule says so. Never rely on client-side checks or hidden UI elements as a control.
- Test every API for IDOR/BOLA by requesting other users' object IDs with a low-privilege account.
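The three points above in working code, as an added example that is not part of the original checklist or of CyberSigma's tooling. The document store, the users and the `is_allowed` rules are constructed for the demo; the vulnerable handler is kept beside the fixed one so the IDOR is visible.

```python
"""Object- and function-level authorization with a deny-by-default decision point.

Added example. DOCS, ALICE, BOB and ADMIN are constructed sample data, not
anything from the original checklist.
"""
from dataclasses import dataclass, field
from typing import List, Optional


class Forbidden(Exception):
    """Raised when the authorization decision is 'deny'."""


@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample data: two ordinary users, each owning one document, plus an admin.
DOCS = {
    1: Document(1, owner_id=100, body="alice's payslip"),
    2: Document(2, owner_id=200, body="bob's payslip"),
}
ALICE = User(100)
BOB = User(200)
ADMIN = User(1, roles=frozenset({"admin"}))


def get_document_vulnerable(caller: User, doc_id: int) -> Document:
    """BOLA/IDOR: the caller is authenticated, but the object ID from the
    request is used directly, so any user reads any document by changing
    the ID. This is the 'before' of the fix and is deliberately wrong."""
    return DOCS[doc_id]


def is_allowed(caller: User, action: str, resource: Optional[Document]) -> bool:
    """Single authorization decision point. Deny by default: the only way to
    get True is to match one of the explicit rules below."""
    if "admin" in caller.roles:
        return True                                   # admins may do anything
    if action == "read" and resource is not None:
        return resource.owner_id == caller.user_id    # object-level: owner only
    return False                                      # everything else: deny


def get_document(caller: User, doc_id: int) -> Document:
    """Object-level authorization on every read. 'Not found' and 'not yours'
    raise the same error, so the endpoint is not an ID-enumeration oracle."""
    doc = DOCS.get(doc_id)
    if doc is None or not is_allowed(caller, "read", doc):
        raise Forbidden(f"document {doc_id}")
    return doc


def delete_document(caller: User, doc_id: int) -> None:
    """Function-level authorization: deletion is admin-only, and the check is
    enforced here regardless of whether the UI shows the button."""
    if not is_allowed(caller, "delete", DOCS.get(doc_id)):
        raise Forbidden("delete requires admin")
    DOCS.pop(doc_id, None)


def idor_test(caller: User, doc_ids: List[int]) -> List[int]:
    """The check a tester runs against an API: which of these IDs can this
    caller read? Anything beyond the caller's own objects is a BOLA finding."""
    readable = []
    for doc_id in doc_ids:
        try:
            get_document(caller, doc_id)
            readable.append(doc_id)
        except Forbidden:
            pass
    return readable
```

`idor_test` is the same loop a tester drives with a second, low-privilege account: if the list it returns contains IDs the account does not own, the object-level check is missing. Keeping every decision inside `is_allowed` means a new rule is added in one place and the default for anything unlisted stays "deny".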
2. Input and output
- Use parameterised queries or prepared statements; never build SQL by concatenating or formatting user input into the statement.
- Encode output for the context it is rendered in (HTML body, attribute, JavaScript, URL) to prevent XSS; a single generic escape is not enough.
- Validate all input server-side against an allowlist of what is expected; client-side validation is a usability aid, not a control.
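The injection and encoding points side by side, as an added example rather than code from the original page or from CyberSigma. The SQLite table, the rows and the `USERNAME_RE` allowlist are constructed for the demo; `find_user_vulnerable` is kept deliberately injectable so the difference from the parameterised form can be seen on a real payload.

```python
"""SQL injection and XSS: string-built SQL beside its parameterised form,
allowlist validation, and HTML output encoding.

Added example. The users table, its rows and USERNAME_RE are assumptions made
for the demo, not part of the original checklist.
"""
import html
import re
import sqlite3
from typing import List, Tuple

# Allowlist for a username field (demo assumption): lowercase, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """String-built SQL: the input becomes part of the statement's syntax.
    This is the 'before' of the fix and is deliberately injectable."""
    sql = f"SELECT id, username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterised query: the value travels separately from the statement,
    so no input can change the query's structure."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_username(username: str) -> str:
    """Server-side allowlist validation. This is a second layer: it narrows
    what reaches the query but does not replace parameterisation."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return username


def render_greeting(name: str) -> str:
    """Output encoding for the HTML text and attribute contexts.
    html.escape(quote=True) also encodes ' and ", which is what stops an
    attacker breaking out of the title attribute below."""
    safe = html.escape(name, quote=True)
    return f'<p title="{safe}">Hello, {safe}</p>'
```

Run `find_user_vulnerable(conn, "x' OR '1'='1")` and every row comes back; the same string through `find_user` returns nothing, because the driver treats it as a value, not as SQL. `render_greeting` covers only the HTML body and attribute contexts; a value placed inside a `<script>` block or a URL needs that context's encoder, which is the reason for the "for the context" wording above.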
3. Authentication and sessions
- Enforce MFA and a password policy that favours length and screening against known-breached passwords over complexity rules.
- Issue short-lived sessions with unpredictable IDs; rotate the session ID on login and on any privilege change, and invalidate it on logout.
- Throttle brute force and credential stuffing with rate limits and lockouts, and treat a login attempt with a known-breached password as a signal, not just a failure.
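Session rotation, expiry and login throttling in one place, as an added example that is not from the original page or from CyberSigma. The in-memory stores, `ManualClock`, the sample credentials and the limits (15-minute sessions, 5 failures per 10 minutes, 100,000 PBKDF2 rounds) are assumptions made for the demo.

```python
"""Session lifecycle (issue, rotate, expire, logout) plus brute-force lockout.

Added example. USERS, ManualClock and the three limits below are demo
assumptions, not values from the original checklist.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

SESSION_TTL = 15 * 60       # seconds; short-lived sessions (assumption)
MAX_FAILURES = 5            # failed logins allowed per window (assumption)
FAILURE_WINDOW = 10 * 60    # seconds (assumption)
PBKDF2_ROUNDS = 100_000


class ManualClock:
    """Injectable clock so expiry and lockout can be exercised without sleeping."""
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


# Constructed sample credentials: only salt + hash are stored, never plaintext.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2-but-longer"),
}


class SessionStore:
    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Tuple[str, float]] = {}   # token -> (user, expires_at)
        self._failures: Dict[str, List[float]] = {}         # user -> failure timestamps

    def _locked_out(self, username: str) -> bool:
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t < FAILURE_WINDOW]
        self._failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def _issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, self._clock() + SESSION_TTL)
        return token

    def login(self, username: str, password: str, old_token: Optional[str] = None) -> Optional[str]:
        """Fresh session token on success; None on bad credentials or lockout.
        Any pre-login token is discarded so a fixated session ID cannot survive login."""
        if self._locked_out(username):
            return None
        record = USERS.get(username)
        # Always run the hash, against a dummy when the user is unknown, so
        # response time does not reveal which usernames exist.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        ok = hmac.compare_digest(hash_password(password, salt), expected) and record is not None
        if not ok:
            self._failures.setdefault(username, []).append(self._clock())
            return None
        self._failures.pop(username, None)
        if old_token:
            self._sessions.pop(old_token, None)
        return self._issue(username)

    def current_user(self, token: str) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            self._sessions.pop(token, None)   # expired: treat as logged out
            return None
        return username

    def rotate(self, token: str) -> Optional[str]:
        """Re-issue the session ID (e.g. after a privilege change); the old ID dies."""
        username = self.current_user(token)
        if username is None:
            return None
        self._sessions.pop(token, None)
        return self._issue(username)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

The lockout here is keyed on the username, which is the simplest form and also the one an attacker can turn into a denial of service by hammering a victim's account; in production combine it with per-source rate limiting and MFA rather than relying on account lockout alone. Rotation on login (`old_token`) is what defeats session fixation, and `rotate` is the call to make after an MFA step-up or a role change.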
4. Configuration and components
- Harden servers: remove default accounts, sample content and unused features, and return generic error pages instead of stack traces or verbose errors.
- Inventory third-party components with software composition analysis (SCA) and patch them on a defined cadence; you cannot patch what you have not inventoried.
- Centralise logs (authentication events, access-control failures, input validation failures) and alert on them, so an attack is noticed while it is in progress.
How CyberSigma helps
Our application security testing verifies each of these against the OWASP ASVS and gives your developers precise, prioritised fixes.
This guide is educational and not legal advice. Requirements evolve — validate specifics against the current standard or regulation for your situation.
