# OWASP Top 10 Review (Cycle 10)

**Date**: 2026-06-25
**Framework**: OWASP Top 10:2021
**Mode**: Delta review — AZ-1113 over cycle-9 baseline (`owasp_review_cycle9.md`).

| Category | Cycle-9 status | Cycle-10 delta |
|----------|----------------|----------------|
| A01 — Broken Access Control | PASS | No change |
| A02 — Cryptographic Failures | PASS | No change |
| A03 — Injection | PASS | No change |
| A04 — Insecure Design | PASS | No change |
| A05 — Security Misconfiguration | PASS | No change |
| A06 — Vulnerable Components | PASS_WITH_WARNINGS | No new packages; D-AZ795-1 + D2-cy4 carry-overs unchanged |
| A07 — Auth Failures | PASS | No change |
| A08 — Data Integrity Failures | PASS | No change |
| A09 — Logging / Monitoring Failures | PASS_WITH_WARNINGS → **improved** | F-AZ795-1, F-AZ795-2, F-AZ810-1 **resolved**; F-AZ810-2 still open (informational) |
| A10 — SSRF | N/A | No URL-fetch changes |

## A09 detail

AZ-1113 closes the REST client-visible exception echo paths identified in cycles 7–8. Server-side logging of full exceptions is preserved (existing patterns). `error-shape.md` v1.0.1 documents the static strings for consumer reference.

**Remaining A09 item**: F-AZ810-2 (`DateTime` vs `DateTimeOffset` on `capturedAt`) — time-handling correctness, not information disclosure.

## Verdict

**PASS** (cycle-10 delta on A09 information-disclosure items).

Cumulative: **PASS_WITH_WARNINGS** — F-AZ810-2 + dependency carry-overs only.