Security: bhanu00/software-engineer

Security

security.md

  • Broken Access Control
  • Cryptographic Failures
  • Injection
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures
  • Software and Data Integrity Failures
  • Security Logging and Monitoring Failures
  • Server-Side Request Forgery

Salted Password & Password Hashing -

Code Analysis

  • Static Code Analysis
  • What Tools

Note

Importantly, insecure design is not always accidental. One reason is that security may not be an organization’s top priority: acting securely takes people, effort, and time, and it can slow down business processes. For example, a business unit might request that a new application be developed and released quickly to capitalize on favorable market conditions; to do this, the app’s developers might skip threat modeling or leave security features out of the app’s design.

There aren’t any published security advisories