OWASP Top 10 — Self-Assessment
The OWASP Top 10 is the industry's reference list of the most critical web application security risks. This page is our self-assessment of how OWL addresses each 2021 category. It is an honest internal review, not a third-party penetration-test certification — where work is ongoing we say so.
1. How we address each category
| OWASP 2021 category | How OWL addresses it |
|---|---|
| A01 Broken Access Control | Access to files and folders is enforced by per-resource and per-folder keys plus share-link permissions; the check walks a resource's ancestor folders on every create/read/edit/move/delete. Because content is zero-knowledge encrypted, even a server operator cannot read it. |
| A02 Cryptographic Failures | End-to-end AES-256 content encryption, authenticated AES-256-GCM key wrapping, P-256 ECIES, bcrypt password hashing, and TLS with pinned roots. See cryptography. |
| A03 Injection | Database access uses prepared statements with bound parameters throughout, rather than string-concatenated SQL. |
| A04 Insecure Design | The product is designed zero-knowledge from the ground up: the server is architected so that even a full breach does not expose the plaintext of files or messages. |
| A05 Security Misconfiguration | Secure defaults (TLS enforced, no anonymous access) and a baseline of HTTP security response headers (HSTS, nosniff, frame/referrer policies). |
| A06 Vulnerable & Outdated Components | A CycloneDX SBOM and dependency tracking drive vulnerability response. See secure development. |
| A07 Identification & Authentication Failures | bcrypt-hashed credentials (password never leaves your device), rate limiting and failed-login lockout against brute force, hashed session/verification/reset tokens, and constant-time comparison on authentication paths. |
| A08 Software & Data Integrity Failures | Ed25519-signed update manifests with SHA-256 download verification (a tampered update is refused before it touches disk), plus HMAC-SHA-256 keyed content tags. |
| A09 Logging & Monitoring Failures | An administrative audit log of privileged actions, plus request and failed-login logs for abuse detection. |
| A10 Server-Side Request Forgery (SSRF) | Server-side outbound fetches are limited to specific, validated integrations rather than arbitrary user-supplied URLs; we continue to review this surface as integrations evolve. |
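The A08 control, an Ed25519-signed manifest followed by a SHA-256 check of the download, as an added example in Go; this is not OWL's own code, and the manifest field names and JSON layout are assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest describes one release; field names are assumptions, not OWL's real format.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the update payload
}

// VerifyUpdate checks the Ed25519 signature over the raw manifest bytes, then the
// SHA-256 of the downloaded payload. Any failure returns before a write to disk.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, fmt.Errorf("manifest signature invalid: update refused")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return nil, fmt.Errorf("manifest digest malformed: update refused")
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return nil, fmt.Errorf("payload digest mismatch: update refused")
	}
	return &m, nil
}

// SignManifest is the publisher side: hash the payload, embed the digest, sign the bytes.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) ([]byte, []byte) {
	sum := sha256.Sum256(payload)
	manifestJSON, _ := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}
```

The digest is compared in constant time and the signature is checked before the manifest is even parsed, so a tampered payload, a tampered manifest, or a manifest signed with the wrong key are all refused without touching disk.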
2. Scope & honesty
This is a point-in-time self-assessment of design and implemented controls. We have not yet completed an independent third-party penetration test or OWASP ASVS audit; when we do, we will reference it here. If you identify a gap, our coordinated vulnerability disclosure program is the place to report it — such reports are especially valued.