# A04 - Insecure Design

## Description

Insecure design is a broad category representing different weaknesses expressed as "missing or ineffective control design." The difference between insecure design and insecure implementation is that design flaws are inherent to the application's architecture: a design flaw cannot be fixed by a perfect implementation, because the required control was never specified in the first place.

## Common Vulnerabilities

- Missing security controls
- Insufficient threat modeling
- Insecure design patterns
- Business logic flaws
- Missing rate limiting

## Testing Approach

Test business logic flows, analyze application architecture, and look for missing security controls or flawed design patterns.
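The following is an added example, not code from OWASP or from this page. It contrasts a password-reset code check whose design omits any attempt limit (a design flaw: a short numeric code verified without bounds is guessable no matter how correctly the comparison is coded) with a design that bounds attempts per user, invalidates the code on lockout, and makes it single-use. The account name, code value and limits are constructed sample values.

```python
import hmac
import time
from collections import defaultdict


def verify_reset_code_insecure(pending: dict, user: str, code: str) -> bool:
    """Insecure design: unlimited attempts. Even with a correct string compare,
    a 6-digit code can be exhausted because nothing in the design bounds tries."""
    return pending.get(user) == code


class ResetCodeVerifier:
    """Hardened design: a bounded number of failed attempts per user within a
    window, code invalidated on lockout, and single use after success."""

    def __init__(self, pending: dict, max_attempts: int = 5,
                 window_seconds: int = 900, clock=time.time):
        self.pending = dict(pending)            # user -> pending reset code
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                      # injectable for deterministic tests
        self.failures = defaultdict(list)       # user -> timestamps of failures

    def _recent_failures(self, user: str) -> int:
        now = self.clock()
        self.failures[user] = [t for t in self.failures[user] if now - t < self.window]
        return len(self.failures[user])

    def verify(self, user: str, code: str) -> str:
        """Returns 'ok', 'rejected' or 'locked'."""
        if self._recent_failures(user) >= self.max_attempts:
            return "locked"
        expected = self.pending.get(user)
        if expected is not None and hmac.compare_digest(expected, code):
            self.pending.pop(user, None)        # single use: consume the code
            return "ok"
        self.failures[user].append(self.clock())
        if len(self.failures[user]) >= self.max_attempts:
            self.pending.pop(user, None)        # lockout also voids the code
        return "rejected"


if __name__ == "__main__":
    # Constructed sample state: one account with a pending 6-digit reset code.
    v = ResetCodeVerifier({"alice": "492817"}, max_attempts=3)
    for guess in ("000000", "000001", "000002", "492817"):
        print(guess, "->", v.verify("alice", guess))
```

The insecure function is included only to make the design difference visible: the fix is not a different comparison but the presence of the limiting control itself.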