A framework for encoding application security vulnerabilities through Mary Shelley's 1818 masterwork
The Frankenstein OWASP Trilogy: Legacy Parts → Leaking Genius → System Catastrophe
Original artwork © 2025 Narnaiezzsshaa Truong | Cybersecurity Witwear
Introduction: The Monster in the Mirror
Mary Shelley published Frankenstein in 1818. The OWASP Top 10 was first published in 2003. Yet Shelley's novel anticipates every major category of application security failure—185 years before we had terminology for them.
Victor Frankenstein's tragedy isn't just a Gothic horror story. It's a systematic encoding of what happens when creators build powerful systems without responsibility, oversight, or security controls. Every OWASP vulnerability is enacted in the narrative. The creature's suffering and Victor's destruction stem from the same root cause: creation without control.
This article presents a comprehensive framework for teaching OWASP Top 10 through Frankenstein's narrative, with editorial compressions designed for pattern recognition and memory retention.
The Framework: Frankenstein's Security Failures
Methodology
Each OWASP category maps to a specific failure in Frankenstein's story. The framework uses three components:
- OWASP Category: The official vulnerability classification
- Frankenstein Mapping: How the vulnerability manifests in the narrative
- Editorial Compression: A 5-10 word phrase capturing the core failure pattern
This structure enables rapid pattern recognition while maintaining technical precision.
A01: Broken Access Control
Frankenstein Mapping: The creature escapes the boundaries Victor intended
Editorial Compression: "You built it, but you never gated it."
The Narrative
Victor creates the creature but establishes no boundaries, no access controls, no authorization mechanisms. The creature escapes the laboratory, enters society, accesses Victor's family, destroys what Victor values most. This is textbook broken access control: powerful capability with no authorization layer, no identity verification, no enforcement of intended boundaries.
The Security Parallel
Modern applications repeat Victor's mistake constantly: they create functionality without authorization checks, build features without access control layers, ship capabilities without enforcing who can use them. Like Victor's creature, these unconstrained features escape their intended scope and cause havoc.
Key insight: You built the creature. You shipped the feature. But you never gated it.
A02: Cryptographic Failures
Frankenstein Mapping: Victor's secrets are exposed; no protection for sensitive knowledge
Editorial Compression: "No cipher guards the forbidden spark."
The Narrative
Victor's research—the secret of life itself—remains unprotected. His journals lie scattered, readable by anyone (including the creature). The "forbidden spark" that reanimates dead tissue is never encrypted, never secured, never protected from unauthorized access. This exposure enables the creature to understand his own creation and fuels his rage at Victor's abandonment.
The Security Parallel
Sensitive data—customer information, intellectual property, authentication secrets—left unencrypted in databases, config files, or repositories. The "forbidden spark" of your business (trade secrets, user data, proprietary algorithms) exposed to anyone with access. Like Victor's journals, unencrypted data tells anyone who reads it exactly how to exploit what you've built.
Key insight: The most dangerous knowledge requires the strongest protection. Victor had neither.
A03: Injection
Frankenstein Mapping: Victor's ambition injects unchecked logic into nature's system
Editorial Compression: "Unvalidated ambition corrupts the host."
The Narrative
Victor's ambition literally injects foreign logic into nature's operating system. He introduces code (his reanimation technique) into a host (dead matter) without validation, without understanding consequences, without checking if the host can safely process these inputs. The result: corruption of the natural order, unintended execution of malicious outcomes, system compromise.
The Security Parallel
Injection attacks insert malicious code into a trusted context—SQL queries, command interpreters, XML parsers. Like Victor's unvalidated reanimation process, these attacks succeed when applications accept input without validation, allowing attacker-controlled data to be executed as code. The ambition (user input, external data) corrupts the host (database, system, application).
Key insight: Input without validation is ambition without ethics—both corrupt the system they touch.
A04: Insecure Design
Frankenstein Mapping: The creature was architected without ethical safeguards
Editorial Compression: "Design without refusal births chaos."
The Narrative
Victor's fundamental design is insecure from inception. He never considers: What if the creature is rejected by society? What if it experiences suffering? What if it seeks revenge? He builds no safeguards, no contingency plans, no "refusal logic" that might prevent catastrophic outcomes. The design itself—reanimating the dead without considering consequences—is inherently insecure.
The Security Parallel
Insecure design means security wasn't considered during architecture. No threat modeling. No abuse case analysis. No consideration of what attackers might do with the functionality. Like Victor's creature, these systems are fundamentally flawed from conception—adding security controls later can't fix architectural decisions made without security input.
Key insight: Design without refusal logic (security constraints, ethical guardrails, threat modeling) births chaos regardless of implementation quality.
A05: Security Misconfiguration
Frankenstein Mapping: Victor fails to secure his lab, his journals, his legacy
Editorial Compression: "Misconfigured genius leaks threat vectors."
The Narrative
Victor is brilliant—a genius scientist capable of achieving what no one else has. Yet he leaves his laboratory unsecured (anyone could enter), his journals unprotected (the creature reads them), his notes scattered (information leakage everywhere). His genius doesn't extend to security practices. The misconfiguration isn't technical incompetence—it's security negligence by someone who should know better.
The Security Parallel
Brilliant developers build sophisticated applications, then deploy them with default credentials, debug mode enabled, error messages exposing internals, or public S3 buckets. Technical excellence doesn't equal security competence. Like Victor's misconfigured lab, these systems leak threat vectors through configuration failures rather than code flaws.
Key insight: Genius without security hygiene is vulnerability waiting to be exploited.
A06: Vulnerable and Outdated Components
Frankenstein Mapping: Victor uses outdated anatomical knowledge
Editorial Compression: "Legacy parts, stitched without audit."
The Narrative
Victor literally stitches together legacy components—body parts from corpses, based on outdated anatomical understanding. He doesn't audit these components for integrity, doesn't verify they'll work together safely, doesn't consider what vulnerabilities they might introduce. The result: a being whose component parts were never designed to function together, creating systemic instability.
The Security Parallel
Applications built on outdated libraries, deprecated frameworks, unpatched dependencies. These "legacy parts" are stitched together without security audits, creating systems where any component's vulnerability becomes the whole application's vulnerability. Like the creature itself, these "Frankenstein" applications are unstable assemblages of parts that were never meant to work together.
Key insight: Stitching together parts without auditing their security creates monsters.
A07: Identification and Authentication Failures
Frankenstein Mapping: The creature lacks identity, is misrecognized, and is denied access
Editorial Compression: "No credentials, no recognition, no rights."
The Narrative
The creature has no legitimate identity. No birth certificate, no name, no social recognition. He cannot authenticate his existence or authorize his presence in society. Every attempt to gain access (to community, to family, to Victor himself) fails because he cannot prove who he is or establish his right to exist. This identity failure drives much of his rage and destructive behavior.
The Security Parallel
Authentication failures occur when systems cannot reliably verify identity or when users lack proper credentials. Like the creature, requests that cannot prove who they are should be denied; when verification is unreliable, the outcome is either lockout (legitimate users blocked) or catastrophic bypass (attackers impersonating legitimate users). Without proper identity management, the system cannot distinguish friend from foe.
Key insight: Without credentials, without recognition, without authentication—no rights, no access, no trust.
A08: Software and Data Integrity Failures
Frankenstein Mapping: Victor's data (notes, research) is corrupted or stolen
Editorial Compression: "Integrity decays when authorship is abandoned."
The Narrative
Victor abandons his creation and his research. His notes are left unprotected, his research integrity compromised. The creature reads and interprets Victor's journals—data corruption through unauthorized access and interpretation. The original intent of Victor's research (scientific advancement) is corrupted into the creature's understanding (rejection and abandonment). Data integrity fails when the creator abandons responsibility for what he's created.
The Security Parallel
Software supply chain attacks, compromised dependencies, unsigned code, tampered data. When developers don't maintain integrity checks, don't sign their work, don't verify dependencies, the integrity of the entire system decays. Like Victor's abandoned research, code without integrity verification can be read, modified, and weaponized by anyone who accesses it.
Key insight: Abandoning your creation means abandoning its integrity. Both decay without oversight.
A09: Security Logging and Monitoring Failures
Frankenstein Mapping: No one tracks the creature's movements or Victor's experiments
Editorial Compression: "No logs, no alerts, no accountability."
The Narrative
No one monitors Victor's laboratory experiments. No one tracks the creature's movements until after murders occur. There are no logs of who accessed the lab, no alerts when the creature escapes, no monitoring of either Victor's or the creature's actions. By the time anyone notices problems, multiple people are dead. The lack of visibility enables escalating catastrophe.
The Security Parallel
Security without logging and monitoring means breaches go undetected for months. Like Victor's unmonitored experiments, attacks proceed unnoticed until damage is catastrophic. No logs means no forensic reconstruction. No alerts means no incident response. No monitoring means no accountability—attackers operate freely because no one's watching.
Key insight: If you're not watching, you won't see the attack until it's too late.
A10: Server-Side Request Forgery (SSRF)
Frankenstein Mapping: The creature acts as a proxy for Victor's forbidden requests
Editorial Compression: "Requests rerouted through unintended agents."
The Narrative
The creature becomes a proxy for Victor's forbidden desires—the ambition to transcend natural boundaries, to achieve what should remain impossible. Victor makes requests (creates life) that nature should refuse, but routes them through an intermediary (the creature) that has capabilities Victor lacks. The creature acts with authority (physical power, persistence) that Victor intended to control but cannot. Requests are rerouted through an unintended agent with unintended consequences.
The Security Parallel
SSRF attacks trick servers into making requests they shouldn't. The server becomes an unwitting proxy with authority (trusted network position, API access) that attackers exploit to reach resources that should be forbidden. Like Victor's creature, the server makes requests with capabilities the attacker lacks directly, routing forbidden requests through a trusted intermediary.
Key insight: When requests route through unintended proxies, authority is exploited and boundaries are bypassed.
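The defensive side of the SSRF parallel above is an egress gate: the server checks where a user-supplied URL would send it before acting as a proxy. The following is an added example, not code from the original article; the allowlisted hosts are constructed sample values and the function name is hypothetical.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample allowlist: the only hosts this service may fetch on a user's behalf.
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}


def _is_forbidden_address(host: str) -> bool:
    """True when `host` is an IP literal in a range the server must never proxy to."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # Not an IP literal; hostnames are handled by the allowlist.
    return (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def gate_outbound_url(url: str) -> tuple[bool, str]:
    """Decide whether the server may fetch `url` for a caller.

    Returns (allowed, reason). The checks run in order: scheme, presence of a
    host, embedded credentials, forbidden address ranges, then the allowlist,
    which is the final backstop for anything the earlier checks did not cover.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme '{parsed.scheme}' not permitted"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL not permitted"
    if _is_forbidden_address(host):
        return False, f"destination {host} is an internal or loopback address"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host} not in allowlist"
    return True, "ok"
```

In a real deployment the HTTP client should also resolve the allowlisted hostname and re-check the resolved address, and should not follow redirects automatically, since either path can reroute the request after this gate has passed.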
The Complete OWASP-Frankenstein Mapping
| OWASP Category | Frankenstein Mapping | Editorial Compression |
|---|---|---|
| A01: Broken Access Control | The creature escapes the boundaries Victor intended | "You built it, but you never gated it." |
| A02: Cryptographic Failures | Victor's secrets are exposed; no protection for sensitive knowledge | "No cipher guards the forbidden spark." |
| A03: Injection | Victor's ambition injects unchecked logic into nature's system | "Unvalidated ambition corrupts the host." |
| A04: Insecure Design | The creature was architected without ethical safeguards | "Design without refusal births chaos." |
| A05: Security Misconfiguration | Victor fails to secure his lab, his journals, his legacy | "Misconfigured genius leaks threat vectors." |
| A06: Vulnerable and Outdated Components | Victor uses outdated anatomical knowledge | "Legacy parts, stitched without audit." |
| A07: Identification and Authentication Failures | The creature lacks identity, is misrecognized, and is denied access | "No credentials, no recognition, no rights." |
| A08: Software and Data Integrity Failures | Victor's data (notes, research) is corrupted or stolen | "Integrity decays when authorship is abandoned." |
| A09: Security Logging and Monitoring Failures | No one tracks the creature's movements or Victor's experiments | "No logs, no alerts, no accountability." |
| A10: Server-Side Request Forgery (SSRF) | The creature acts as a proxy for Victor's forbidden requests | "Requests rerouted through unintended agents." |
Using This Framework
For Education
Single vulnerability teaching: Use one Frankenstein mapping to introduce an OWASP category, then teach technical details.
Complete OWASP coverage: Teach all ten vulnerabilities through Frankenstein's narrative arc, showing how security failures interconnect.
Pattern recognition: The editorial compressions serve as memory anchors—students remember "You built it, but you never gated it" more easily than "A01: Broken Access Control" definitions.
For Assessment
Use the Frankenstein framework diagnostically:
- "Are you building without gating?" → Audit access controls
- "Is your genius misconfigured?" → Review security configurations
- "Are you stitching legacy parts?" → Audit dependencies
- "Are you watching?" → Review logging and monitoring
For Communication
The editorial compressions translate technical vulnerabilities for non-technical stakeholders:
- Executives understand "Design without refusal births chaos"
- Boards grasp "Misconfigured genius leaks threat vectors"
- Developers remember "Unvalidated ambition corrupts the host"
Why Frankenstein?
Universal Recognition
Mary Shelley's novel is taught globally. The story transcends cultures. Nearly everyone knows Victor and his creature, making the framework immediately accessible across languages and contexts.
Thematic Precision
Frankenstein isn't just metaphorically similar to security failures—it IS a security failure story. Victor's tragedy stems from the same causes as modern breaches: building powerful systems without control, oversight, or responsibility.
Narrative Coherence
Unlike teaching ten disconnected vulnerabilities, Frankenstein provides a single narrative showing how security failures interconnect and cascade. Victor's failures aren't isolated—each enables the next, just as real-world vulnerabilities chain together in attack paths.
Emotional Resonance
The tragedy of Frankenstein aids memory retention. Students remember Victor's failures because they're embedded in emotional narrative, not dry technical documentation.
Conclusion: The Monster Is The System
Frankenstein's creature isn't the monster—the system that created him is. Victor's failures of responsibility, oversight, and security are the true horror. The creature's suffering and society's destruction both stem from creation without control.
Modern applications are our creatures. We bring them to life, release them into the world, and often abandon responsibility for their security. Like Victor, we're shocked when our creations cause harm—but the failure is ours, not theirs.
Protection starts with recognition.
If you can recognize Victor's pattern in your development practices—building without gating, misconfigured genius, legacy parts stitched without audit—you can intervene before tragedy strikes.
Frankenstein isn't a cautionary tale from 1818.
It's a mirror showing us today's security failures.
The monster was never the creature.
The monster is the system we built without security.
About the Framework
This framework is part of the Cybersecurity Witwear project—teaching security through visual mythology. The Myth-Tech Security Education approach uses culturally universal stories to encode technical concepts for pattern recognition and memory retention.
Framework: Myth-Tech Security Education
Author: Narnaiezzsshaa Truong
Published: October 26, 2025
For more frameworks and educational resources:
Copyright Notice
Article text © 2025 Narnaiezzsshaa Truong.
Visual frameworks © 2025 Narnaiezzsshaa Truong.
Cover image © 2025 Narnaiezzsshaa Truong.
All rights reserved.
Visual frameworks available for educational use with attribution.
For commercial licensing inquiries, contact www.linkedin.com/in/narnaiezzsshaa-truong