
Senegal SME OWASP web app audit: 25 vulnerabilities checklist (2026)

Mohamed Bah · Founder, Kolonell
June 2, 2026

Senegal SME OWASP audit: why in 2026

Senegalese SMEs deploy e-commerce sites (Wave/Orange Money), customer portals (banks, insurers, clinics) and business apps (logistics, HR). 78% of these apps had never been security-audited (sample of 65 Kolonell audits, 2024-2025).

Observed consequences: two clinic patient-data leaks in Dakar (2024), one e-commerce database compromise (card data exposed), six political defacements (2024-2025 ANSSI Senegal reporting cycles).

Regulatory framework: the CDP (Personal Data Commission), under Law 2008-12 and decree 2008-721, can impose fines of up to 100 M FCFA. ANSSI Senegal has published sector vulnerability bulletins (banks, telecoms, healthcare) since 2024.

This checklist covers the OWASP Top 10 (2021) plus 15 Senegal-context vulnerabilities, using open source tools only (0 FCFA in licenses).

The 25 vulnerabilities to audit

A01 — Broken Access Control (most critical)

  • IDOR (Insecure Direct Object Reference). URL `/api/invoices/123` accessible without checking that invoice 123 belongs to the authenticated user. Test: change the ID in the URL. Fix: server-side authorization middleware, never client-side checks.
  • Path traversal. Parameter `?file=../../etc/passwd` reads system files. Fix: file whitelist, `path.resolve` + prefix check against the allowed directory.
  • Forced browsing. `/admin/dashboard` accessible without the admin role. Fix: role-check middleware on every private route.
  • Privilege escalation. Normal user self-assigns the admin role via the API `PATCH /users/me {role: 'admin'}`. Fix: whitelist the modifiable fields, never `Object.assign(user, req.body)`.

A02 — Cryptographic Failures

  • Passwords stored in plaintext / MD5 / SHA-1. Four SMEs audited in 2024 were storing MD5 hashes. Fix: bcrypt with cost 12 minimum, or Argon2id.
  • Weak TLS (TLS 1.0/1.1, RC4 ciphers). Test: `testssl.sh https://yoursite.sn`. Fix: TLS 1.2+ only, Mozilla "intermediate" cipher profile.
  • Secrets in plaintext in the Git repo. API keys and DB passwords committed. Test: `git log -p | grep -i "password\|api_key"`. Fix: `.env.local` in `.gitignore`, immediate rotation if exposed.

A03 — Injection

  • SQL Injection. `SELECT * FROM users WHERE id = ${req.query.id}`. Test: `sqlmap -u "https://site.sn/?id=1"`. Fix: parameterized queries (Prisma, prepared statements).
  • NoSQL Injection. `db.users.find({email: req.body.email})` with body `{email: {$ne: null}}`. Fix: type validation (zod), reject objects where a string is expected.
  • Command Injection. ``exec(`convert ${userFile} out.pdf`)`` with userFile = `; rm -rf /`. Fix: never pass user input to a shell; use `spawn` with an argument array.
  • Stored XSS (Cross-Site Scripting). User comment containing HTML rendered unescaped. Fix: escape output (React does this by default), strict CSP, HttpOnly cookies.

A04 — Insecure Design

  • No login rate limiting. Brute force possible. Fix: 5 attempts / 15 min per IP + email (use `express-rate-limit` or Next.js middleware).
  • Predictable password recovery. Token = MD5(email+timestamp). Fix: `crypto.randomBytes(32).toString('hex')`, 1h expiry, single-use.

A05 — Security Misconfiguration

  • Missing HTTP headers. No HSTS, CSP, X-Frame-Options. Test: securityheaders.com. Fix: Helmet middleware or Next.js `headers()` config.
  • Verbose errors in prod. Stack trace exposed. Fix: generic error page, server-side logs only.
  • Debug endpoints exposed. `/api/debug`, `/phpinfo.php`. Test: `nikto -h https://site.sn`. Fix: remove in prod.

A06 — Vulnerable Components

  • Outdated dependencies. Test: `npm audit`, `pip-audit`, `composer audit`. Fix: Dependabot/Renovate automated update PRs.

A07 — Authentication Failures

  • No MFA. Admin account without 2FA. Fix: mandatory TOTP for admins (see the SME MFA article below).
  • Session ID in URL. `?sessionid=abc123` leaks via the Referer header. Fix: session in a cookie with `HttpOnly`, `Secure`, `SameSite=Lax`.

A08 — Software & Data Integrity Failures

  • Unsigned CDN. \