Airlock and the OWASP Top 10 Web Application Security Risks 2025

This site describes the OWASP Top 10 Web Application Security Risks for 2025 and how Airlock addresses them. Airlock Gateway and Airlock Microgateway deliver WAF and WAAP capabilities – Gateway as an appliance, Microgatway as a container-native solution for Kubernetes envirnonments. Airlock IAM enforces strong authentication and centralised identity and access management across applications and APIs.

Table of contents

A01:2025 Broken Access Control

Broken Access Control refers to failures in enforcing authorisation rules, allowing users to access data or functionality beyond their privileges. Common examples include insecure direct object references (IDOR), missing server-side access checks, privilege escalation, and server-side request forgery (SSRF).

How Airlock mitigates exploitation

Airlock's Gateway/Microgateway acts as a central policy enforcement point, denying access by default – only explicitly mapped resources are reachable, each configurable with roles and access restricitions. Airlock IAM propagates role information upon successful authentication, enabling consistent, session-aware authorisation decisions across all protected applications. Requests are additionally validated against defined and learned policies, providing protection against tampering, path traversal, and SSRF.

Relevant Airlock capabilities
  • Upstream authentication [IAM] and authorisation
  • Step-up and step-down authentication
  • Deny-by-default access model
  • CSRF protection
  • Deny rules for SSRF and path traversal

A02:2025 Security Misconfiguration

Applications are exposed to attack when insecure defaults, incomplete configurations, misconfigured security headers, or improper error handling are legt unaddressed.

How Airlock mitigates exploitation

Airlock provides secure defaults and a configuration model where requests are explicitly mapped to backend services. Configuration validators and policy learning reduce misconfigurations. Responses and headers are rewritten to enforce security best practices and suppress sensitive information.

Relevant Airlock capabilities
  • Secure default configuration
  • Policy learning
  • Configuration validation
  • OpenAPI specification enforcement
  • GraphQL schema validation
  • Security header Injection, header filtering and response rewriting
  • Cookie Store
  • Error page replacement

A03:2025 Software Supply Chain Failures

When third-party components, build pipelines, or update mechanisms are compromised, vulnerabilities or malicious code can be intriduced into an application undetected.

      How Airlock mitigates exploitation

      Airlock Gateway/Microgateway mitigates vulnerabilities in backend components through virtual patching and protocol termination, reducing exposure without requiring application changes. This is particularly relevant when third-party components cannot be patched immediately. The Airlock platform itself is hardened through measures such as SELinux, compiler-level protections (NX, ASLR), and strict privilege separation. The software supply chain is continuously monitored, and necessary security patches are delivered promptly outside of regular release cycles when required.

      Relevant Airlock capabilities
      • Virtual patching
      • Infrastructure as code (IaC)
      • Enforce MFA authentication
      • HTTP protocol termination and regeneration
      • Security compartments  / least privilege
      • Continuous monitoring of the software supply chain with prompt security patch delivery outside regular release cycles

      A04:2025 Cryptographic Failures

      Sensitive data is exposed when encryption is absent, weak cryptographic algorithms are used, or key management is handled insecurely.

        How Airlock mitigates exploitation

        Airlock terminates TLS with strong configurations including support for post-quantum cryptography. Sessions and cookies are protected against theft and manipulation. Authentication data is separated from applications and handled securely.

        Relevant Airlock capabilities
        • TLS termination (front-end & back-end)
        • Post-quantum cryptography support
        • HSM support

        A05:2025 Injection

        Malicious input is interpreted as commands or queries when user-supplied data is not properly validated or sanitised, enabling attacks such as SQL injection, command injection, and cross-site scripting (XSS).

          How Airlock mitigates exploitation

          Airlock detects and blocks injection attempts using deny rules and dynamic allowlisting. Protocol validation and request parsing prevent malformed or ambiguous requests from reaching applications. Rather than relying solely on signature-based detection of known exploits, Airlock's rules target attack classes and patterns - providing proactive protection against new and unknown variants.

          Relevant Airlock capabilities
          • Deny rules
          • Dynamic allowlisting & allowlist learning
          • HTTP protocol validation and regeneration
          • JSON, GraphQL, multipart parsing

          A06:2025 Insecure Design

          When security controls are missing or ineffective at the architectural level, exploitable weaknesses emerge that cannot be remediated through implementation fixes alone, but require fundamental design changes.

            How Airlock mitigates exploitation

            Airlock compensates for insecure application designs by enforcing controls at every enforcement point - from perimeter to service-to-service communication in zero-trust architectures. Rate limiting, session management, and API protection address common design weaknesses. Consistent protection is ensured across Kubernetes and VM-based deployments.

            Relevant Airlock capabilities
            • Deny-by-default access model
            • Secure segregation of tenants
            • Upstream authentication [IAM] & privilege/session management
            • Anomaly Shield (machine learning-based threat detection)
            • Native Kubernetes integration for zero-trust architectures

            A07:2025 Authentication Failures

            Weak or incorrectly implemented authentication and session management allows attackers to impersonate users or bypass login mechanisms, including through missing MFA, weak credential recovery, or lack of protection against automated attacks such as credential stuffing and brute force.

              How Airlock mitigates exploitation

              Airlock centralises authentication using Airlock IAM and supports risk-based authentication by evaluating context against historical patterns to adapt authentication strength. Sessions are protected against hijacking and manipulation.

              Relevant Airlock capabilities
              • Support for multiple authentication schemes including OIDC/OAuth2, FIDO2/Passkeys, form-based, Kerberos, client certificates (mTLS)
              • Risk-based authentication [IAM]
              • Multi-factor authentication (MFA) [IAM]
              • Secure session management / Cookie Store
              • Client fingerprinting

              A08:2025 Software or Data Integrity Failures

              Untrusted or modified code and data are processed as trusted when integrity checks are absent, enabling attacks such as insecure deserialisiation or the injection of malicious updates.

                How Airlock mitigates exploitation

                Airlock protects the communication layer between client and application and therefore has no visibility into integrity failures that occur within the application itself, such as unverified updates or unsafe dependency loading.

                Relevant Airlock capabilities
                • Signed Airlock software updates

                A09:2025 Security Logging and Alerting Failures

                When logging and alerting are insufficient or misconfigured, security incidents go undetected or unaddressed for longer, giving attackers more time to cause damage.

                  How Airlock mitigates exploitation

                  Airlock detects and logs attacks in real time and integrates with external SIEM systems to support rapid incident response and analysis.

                  Relevant Airlock capabilities
                  • Centralised logging & event generation
                  • Tracing support
                  • Metrics for allowed and blocked requests
                  • Masking of sensitive data in logs
                  • Real-time dashboards
                  • SIEM integration (CEF/JSON)

                  A10:2025 Mishandling of Exceptional Conditions

                  When unusual or unexpected conditions are not properly handled, systems may crash, leak sensitive information, or become unavailable due to denial of service.

                    How Airlock mitigates exploitation

                    Airlock detects abnormal behaviour, limits resource usage and ensures stable operation even under exceptional conditions. Backend error pages are replaced to prevent leakage of sensitive information such as stack traces or version details.

                    Relevant Airlock capabilities
                    • Anomaly Shield
                    • Rate limiting & DoS protection
                    • Backend health checks & failover clustering
                    • Error page replacement

                    Capabilites marked [IAM] are provided by Airlock IAM. All other capabilities are part of Airlock Gateway/Microgateway. Some capabilities apply to both products.

                    About OWASP

                    The Open Worldwide Application Security Project (OWASP) is a global, open community focused on improving software security. It provides free resources such as tools, documentation and standards to support organisations in building and operating secure aplications. More information: www.owasp.org

                    OWASP Top 10 Web Application Security Risks

                    The OWASP Top 10 for Web Application Security is published every three to four years and serves as a key reference for application security awareness. It highlights the most critical risks. OWASP also publishes separate Top 10 lists for APIs and non-human identities – each targeting a distinct attack surface. Airlock addresses all these threats across the full HTTP stack, combining WAF/WAAP-based request protection and authorisation enforcement with Airlock IAM for strong authentication.

                    Information for you

                    -Our whitepapers-
                    White paper: The puzzle pieces of modern authentication

                    White paper: The puzzle pieces of modern authentication

                    Identity management is like a puzzle: you have to understand the big picture, identify the relevant pieces and put them together in the right order. This white paper shows how to do that.

                     

                    Request white paper

                    Whitepaper: How to make cIAM a success

                    Increasing requirements for security and user-friendliness make Customer Identity and Access Management an essential. Read our whitepaper to find out how you can secure your competitive advantage with the right CIAM strategy.

                     

                    Request whitepaper

                    Whitepaper: Security for cloud-native applications

                    You can read about how companies can ensure the security of web applications and APIs in Kubernetes in the white paper "Security for cloud-native applications", which was created in collaboration between heise and Airlock.

                     

                    Request whitepaper

                    Whitepaper: Zero Trust is a journey

                    The ongoing digital transformation of the world is progressing and having a profound impact on our personal and professional lives in ways that were difficult to imagine just a few years ago.


                    This white paper discusses the effects of continuous digitalization and its impact.

                    Request free of charge

                    Off to DevSecOps

                    In this white paper, you will learn the most important insights into how you can implement DevSecOps successfully and efficiently, which security components are required for this and the advantages of a microgateway architecture.

                     

                    Request free of charge

                    Airlock 2FA - Strong authentication. Simple.

                    Double security - this is what two-factor authentication offers in the field of IT security.


                    Find out more about strong authentication and the possibilities offered by Airlock in our white paper.

                    Download for free

                    Further whitepapers

                    We provide you with free white papers on these and other topics:

                     

                    • Successful IAM projects
                    • compliance
                    • Data protection (DSGVO)
                    • Introduction of PSD2
                    • PCI DSS requirementsPCI DSS requirements
                    Request free of charge