What does OWASP stand for?

OWASP stands for Open Web Application Security Project. It is a free, open, non-profit global community founded in 2001 (non-profit since 2004) that produces freely available articles, methodologies, documentation, tools, and technologies to help organizations make web applications safer.

What is the #1 risk in the OWASP Top 10 (2021)?

The #1 risk is Broken Access Control. It maps to 34 CWEs, was found in up to 94.55% of tested apps, and affected 318,487 of the 500,000+ applications studied — meaning users could access things they should not be able to access.

What is the difference between authentication and authorization?

Authentication answers "who are you?" — proving identity, for example with a password or biometric. Authorization answers "what can you do?" — checking permissions, for example whether you are allowed to delete a record. Both must be enforced; authentication alone does not protect resources.

How do you prevent Broken Access Control?

Deny by default, enforce access checks server-side (never trust client-side), implement access control logic once and reuse it, enforce record ownership so users can only CRUD their own data, disable directory listings, invalidate JWTs on logout, rate-limit APIs, log all failures, and test like an attacker.

What is the difference between CWE, CVE, and CVSS?

CWE is a general category of a software weakness, such as path traversal. CVE is a specific named vulnerability in a real product, such as Log4Shell. CVSS is a 1–10 scoring system that rates how exploitable and impactful a vulnerability is.

ASVS is the OWASP Application Security Verification Standard — an actionable checklist you run against your application. The Top 10 tells you what the problems are; ASVS tells you how to build against them.

Who is Syed Mohamad Arif?

Syed Mohamad Arif is a Frontend and Mobile Developer based in Kuala Lumpur, Malaysia, with 5 years of experience building cross-platform applications with React Native, React, and TypeScript. He currently works as a Mobile App Developer at Paywatch Malaysia and is the creator of the Hikayat Daily Global app on Google Play.

Who created Hikayat Daily Global?

Hikayat Daily Global was created by Syed Mohamad Arif, a Malaysian React Native developer. The Android app is published on the Google Play Store at https://play.google.com/store/apps/details?id=com.hikayatdailyglobal.

LokalGig is a Malaysian local services marketplace connecting freelancers with clients for everyday gigs and side projects. It was built end-to-end by Syed Mohamad Arif with React, TypeScript, Tailwind, Supabase, and Vercel, and is live at https://lokalgig.my/.

What technologies does Syed Mohamad Arif specialize in?

Syed Mohamad Arif specializes in React Native and Expo for cross-platform mobile apps, and React, Next.js, and TypeScript for web. His regular toolkit also includes Tailwind CSS, Redux, React Query, Firebase, Supabase, PostgreSQL, and CI/CD pipelines through Azure DevOps, Expo EAS, and Codemagic.

Is Syed Mohamad Arif available for freelance or contract work?

Yes. Syed Mohamad Arif offers freelance website and mobile app development services to clients in Malaysia and remotely worldwide. Engagements typically cover design in Figma, development in React or React Native, and full deployment to Vercel and the App Store / Play Store. Reach him at syedarifjr@gmail.com or +60 14-529 7072.

Where is Syed Mohamad Arif based?

Syed Mohamad Arif is based in Sentul, Kuala Lumpur, Malaysia, and is open to remote work worldwide.

How can I contact Syed Mohamad Arif?

Email: syedarifjr@gmail.com. Phone / WhatsApp: +60 14-529 7072. LinkedIn: https://linkedin.com/in/syedmhdarif. GitHub: https://github.com/syedmhdarif.

How do I hire a mobile app developer in Malaysia?

You can hire Syed Mohamad Arif directly as a freelance mobile app developer based in Kuala Lumpur, Malaysia. He builds cross-platform iOS and Android apps with React Native and Expo, handles design in Figma, development in TypeScript, and full submission to the App Store and Play Store. Email syedarifjr@gmail.com or WhatsApp +60 14-529 7072 to start a conversation.

Where can I find a freelance React Native developer in Kuala Lumpur?

Syed Mohamad Arif is a freelance React Native developer based in Kuala Lumpur, Malaysia, with 5 years of professional experience and live apps on the Google Play Store (Hikayat Daily Global, Hikayat Diri). He works with clients across Malaysia — including Petaling Jaya, Shah Alam, and Selangor — and remotely worldwide. Visit https://syedmohamadarif.site for projects and contact details.

How much does it cost to build a mobile app in Malaysia?

Cost depends on scope, integrations, and timeline. A basic single-platform MVP typically starts in the low five figures MYR; a full cross-platform iOS and Android app with auth, payments, push notifications, and store submission usually lands in the mid-to-high five figures MYR. Syed Mohamad Arif provides clear, fixed-scope quotes after a free discovery call. Reach out at syedarifjr@gmail.com for a tailored estimate.

Do you build both iOS and Android apps?

Yes. Syed Mohamad Arif builds cross-platform iOS and Android apps from a single React Native + Expo codebase, with native modules where needed. Full release pipelines run through Expo EAS or Codemagic, including Apple App Store and Google Play Store submission.

Do you offer both UI/UX design and development?

Yes. Syed Mohamad Arif works across the full product lifecycle — UI/UX design and prototyping in Figma, development in TypeScript with React or React Native, testing, CI/CD, and deployment. This bridges the gap between design and engineering and avoids handoff friction.

Do you work with Malaysian SMEs and startups?

Yes. Syed Mohamad Arif works with Malaysian SMEs, startups, and international clients on websites, web apps, and cross-platform mobile apps. Engagements run remotely across Malaysia (Kuala Lumpur, Selangor, Penang, Johor) and worldwide. Invoicing supported in MYR or USD.

OWASP Top 10 — Key Takeaways – Learning Space

Q: What is the OWASP Top 10?

The OWASP Top 10 is an awareness document that lists the most critical web application security risks. It is published roughly every 3–4 years. The current 2021 edition is based on data from 500,000+ applications — the largest dataset OWASP has ever used — with 8 of 10 categories derived from data and 2 from practitioner surveys.

What is OWASP?

OWASP stands for Open Web Application Security Project — a free, open, non-profit global community founded in 2001 (non-profit since 2004), dedicated to making web applications safer worldwide.

Core Value	What it Means
Open	Everything is transparent — code, finances, documents
Innovation	Encourages experimentation, hackathons, CTFs
Global	Inclusive of everyone, everywhere
Integrity	Vendor-neutral — no product bias

Anyone can join — beginners welcome. Members are volunteers from all walks of the tech world.

What is the OWASP Top 10?

An awareness document listing the most critical web application security risks, published roughly every 3–4 years.

•Latest edition: 2021
•Based on data from 500,000+ applications — the largest dataset OWASP has ever used
•8 of 10 categories derived from hard data
•2 of 10 derived from security practitioner surveys
•Focus shifted to root causes (e.g. bad cryptography) over symptoms (e.g. exposed credit card data)

Key Terminology

Term	Simple Definition
CWE	General category of a software weakness (e.g. "path traversal")
CVE	A specific, named vulnerability in a real product (e.g. Log4j)
CVSS	A scoring system (1–10) for how exploitable or impactful a vulnerability is
ASVS	OWASP's Application Security Verification Standard — an actionable checklist you run against your app

The 2021 OWASP Top 10 at a Glance

#	Risk	One-liner
1	Broken Access Control	Users can access things they shouldn't
2	Cryptographic Failures	Weak or missing encryption exposes data
3	Injection	Attackers execute unauthorized commands (was #1 in 2017)
4	Insecure Design	Poor architecture makes security impossible
5	Security Misconfiguration	Default settings, wrong configs left exposed
6	Vulnerable & Outdated Components	Unpatched third-party libraries
7	Identification & Auth Failures	Weak login/session mechanisms
8	Software & Data Integrity Failures	Untrusted updates, CI/CD pipeline risks
9	Security Logging & Monitoring Failures	No logs = no visibility into attacks
10	Server-Side Request Forgery (SSRF)	Server tricked into making unintended requests

Deep Dive: Broken Access Control (#1)

Why it's #1 — The Numbers

Metric	Value
CWEs mapped	34
Apps affected (max)	55.97%
Max coverage	94.55% — nearly every app tested had this issue
Exploit score	6.92 / 10
Impact score	5.93 / 10
Total vulnerable apps	318,487 out of 500,000+
Unique exploit paths (CVEs)	19,013

Authentication vs Authorization

Don't confuse them — both must be enforced.

Authentication  →  WHO are you? (Proving your identity)
Authorization   →  WHAT can you do? (Your permissions)

Types of Access Control

Type	How it Works
RBAC (Role-Based)	Access based on your role: user / admin / superuser
DAC (Discretionary)	Access based on user identity or group membership
MAC (Mandatory)	Access based on sensitivity labels assigned to data
Permission-Based	Access based on specific action strings: read / write / delete

Common Attack Scenarios

•Changing URL params: ?account=john → ?account=admin
•Force-browsing to /admin without being an admin
•Privilege escalation — acting as a higher-level user
•JWT token tampering or replay after logout
•CORS misconfiguration exposing APIs to unintended origins
•Using unauthorized HTTP methods (e.g. DELETE) on API endpoints

How to Protect Your App

Principle	Action
Deny by default	Block everything unless explicitly granted
Enforce server-side	Never trust client-side access checks
Implement once, reuse	Standardize access control logic across the app
Enforce record ownership	Users should only CRUD their own data
Disable directory listings	Don't expose your app's file structure
Invalidate JWT on logout	Prevent token replay attacks
Rate-limit APIs	Minimize damage if a breach occurs
Log all failures	Track and alert on unauthorized access attempts
Test like an attacker	Include security-focused QA, not just happy-path

Final Takeaways

1. OWASP Top 10 ≠ Your Top 10 — Use it as a baseline awareness document. Your specific app may have different priority risks.

2. Build security in from the start — Retrofitting access control is harder and costlier than doing it right during design.

3. Use ASVS alongside the Top 10 — The Top 10 tells you what the problems are. ASVS tells you how to build against them.

4. Access control is only effective if enforced server-side — Client-side checks can always be bypassed. The server is the source of truth.

5. Keep watching for updates — The Top 10 refreshes every 3–4 years. Next edition expected around 2024–2025.

Based on the OWASP Top 10 (2021) — InfoSec Skills Learning Path by John Wagnon (F5 Networks)