#4 - Insecure design

A perfect implementation cannot fix an insecure design; effective security controls are required to protect against certain threats. To prevent known attack methods, developers must routinely assess threats and make sure that code is robustly designed and tested. Use threat modeling for crucial key flows, access control, business logic, and authentication. Establish and use Architecture Risk Assessment protocols to help evaluate and design security and privacy-related controls.