Insecure Design highlights risks that stem from flawed application architecture or logic, rather than implementation bugs. It’s about building systems without considering security from the start—like missing threat modeling, insecure workflows, or lack of design validation. Unlike coding errors, insecure design means the system works as intended—but that intention is insecure. Examples include allowing brute-force attacks due to lack of rate limits or not validating critical actions like password changes.
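The two design gaps named above, closed at the design level, as an added example that is not code from the original page: one shared verification path applies a failure throttle to login and makes a password change re-prove the current password. The `AccountService` class, its method names and the 5-failures-per-300-seconds policy are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed policy: failed attempts allowed per window
WINDOW_SECONDS = 300    # assumed policy: sliding window length in seconds

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountService:  # hypothetical in-memory service, illustrative names
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}                      # username -> (salt, hash)
        self._failures = defaultdict(deque)   # username -> failure timestamps

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def _throttled(self, username):
        now = self._clock()
        q = self._failures[username]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                       # drop failures outside the window
        return len(q) >= MAX_FAILURES

    def _verify(self, username, password):
        # Throttle is checked before any password comparison happens.
        if self._throttled(username):
            return "throttled"
        # Unknown users take the same path with a dummy salt and empty hash.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            self._failures[username].append(self._clock())
            return "denied"
        self._failures[username].clear()
        return "ok"

    def login(self, username, password):
        return self._verify(username, password)

    def change_password(self, username, current_password, new_password):
        # Critical action: the caller must re-prove the current password,
        # and wrong guesses here count against the same throttle as login.
        result = self._verify(username, current_password)
        if result == "ok":
            self.register(username, new_password)
        return result
```

A deployed version would keep the failure counters in shared storage so the limit holds across application instances.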