OWASP Top 10 — Self-Assessment

The OWASP Top 10 is the industry's reference list of the most critical web application security risks. This page is our self-assessment of how OWL addresses each 2021 category. It is an honest internal review, not a third-party penetration-test certification — where work is ongoing we say so.

Part of NDEVR's compliance & conformity program · Report a security issue: disclosure policy.

1. How we address each category

OWASP 2021 category, followed by how OWL addresses it:

A01 Broken Access Control
  Access to files and folders is enforced by per-resource and per-folder keys plus share-link permissions, checked from ancestors on every create/read/edit/move/delete. Because content is zero-knowledge encrypted, even a server operator cannot read it.

A02 Cryptographic Failures
  End-to-end AES-256 content encryption, authenticated AES-256-GCM key wrapping, P-256 ECIES, bcrypt password hashing, and TLS with pinned roots. See cryptography.

A03 Injection
  Database access uses prepared statements with bound parameters throughout, rather than string-concatenated SQL.

A04 Insecure Design
  The product is designed zero-knowledge from the ground up: the server is architected so that even a full breach does not expose the plaintext of files or messages.

A05 Security Misconfiguration
  Secure defaults (TLS enforced, no anonymous access) and a baseline of HTTP security response headers (HSTS, nosniff, frame/referrer policies).

A06 Vulnerable & Outdated Components
  A CycloneDX SBOM and dependency tracking drive vulnerability response. See secure development.

A07 Identification & Authentication Failures
  bcrypt-hashed credentials (password never leaves your device), rate limiting and failed-login lockout against brute force, hashed session/verification/reset tokens, and constant-time comparison on authentication paths.

A08 Software & Data Integrity Failures
  Ed25519-signed update manifests with SHA-256 download verification (a tampered update is refused before it touches disk), plus HMAC-SHA-256 keyed content tags.

A09 Logging & Monitoring Failures
  An administrative audit log of privileged actions, plus request and failed-login logs for abuse detection.

A10 Server-Side Request Forgery (SSRF)
  Server-side outbound fetches are limited to specific, validated integrations rather than arbitrary user-supplied URLs; we continue to review this surface as integrations evolve.
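The A08 row describes the update-verification gate in one sentence: an Ed25519 signature over the manifest, then a SHA-256 check of the download, and no write to disk unless both pass. The following Go program is an added illustration of that check, not OWL's code; the manifest fields, file names and the in-process key generation are constructed for the example, and a real client would carry the release public key pinned in the binary rather than generating one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update manifest; it is not OWL's real format.
// The Ed25519 signature covers the canonical JSON encoding of these fields.
type Manifest struct {
	Version string `json:"version"`
	File    string `json:"file"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the update payload
}

// SignedManifest is the manifest together with the release key's signature over it.
type SignedManifest struct {
	Manifest  Manifest `json:"manifest"`
	Signature []byte   `json:"signature"`
}

// canonical returns the exact bytes that are signed and verified. encoding/json
// emits struct fields in declaration order with no whitespace, so both sides agree.
func canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// digestHex computes the hex SHA-256 that the release pipeline writes into the manifest.
func digestHex(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// signManifest stands in for the release pipeline so the example is self-contained.
func signManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	msg, err := canonical(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(priv, msg)}, nil
}

// verifyUpdate is the client-side gate. The signature is checked first, so the digest
// in an unsigned or altered manifest is never trusted; only when both checks pass does
// the caller proceed to write the payload to disk.
func verifyUpdate(pinned ed25519.PublicKey, sm SignedManifest, payload []byte) error {
	msg, err := canonical(sm.Manifest)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pinned, msg, sm.Signature) {
		return errors.New("manifest signature invalid: update refused")
	}
	want, err := hex.DecodeString(sm.Manifest.SHA256)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest digest malformed: update refused")
	}
	got := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return errors.New("payload digest mismatch: update refused")
	}
	return nil
}

func main() {
	// Constructed demo: generate a release key pair, sign a manifest, verify a payload.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update payload bytes")
	m := Manifest{Version: "1.2.3", File: "owl-1.2.3.bin", SHA256: digestHex(payload)}
	sm, err := signManifest(priv, m)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine payload:", verifyUpdate(pub, sm, payload))
	fmt.Println("tampered payload:", verifyUpdate(pub, sm, []byte("tampered")))
}
```

The order of the two checks is the design point: a digest alone only proves the download matches the manifest, and a manifest that is not signed by the pinned key proves nothing, so the signature must be validated before the digest is even read. Canonicalising the signed bytes (here, fixed-order JSON) is what keeps signer and verifier in agreement.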
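The A07 row lists hashed verification/reset tokens and constant-time comparison on authentication paths. The Go program below is an added example of how those two controls fit together, written for this page and not taken from OWL: it uses the common "selector.verifier" token layout (the selector is a public lookup key, the verifier is the secret), stores only the SHA-256 of the verifier, and compares in constant time. The in-memory map stands in for the database table, and the token format is an assumption of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// tokenRecord is what the server persists: the SHA-256 of the secret half, the
// owner and the expiry. The secret itself is never stored, so a copy of the table
// does not yield usable tokens.
type tokenRecord struct {
	verifierHash [32]byte
	userID       string
	expires      time.Time
}

// tokenStore is an in-memory stand-in for the token table (constructed for the example).
type tokenStore struct {
	bySelector map[string]tokenRecord
}

func newTokenStore() *tokenStore {
	return &tokenStore{bySelector: make(map[string]tokenRecord)}
}

// hashVerifier hashes the high-entropy secret half. Plain SHA-256 is adequate here
// because the verifier is 256 random bits; bcrypt is reserved for user-chosen passwords.
func hashVerifier(verifier string) [32]byte {
	return sha256.Sum256([]byte(verifier))
}

// issue creates a "selector.verifier" token: a 128-bit selector for lookup and a
// 256-bit verifier as the secret. Only the hash of the verifier is persisted; the
// plaintext token is returned once, to be delivered to the user (e.g. in a reset link).
func (s *tokenStore) issue(userID string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 16+32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	selector := hex.EncodeToString(raw[:16])
	verifier := hex.EncodeToString(raw[16:])
	s.bySelector[selector] = tokenRecord{
		verifierHash: hashVerifier(verifier),
		userID:       userID,
		expires:      now.Add(ttl),
	}
	return selector + "." + verifier, nil
}

// consume validates a presented token and, on success, deletes it so a reset or
// verification link works exactly once. The lookup uses the non-secret selector;
// the secret half is compared in constant time against the stored hash, so the
// response time does not depend on how many bytes of the verifier were correct.
func (s *tokenStore) consume(token string, now time.Time) (string, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	rec, ok := s.bySelector[parts[0]]
	if !ok {
		return "", errors.New("invalid token")
	}
	presented := hashVerifier(parts[1])
	if subtle.ConstantTimeCompare(rec.verifierHash[:], presented[:]) != 1 {
		return "", errors.New("invalid token")
	}
	// Whether valid or expired, the record is spent after this point.
	delete(s.bySelector, parts[0])
	if !now.Before(rec.expires) {
		return "", errors.New("token expired")
	}
	return rec.userID, nil
}

func main() {
	s := newTokenStore()
	now := time.Now()
	tok, err := s.issue("user-42", time.Hour, now)
	if err != nil {
		panic(err)
	}
	uid, err := s.consume(tok, now.Add(10*time.Minute))
	fmt.Println("first use:", uid, err)
	_, err = s.consume(tok, now.Add(11*time.Minute))
	fmt.Println("second use:", err)
}
```

Splitting the token into a selector and a verifier means the database lookup itself never touches the secret, and the only comparison involving secret material is the constant-time one over two fixed-length hashes.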
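The A10 row says outbound fetches are limited to specific, validated integrations rather than arbitrary URLs. As an added example (not OWL's implementation), the Go program below shows what such validation typically needs to cover: an allowlist of integration hosts, an https-only rule, no embedded credentials, no IP literals, the default port only, and a second check at connect time on the resolved address so that a DNS answer pointing into loopback, link-local or private ranges is refused even for an allowlisted name. The host names in the allowlist are hypothetical placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// integrationHosts is a constructed allowlist of the only hosts the server may fetch
// from; the names are placeholders, not OWL's real integrations.
var integrationHosts = map[string]bool{
	"webhooks.example-integration.test": true,
	"api.example-storage.test":          true,
}

// validateOutboundURL accepts a URL only when it is https, carries no embedded
// credentials, names an allowlisted DNS name (never an IP literal) and uses the
// default port. Anything else is rejected before a request is built.
func validateOutboundURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if !strings.EqualFold(u.Scheme, "https") {
		return nil, errors.New("scheme must be https")
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || net.ParseIP(host) != nil {
		return nil, errors.New("host must be a DNS name from the allowlist")
	}
	if !integrationHosts[host] {
		return nil, fmt.Errorf("host %q is not an approved integration", host)
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, errors.New("non-default port not allowed")
	}
	return u, nil
}

// rejectInternalAddress runs on the resolved address at connect time (for example
// from a custom dialer), so a DNS record for an allowlisted name that resolves to an
// internal range is still refused. The allowlist check alone does not cover this.
func rejectInternalAddress(ip net.IP) error {
	if ip == nil {
		return errors.New("unparseable address")
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast() {
		return fmt.Errorf("address %s is not routable to an integration", ip)
	}
	return nil
}

func main() {
	for _, raw := range []string{
		"https://webhooks.example-integration.test/v1/event",
		"http://webhooks.example-integration.test/v1/event",
		"https://127.0.0.1/",
		"https://other.test/",
	} {
		_, err := validateOutboundURL(raw)
		fmt.Printf("%-55s -> %v\n", raw, err)
	}
	fmt.Println("203.0.113.5 ->", rejectInternalAddress(net.ParseIP("203.0.113.5")))
	fmt.Println("10.0.0.5    ->", rejectInternalAddress(net.ParseIP("10.0.0.5")))
}
```

The two functions guard different layers: validateOutboundURL decides whether a request may be constructed at all, and rejectInternalAddress decides whether the socket may be opened once the name has been resolved. Keeping the second check at the dialer is what closes the gap between "the name is approved" and "the address it resolves to right now is safe to connect to".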

2. Scope & honesty

This is a point-in-time self-assessment of design and implemented controls. We have not yet completed an independent third-party penetration test or OWASP ASVS audit; when we do, we will reference it here. If you identify a gap, our coordinated vulnerability disclosure program is the place to report it — such reports are especially valued.