How Broken Access Control Became OWASP's Top Security Risk

DEV Community·137Foundry·about 1 month ago

OWASP, the Open Web Application Security Project, publishes a periodically updated list of the most critical web application security risks. In the 2021 edition, broken access control moved into the top position, displacing injection vulnerabilities that had held that rank for years. This wasn't because access control suddenly became more vulnerable. It was because broken access control became more prevalent and more consequential as web applications grew more complex, more interconnected, and more capable of handling sensitive data at scale. Understanding why broken access control dominates the landscape is the first step to building systems that don't contribute to it.

What Broken Access Control Actually Means

Access control is the set of policies that determines which users can access which resources and perform which actions.…
