OWASP Top 10 (2025)
The OWASP Top 10 list, created by the Open Web Application Security Project (OWASP), highlights the most critical security risks for web applications. It is revised every few years to track changes in the threat landscape.
I previously wrote about the 2017 list, and then the 2021 list. Now that the 2025 update has been released, I wanted to review it and compare it with 2021.
Here are the top 10 risks from the 2025 list, ordered by most critical:
- Broken Access Control
- Security Misconfiguration
- Software Supply Chain Failures
- Cryptographic Failures
- Injection
- Insecure Design
- Authentication Failures
- Software or Data Integrity Failures
- Security Logging and Alerting Failures
- Mishandling of Exceptional Conditions
Key changes from 2021 to 2025
The 2025 update reflects the growing complexity of software development, including the rise of AI code tools. Several notable changes:
- Ranking shifts: Broken Access Control remains #1. Security Misconfiguration rose from #5 to #2. Cryptographic Failures fell from #2 to #4, Injection from #3 to #5, and Insecure Design from #4 to #6.
- Expanded scope: Software Supply Chain Failures (previously Vulnerable and Outdated Components at #6) moved up to #3. Its scope now includes the full software lifecycle: third-party code, tools, updates, builds, deploys, and even IDE risks. This category now spans many roles in large organisations, which should make it a critical concern for leaders.
- New categories: Mishandling of Exceptional Conditions is new at #10, focusing on improper error handling and logical errors. Server-Side Request Forgery (SSRF) has been consolidated into Broken Access Control.
- Renaming and refinements: Authentication Failures (previously Identification and Authentication Failures) and Security Logging and Alerting Failures (previously Security Logging and Monitoring Failures) were renamed for clarity.
Below is a brief summary of each 2025 category, noting its position and any changes from 2021, along with prevention tips.
Broken Access Control
2021 position: #1
Changes: Remains #1, with server-side request forgery (SSRF) consolidated into it.
Occurs when access controls are poorly enforced, allowing unauthorised access to data or functions.
Prevention: Apply strict authentication and authorisation checks on all endpoints. Use frameworks that handle access control securely. Ensure your AI tools are using secure access patterns.
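As an added illustration (not code from the post or from OWASP), here is an "object by id" lookup that trusts the id alone beside a version that checks ownership on every call; the invoice store, user names and ids are constructed for the demonstration.

```python
# Added example: an endpoint-style lookup without and with an object-level
# authorisation check. Data, users and ids are constructed, not real.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 900),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def get_invoice_broken(current_user: str, invoice_id: int) -> Invoice:
    """Vulnerable: looks up by id only, so any signed-in user can read any invoice."""
    return INVOICES[invoice_id]


def get_invoice_checked(current_user: str, invoice_id: int) -> Invoice:
    """Hardened: authorisation is enforced on the object, not just the route.
    A missing object and a foreign object both yield Forbidden, so the response
    does not reveal which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != current_user:
        raise Forbidden(f"{current_user} may not access invoice {invoice_id}")
    return inv


def can_read(current_user: str, invoice_id: int) -> bool:
    """Boolean view of the hardened check, handy for tests and audits."""
    try:
        get_invoice_checked(current_user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("broken :", get_invoice_broken("bob", 1001).owner)   # alice (leak)
    print("checked:", can_read("bob", 1001), can_read("bob", 1002))  # False True
```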
Security Misconfiguration
2021 position: #5
Changes: Moved up to #2.
Misconfigurations in software, servers, or databases expose systems.
Prevention: Audit configurations regularly, disable unused features, and keep systems patched. With AI tools accelerating development, implement automated config validation and have your (human) engineers do thorough code reviews!
Software Supply Chain Failures
2021 position: #6 (as Vulnerable and Outdated Components)
Changes: Expanded scope, moved to #3.
Failures in verifying the integrity of software dependencies, builds, and distributions.
Prevention: Regularly scan and update components, verify integrity in CI/CD pipelines, and track dependencies. Leaders should govern AI-generated code and third-party tools.
Cryptographic Failures
2021 position: #2
Changes: Moved down to #4.
Weak encryption, poor key management, or use of unencrypted channels.
Prevention: Use strong encryption (when was the last time you reviewed your encryption algorithms?), enforce HTTPS, and avoid storing unnecessary sensitive data.
Injection
2021 position: #3
Changes: Moved down to #5.
Happens when untrusted data is sent to an interpreter without validation.
Prevention: Use parameterised queries, input validation, and sanitisation.
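To show why parameterisation matters, here is an added example (not from the post) that runs the same lookup as a string-formatted statement and as a bound-parameter query against a constructed in-memory SQLite table; a legitimate name containing an apostrophe is enough to show the interpreter parsing data as SQL.

```python
# Added example: string-formatted SQL beside a parameterised query.
# The table, rows and names are constructed for the demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")],
    )
    return conn


def find_email_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: untrusted text becomes part of the SQL statement itself."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str):
    """Run both variants; report the unsafe variant's error as text instead of raising."""
    conn = make_db()
    try:
        unsafe = find_email_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    return unsafe, find_email_safe(conn, name)


if __name__ == "__main__":
    # The apostrophe in O'Brien ends the string literal early in the concatenated
    # statement, so SQLite reports a syntax error; the bound version simply works.
    print(compare("alice"))
    print(compare("O'Brien"))
```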
Insecure Design
2021 position: #4
Changes: Moved down to #6.
Flaws in the design stage, such as missing threat modelling.
Prevention: Apply secure design principles, perform threat modelling, and use secure reference architectures.
Examples include:
- Secure design principles: Adopt principles like least privilege (granting minimal access needed) and defence in depth (multiple layers of security).
- Threat modelling: Use frameworks such as STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) or PASTA (Process for Attack Simulation and Threat Analysis) to identify and mitigate risks early.
- Secure reference architectures: Follow standards like OWASP's Application Security Verification Standard (ASVS) or NIST's Cybersecurity Framework (CSF) to guide secure system design.
Authentication Failures
2021 position: #7 (as Identification and Authentication Failures)
Changes: Renamed, remains #7.
Covers weak passwords, credential reuse, and session flaws.
Prevention: Use multi-factor authentication, enforce strong password policies, and rate-limit login attempts.
Software or Data Integrity Failures
2021 position: #8
Changes: Remains #8.
Failures to maintain trust boundaries and verify integrity of software and data.
Prevention: Validate data, apply integrity checks in deployment, and avoid untrusted deserialisation.
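As an added example (not from the post), data crossing a trust boundary is carried as JSON plus an HMAC-SHA256 tag, and the tag is verified before anything is parsed; the key, payload and the modified message are constructed, and the accepted format is deliberately JSON rather than a native-object format.

```python
# Added example: sign-then-verify envelope for data that crosses a trust boundary.
# Key, payload and the altered message are constructed for the demonstration.
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-do-not-reuse"


def sign(payload: dict, key: bytes) -> str:
    """Serialise deterministically and append a base64 HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def verify_and_load(token: str, key: bytes) -> dict:
    """Return the payload only if the tag matches; otherwise raise ValueError.
    compare_digest keeps the comparison constant-time."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(body)  # parse only after the integrity check passed


def is_accepted(token: str, key: bytes) -> bool:
    try:
        verify_and_load(token, key)
        return True
    except ValueError:
        return False


def altered_copy(token: str) -> str:
    """Constructed tampering: swap the body for a different value, keep the old tag."""
    _, tag_b64 = token.split(".", 1)
    new_body = base64.b64encode(b'{"role":"editor","user":"bob"}').decode()
    return new_body + "." + tag_b64


if __name__ == "__main__":
    tok = sign({"user": "bob", "role": "viewer"}, KEY)
    print(verify_and_load(tok, KEY))       # {'role': 'viewer', 'user': 'bob'}
    print(is_accepted(altered_copy(tok), KEY))  # False
```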
Security Logging and Alerting Failures
2021 position: #9 (as Security Logging and Monitoring Failures)
Changes: Renamed, remains #9.
Without logging and alerting, attacks may go undetected.
Prevention: Implement centralised logging, monitor for anomalies, and set up security alerts.
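Here is an added example (not from the post) of the kind of alert that centralised logging makes possible: a small detector reads authentication log lines, keeps a sliding window of failures per source address, and fires when a threshold is crossed; the log format, the sample lines and the thresholds are all constructed.

```python
# Added example: failed-login detection over constructed log lines.
# Format, addresses, users and thresholds are constructed, not from a real system.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO time> auth FAILURE|SUCCESS user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAILURE|SUCCESS) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2025-01-10T09:00:01 auth FAILURE user=alice src=203.0.113.7
2025-01-10T09:00:05 auth FAILURE user=bob src=203.0.113.7
2025-01-10T09:00:09 auth FAILURE user=carol src=203.0.113.7
2025-01-10T09:00:12 auth SUCCESS user=alice src=198.51.100.3
2025-01-10T09:00:14 auth FAILURE user=dave src=203.0.113.7
2025-01-10T09:00:20 auth FAILURE user=erin src=203.0.113.7
2025-01-10T09:30:00 auth FAILURE user=alice src=198.51.100.3
"""


def detect_failed_logins(log_text: str, threshold: int = 5,
                         window: timedelta = timedelta(minutes=1)) -> list:
    """Return one alert per source whose failures inside `window` reach `threshold`.
    Each alert is (source, failures_in_window, distinct_users_in_window)."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) still in window
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAILURE":
            continue  # malformed or successful lines carry no signal here
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        q = recent[src]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)  # alert once per source; a real system would re-arm later
            alerts.append((src, len(q), len({u for _, u in q})))
    return alerts


if __name__ == "__main__":
    for src, n, distinct in detect_failed_logins(SAMPLE_LOG):
        print(f"ALERT {src}: {n} failures across {distinct} accounts within 1 minute")
```

Counting distinct accounts per source alongside the raw failure count is what separates one user mistyping a password from a single address trying many accounts.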
Mishandling of Exceptional Conditions
2021 position: Not present
Changes: New in 2025.
Improper error handling, logical errors, and failing open under abnormal conditions.
Prevention: Implement robust error handling, validate inputs, and design for failure modes.
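As an added example (not from the post), here is a permission check that consults a policy lookup which may be unavailable: the first version swallows the error and permits the action (fails open), the second treats any abnormal condition as a denial and records it; the policy table and the outage are constructed.

```python
# Added example: fail-open versus fail-closed handling of an abnormal condition.
# The policy store, users, actions and the simulated outage are constructed.
import logging

log = logging.getLogger("authz")


class PolicyUnavailable(Exception):
    """Constructed stand-in for a timeout or connection error from a policy service."""


# Constructed policy: who may perform which action.
POLICY = {("alice", "delete"): True, ("bob", "delete"): False}


def lookup(user: str, action: str, service_up: bool = True) -> bool:
    if not service_up:
        raise PolicyUnavailable("policy service timed out")
    return POLICY.get((user, action), False)


def is_allowed_fail_open(user: str, action: str, service_up: bool = True) -> bool:
    """Vulnerable: an exception turns into a permit, so an outage switches authorisation off."""
    try:
        return lookup(user, action, service_up)
    except Exception:
        return True


def is_allowed_fail_closed(user: str, action: str, service_up: bool = True) -> bool:
    """Hardened: only an explicit True permits; errors deny and are logged for follow-up."""
    try:
        decision = lookup(user, action, service_up)
    except PolicyUnavailable as exc:
        log.error("authz lookup failed for %s/%s: %s", user, action, exc)
        return False
    return decision is True


if __name__ == "__main__":
    print(is_allowed_fail_open("bob", "delete", service_up=False))    # True (wrong)
    print(is_allowed_fail_closed("bob", "delete", service_up=False))  # False
    print(is_allowed_fail_closed("alice", "delete"))                  # True
```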
Closing thoughts
The OWASP Top 10 (2025) highlights the impact of modern development practices, including AI tools, on security risks. Software engineers must prioritise secure design, automated checks, and governance over AI-generated code to address rising issues like Broken Access Control and Security Misconfiguration. Software Supply Chain Failures now demands cross-team responsibility, from developers to DevOps.
For the full details, see the official OWASP Top 10 2025 list.