The OWASP Foundation has been a guiding light for security professionals and enthusiasts alike, providing critical, practical advice on the most insidious software vulnerabilities across a plethora of categories and platforms. The 2025 edition is the first major update since 2021 to the flagship OWASP Top 10 Web Vulnerabilities list, and in that time, the industry has been rocked by a stampede of AI technology, tools, and code, each bringing both security efficiency and new risk to cybersecurity and software engineering professionals.
Despite this rapid advancement upending how many of us approach our jobs, it is fascinating to witness, yet again, that the more things change, the more they stay the same. Several vulnerability classes that were present in every prior list remain, such as injection flaws. This veritable cockroach of the security world refuses to die—for now—but prominent categories like Broken Access Control and Security Misconfiguration have toppled it from its long-held top spot over the past few years, as they represent areas of secure coding best practices that developers struggle to master.
A new category, Mishandling of Exceptional Conditions, claimed spot ten after Server-Side Request Forgery merged with Broken Access Control, indicating that these tricky, more complex bugs are increasingly common. 2021’s Vulnerable and Outdated Components has been expanded and renamed Software Supply Chain Failures, moved up to number three, and is now a category of deep concern as software dependencies, build systems, and distribution infrastructure stand as prominent points of exploitation, especially across the enterprise sector.
Proprietary AI agents and tools may promise seamless code, or indeed, flawless threat detection. Still, there is no substitute for the security-skilled “human in the loop” as we tackle a cybersecurity landscape that needs them more than ever. Smart enterprises recognize this, and together we must evolve how we manage and remediate these top ten vulnerability classes and beyond, with developers at the heart of the solution.
Securing the software supply chain in the era of rapid-fire risk
Software supply chain attacks are not new, but the increasing scope and potency of this attack class have made headlines in recent years. The overwhelming scope of the SolarWinds supply chain attack, and other incidents like the Colonial Pipeline breach, revealed to the world just how dangerous and disruptive they can be. OWASP has now given them a designated category, augmenting the previous one, Using Components with Known Vulnerabilities, to reflect all supply chain risks, not just those caused by known vulnerabilities. They also revealed that exactly 50% of respondents in their community survey ranked this category as their top concern.
Given that it is also the highest average incidence in OWASP’s latest contributed dataset, the security community is right to be alarmed. As explained in the chapter, supply chain vulnerabilities are difficult to identify in the first place, and risk mitigation involves organizations keeping meticulous, up-to-date records of each component, dependency, and configuration that are in use, and ensuring any patches and updates are applied as needed. Sadly, few companies boast this elite level of component management.
As developers write less code themselves, especially as AI tools rise to prominence in enterprise coding environments, the risk of software supply chain failures is set to increase significantly. It has never been more critical for security-skilled developers to test and oversee code, especially code generated by third-party apps and sources. Every developer must be brought on the journey as an integral part of the security program, put through the paces of meaningful learning pathways and upskilling, and ultimately verified as having the right skills to make trusted commits with trusted tools in their arsenal. Anything less is adding to the problem.
Mishandling of Exceptional Conditions: Representative of an expanding knowledge gap among developers
Developers and what is expected of them in their roles have been in flux for the past couple of years as every industry wrestles with everything from AI implementation to AI product creation, growing consumer expectations, and a fraught threat landscape that cannot be controlled without their help. Their KPIs and the job in general are getting more complex by the day.
Mishandling of Exceptional Conditions is a challenging symptom of this environment, because it is fundamentally interwoven with the increasing complexity of modern codebases and tech stacks. As systems grow in size and interact with numerous external services, frameworks, and asynchronous operations, the number of potential failure points, not to mention the error-handling logic required to address them, grows rapidly, often before security programs can adjust to accommodate them. With overstretched developers frequently focusing on the path of least resistance, this can lead to incomplete or inconsistent error-handling blocks that fail to cover edge cases, unexpected system states, or third-party library errors. This is especially true of developers with low security awareness, operating in environments where a security-first culture is nothing more than a seminar buzzword.
Modern security programs must identify and remediate not just vulnerabilities themselves, but also the knowledge gaps within the development cohort that lead to them in the first place. If developers lack knowledge of input validation, rate limiting, and general safe error-handling practices, this particular category represents a disaster waiting to happen in complex environments, and these engineers should be working on far less sensitive projects until this learning is completed and verified.
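The failure mode described above, as an added example that is not part of the original article: an authorization decision that depends on a third-party policy client, written first with a broad, fail-open exception handler and then in a fail-closed form that handles only the expected errors and logs them. The policy client, its behaviours, and all names here are constructed for illustration.

```python
import logging
from typing import Callable

log = logging.getLogger("authz")


class UpstreamError(Exception):
    """Constructed stand-in for whatever a third-party client raises on outage."""


def make_policy_client(behaviour: str) -> Callable[[str, str], bool]:
    """Constructed stand-in for an external authorization service client.

    behaviour selects a scenario: "ok", "timeout", "malformed" or "crash"."""
    def check(user: str, resource: str) -> bool:
        if behaviour == "timeout":
            raise UpstreamError("policy service timed out")
        if behaviour == "malformed":
            raise ValueError("unexpected response payload")
        if behaviour == "crash":
            raise RuntimeError("bug inside the client library")
        return user == "alice" and resource == "report-42"
    return check


def is_allowed_fail_open(check: Callable[[str, str], bool], user: str, resource: str) -> bool:
    """Vulnerable pattern: one catch-all block turns every failure into 'allowed'.

    An outage, a parser error or a bug in the dependency all grant access."""
    try:
        return check(user, resource)
    except Exception:
        return True


def is_allowed_fail_closed(check: Callable[[str, str], bool], user: str, resource: str) -> bool:
    """Hardened pattern: expected errors deny access and are logged for detection.

    Anything unexpected (here RuntimeError) propagates instead of being
    silently interpreted as a decision, so the request fails rather than
    succeeding on an unknown system state."""
    try:
        return bool(check(user, resource))
    except (UpstreamError, ValueError) as exc:
        log.warning("authz check failed for %s on %s: %s", user, resource, exc)
        return False


if __name__ == "__main__":
    outage = make_policy_client("timeout")
    print("fail-open during outage:", is_allowed_fail_open(outage, "mallory", "report-42"))
    print("fail-closed during outage:", is_allowed_fail_closed(outage, "mallory", "report-42"))
```

The logged warning is the detection hook: a spike of "authz check failed" entries is the signal that the dependency, not the policy, is deciding access.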
While the majority of the OWASP Top 10 2025 remains similar to the 2021 edition, the past five years have been a seismic shift in the way both security professionals and developers work. With a stark acceleration in code-level risk, CISOs must prioritize developer upskilling, observability, and ultimately, security governance to combat new and emerging threats.
Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects that have resulted in commercial products, and he holds over 10 patents. Away from his desk, Matias serves as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon. Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.