The OWASP Top 10, the benchmark list of the most critical web application security risks, is back for its 8th edition, and the 2025 update tells a story: the fundamentals still matter, but the ecosystem has changed.
Broken Access Control once again takes the top spot. It’s the flaw behind countless breaches: users seeing or doing things they shouldn’t. Nearly 4% of tested applications had at least one such weakness.
Security Misconfiguration jumps from #5 to #2, reflecting how modern apps increasingly rely on complex configurations that can be easily mismanaged. A single toggle or default left open can expose entire systems.
New at #3 is Software Supply Chain Failures, an expanded category recognizing how dependencies, build systems, and distribution pipelines have become prime attack targets. This shift mirrors a broader industry reckoning: attackers now exploit the links between software, not just the code itself.
Cryptographic Failures (#4) and Injection (#5) both slide slightly but remain ever-present. Weak encryption, improper key handling, and classic injection flaws like SQLi and XSS still plague even mature organizations.
Insecure Design (#6) shows modest improvement, a sign that secure-by-design practices and threat modeling are gaining traction. Authentication Failures (#7) holds steady, helped by broader adoption of standard frameworks.
At #8, Software or Data Integrity Failures focus on the trust boundaries within systems, subtle weaknesses that can allow tampering or manipulation. Logging & Alerting Failures stay at #9, a reminder that visibility without timely action is meaningless.
Finally, a newcomer: Mishandling of Exceptional Conditions (#10). This category captures what happens when software behaves unpredictably under stress, from poor error handling to logic breakdowns. It’s a subtle but growing area of risk, especially as systems become more interconnected and AI-driven.
Focusing on Prevalence, Not Frequency
Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, calls the OWASP Top 10 “data-informed,” as it combines contributed testing data with insights from a community survey from application security and development professionals.
“For 2025, OWASP removed CWE restrictions present in 2021, focusing on prevalence instead of frequency. For example, whether a CWE appears four (4) or 4,000 times in the same application does not impact its ranking,” she adds.
The 2025 edition analyzed more than 2.8 million applications and included 589 CWEs, up from approximately 400 in 2021 and just 30 in 2017. The ranking changes reflect:
- Security Misconfigurations rose due to their presence in 3.00% of tested applications and due to the increasing reliance on configuration-driven behavior
- Authentication Failures saw improvement, likely due to broader adoption of standardized frameworks
- Supply Chain Failures was overwhelmingly voted a top concern in the community survey, with OWASP explicitly calling out malware in software ecosystems, including malicious packages, compromised maintainers, and tampered build processes
Methodological Changes
Constantine adds that the current OWASP Top 10 categories emphasize root cause (such as Misconfiguration) over symptoms (like Sensitive Data Exposure). Each category includes an average of 25 CWEs, with a cap of 40 CWEs per category. “In the 2025 edition, the total number of CWEs mapped across the Top 10 categories increased to 248, reflecting the growing complexity and diversity of application security risks.”
Cybersecurity Impact: Systemic vs. Isolated Threats
According to her, the OWASP Top 10 2025 shifts focus from isolated code flaws to systemic weaknesses that span the entire software development lifecycle. This broader perspective is evident in the emphasis on supply chain security and application resilience:
- Expanded attack surface: The supply chain is a critical perimeter, with attacks originating on developer workstations and propagating through CI/CD pipelines, containers, and cloud environments, making early-stage defenses essential
- Resilience: The concept of resilience in application security has evolved. Modern applications must be designed to gracefully handle stress, failures and edge cases. A lack of resilience can lead to serious consequences, including data corruption, security control bypasses, and cascading system failures. While resilience was considered for inclusion in the OWASP Top 10 2025, it was not included in the final list of categories. OWASP has acknowledged its importance by publishing a Next Steps document, outlining resilience and other emerging concerns that organizations should address to mature their application security programs. This forward-looking guidance encourages teams to go beyond the Top 10 and proactively tackle systemic risks that may not yet be fully represented in testing data.
- Increasing configuration complexity: The rise of Security Misconfiguration to spot #2 highlights the complexity of managing modern application architectures. Cloud services, containers, and infrastructure-as-code introduce complexity that, if mismanaged, can expose an organization to critical vulnerabilities.
AI-Related Impacts to OWASP Top 10 2025
“The OWASP Top 10 for 2025 does not include any AI-specific vulnerabilities,” Constantine continues. “Instead, OWASP developed dedicated frameworks to address risks unique to artificial intelligence systems. These include the OWASP Top 10 for LLM Applications which has grown in 2025 to the comprehensive OWASP GenAI Security Project and the OWASP Top 10 for Machine Learning, which cover threats such as prompt injection, model poisoning, and system prompt leakage.”
While AI continues to influence many areas of technology, Constantine says its specific security challenges are being addressed separately to ensure targeted and effective guidance. “This separation allows the OWASP Top 10 to maintain its relevance and clarity for web application developers and security professionals.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.