
The OWASP Top 10 is the most widely referenced framework in application security. Security teams use it to prioritise testing. Developers use it to understand risk. Compliance frameworks reference it. Procurement teams ask about it. If you build or secure web applications, the OWASP Top 10 shapes how the industry thinks about your risk.

The 2025 update reflects how the threat landscape has evolved — particularly the rise of AI-integrated applications, supply chain attacks, and the persistent, expensive failure of access control. Here is a practitioner's breakdown of what changed, what stayed, and what your team should be prioritising.

The OWASP Top 10 — 2025 Edition

A01: Broken Access Control (Stable #1)

Moved to #1 in 2021 and stays there. Access control failures allow users to act outside their intended permissions — accessing other users' data, performing privileged actions, or bypassing authorisation entirely. It is the most frequently found vulnerability in real-world applications and the most impactful when exploited. 94% of applications tested had some form of broken access control.
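An illustration of the failure and its fix, added here and not taken from the article: an authenticated "fetch invoice" handler that trusts the id in the request, beside one that makes an object-level, deny-by-default authorisation decision. The user model, invoice table and policy are constructed for the example.

```python
# Added example (not from the article): object-level authorisation for a
# "fetch invoice" operation. Data model and policy are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: float


# Constructed sample rows standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=7, total=120.0),
    1002: Invoice(1002, owner_id=8, total=980.0),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """Authenticated but never authorised: any logged-in user can read any
    invoice simply by changing the id in the request (an IDOR)."""
    return INVOICES[invoice_id]


def can_read_invoice(user: User, invoice: Invoice) -> bool:
    """Deny-by-default policy: only the owner or an admin may read."""
    if user.role == "admin":
        return True
    return invoice.owner_id == user.user_id


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Hardened handler: the decision is made server-side, on the specific
    object, from the caller's session identity rather than request input."""
    invoice = INVOICES.get(invoice_id)
    # Same error for "missing" and "forbidden", so the endpoint does not
    # reveal which invoice ids exist to a caller probing for them.
    if invoice is None or not can_read_invoice(user, invoice):
        raise Forbidden(f"invoice {invoice_id} not accessible")
    return invoice
```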

A02: Cryptographic Failures (Stable #2)

Formerly "Sensitive Data Exposure" — renamed to focus on root cause rather than symptom. Covers failures in encryption at rest and in transit, use of weak or outdated algorithms, poor key management, and transmitting sensitive data in clear text. Frequently enables data breaches that organisations do not detect for months.

A03: Injection (Down from #1)

SQL, NoSQL, OS, and LDAP injection — still critically dangerous but declining in prevalence as modern frameworks and parameterised queries become standard. XSS is now included in this category. Injection vulnerabilities remain a priority in older codebases and any application with direct database query construction.

A04: Insecure Design (2021 Addition)

A category addressing architectural and design-level failures — security flaws baked into how a system is conceived, not just how it is implemented. Calls for threat modelling, secure design patterns, and reference architectures as standard practice. Cannot be fixed by patching — requires design changes.

A05: Security Misconfiguration (Up)

Covers misconfigured cloud environments, unnecessary features enabled, default credentials, verbose error messages, and missing security hardening. With cloud adoption accelerating, misconfiguration has become one of the most impactful vulnerability classes — it is responsible for a significant proportion of major breaches. XXE (XML External Entities) is now included here.

A06: Vulnerable and Outdated Components (Stable)

Using components — libraries, frameworks, runtime environments — with known vulnerabilities. Log4Shell demonstrated the catastrophic potential of this category in 2021. Software composition analysis and a mature dependency management process are now standard security requirements, not optional practices.

A07: Identification and Authentication Failures (Stable)

Weak credential policies, missing MFA, insecure session management, credential stuffing vulnerabilities. Previously titled "Broken Authentication." Declined from #2 as standardised authentication frameworks (OAuth, OIDC) have improved baseline practices — but custom authentication implementations remain a consistent finding.

A08: Software and Data Integrity Failures (2021 Addition)

Covers assumptions about software updates, critical data, and CI/CD pipelines without verifying integrity. Includes insecure deserialization and supply chain attacks. The SolarWinds and XZ Utils attacks are real-world illustrations of the severity of this category. Applies to any application that auto-updates dependencies or consumes third-party data without verification.

A09: Security Logging and Monitoring Failures (Stable)

Without adequate logging, breaches go undetected. The average time to identify a breach remains over 200 days globally — logging failures are a primary reason. This category covers insufficient logging of security-relevant events, missing alerting, logs not monitored, and incident response plans that have never been tested.
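"Logs not monitored" and "missing alerting" are the detectable half of this category. As an added example (not from the article), here is alert logic run over constructed authentication log lines: it flags a source that fails against many distinct accounts inside a short window, the shape of a credential-stuffing run. The log format is invented for the example; real formats differ per product.

```python
# Added example (not from the article): alerting over authentication logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one burst from a single source, then two
# widely spaced failures from another that should not alert.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z auth result=fail user=alice src=198.51.100.7
2025-03-01T10:00:03Z auth result=fail user=bob src=198.51.100.7
2025-03-01T10:00:04Z auth result=fail user=carol src=198.51.100.7
2025-03-01T10:00:06Z auth result=fail user=dave src=198.51.100.7
2025-03-01T10:00:08Z auth result=fail user=erin src=198.51.100.7
2025-03-01T10:00:09Z auth result=ok user=frank src=198.51.100.7
2025-03-01T10:05:00Z auth result=fail user=alice src=192.0.2.9
2025-03-01T10:30:00Z auth result=fail user=alice src=192.0.2.9
"""


def parse_line(line: str) -> dict:
    """Parse '<timestamp> auth key=value ...' into a dict with a datetime."""
    ts, _, *kv = line.split()
    event = {k: v for k, v in (item.split("=", 1) for item in kv)}
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_credential_stuffing(log: str, threshold: int = 5,
                             window: timedelta = timedelta(minutes=1)) -> list:
    """Return (src, users, window_start) for each source that fails against
    at least `threshold` distinct accounts within `window`."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        ev = parse_line(line)
        if ev["result"] == "fail":
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0  # sliding window over this source's failures
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in events[start:end + 1]}
            if len(users) >= threshold:
                alerts.append((src, sorted(users), events[start]["ts"]))
                break  # one alert per source is enough to page on
    return alerts
```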

A10: Server-Side Request Forgery (SSRF) (Stable)

SSRF flaws allow attackers to induce the server to make requests to unintended locations — often used to access cloud metadata services, internal network resources, or other services not accessible externally. In cloud environments, SSRF is frequently used to retrieve IAM credentials from the instance metadata service, enabling full account compromise.
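A defensive check for the scenario above, added as an example and not part of the article: before the server fetches a user-supplied URL, validate the scheme, port and credentials, then judge the address the host resolves to, so that loopback, private and link-local ranges (which include the instance metadata address) are refused. It also unwraps IPv4-mapped IPv6 literals, a common bypass of naive filters. The resolver is injectable so the example runs offline; the hostnames and addresses in the test are constructed.

```python
# Added example (not from the article): validate an outbound URL before a
# server-side fetch. Deny by default; return the pinned IP to connect to.
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeURL(Exception):
    """Raised when the server must not fetch the given URL."""


def _resolve(host: str) -> list:
    """Default resolver; tests substitute a constructed one."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_outbound_url(url: str, resolver=_resolve) -> str:
    """Return the resolved IP the caller must connect to. Pinning that IP
    (rather than re-resolving at fetch time) closes the DNS-rebinding gap
    between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise UnsafeURL("missing host or embedded credentials")
    if parts.port not in (None, 80, 443):
        raise UnsafeURL(f"port not allowed: {parts.port}")
    # Literal IPs and resolved names are judged by the same rules.
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not addrs:
        raise UnsafeURL(f"{parts.hostname} does not resolve")
    for addr in addrs:
        # ::ffff:a.b.c.d is really an IPv4 target; judge the inner address.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        # Loopback, RFC1918/ULA, link-local (169.254.0.0/16 holds the
        # metadata service), multicast, reserved and unspecified are all
        # internal from the application's point of view.
        if addr.is_multicast or addr.is_reserved or not addr.is_global:
            raise UnsafeURL(f"{parts.hostname} resolves to non-public {addr}")
    return str(addrs[0])
```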

The Key Changes in 2025

AI-integrated application risks are now explicitly recognised

While the OWASP Top 10 itself does not yet include a dedicated AI category, the 2025 guidance explicitly acknowledges LLM-integrated applications as a distinct risk surface, with references to the OWASP LLM Top 10 for teams building AI-powered features. Prompt injection, insecure output handling, and excessive agency are highlighted as priorities for applications in this category. If your application integrates an LLM, the main OWASP Top 10 alone is insufficient — you need to assess against both frameworks.

Supply chain security elevated

A08 (Software and Data Integrity Failures) has received significantly more attention in 2025 guidance, driven by the increasing frequency and severity of supply chain attacks. The expectation is now that organisations have software bill of materials (SBOM) processes, integrity verification for third-party components, and CI/CD pipeline security reviews as standard practices — not aspirational ones.
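The "integrity verification for third-party components" expected here, and the unverified-update problem described under A08 above, come down to one control: refuse any artifact that has no pinned digest or whose digest does not match. This is an added example, not the article's or any tool's code; pins use the "<algo>:<hex>" form that lock files commonly store, and the artifact bytes in the test are constructed.

```python
# Added example (not from the article): fail-closed integrity verification
# of downloaded artifacts against pinned digests.
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when an artifact must not be used."""


def digest(data: bytes, algo: str = "sha256") -> str:
    """Return a pin of the form '<algo>:<hex>'. Only collision-resistant
    algorithms are accepted, so a pin downgraded to md5/sha1 is rejected
    rather than trusted."""
    if algo not in ("sha256", "sha512"):
        raise ValueError(f"algorithm not accepted for pins: {algo}")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def verify_artifact(name: str, data: bytes, pins: dict) -> bool:
    """Refuse any artifact that has no pin or whose digest differs."""
    pin = pins.get(name)
    if pin is None:
        raise IntegrityError(f"{name}: no pinned digest, refusing to install")
    algo, _, _ = pin.partition(":")
    try:
        actual = digest(data, algo)
    except ValueError as exc:
        raise IntegrityError(f"{name}: {exc}") from exc
    if not hmac.compare_digest(actual, pin):
        raise IntegrityError(f"{name}: digest mismatch, artifact altered "
                             "or substituted")
    return True


def verify_manifest(artifacts: dict, pins: dict) -> list:
    """Check a whole download set and return every failure message, so a
    pipeline can fail closed and report all problems in one run."""
    failures = []
    for name, data in artifacts.items():
        try:
            verify_artifact(name, data, pins)
        except IntegrityError as exc:
            failures.append(str(exc))
    return failures
```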

Misconfiguration remains stubbornly persistent

A05 has moved up the list. Despite years of awareness, misconfiguration remains one of the most common breach enablers — particularly in cloud environments. The 2025 update emphasises that with the scale and complexity of modern infrastructure, manual configuration review is insufficient. Automated, continuous misconfiguration detection is now the baseline expectation.

Prioritisation guidance: If you are starting an AppSec programme or running a limited assessment budget, focus on A01 (Broken Access Control), A02 (Cryptographic Failures), and A05 (Security Misconfiguration) first. These three account for the majority of real-world application breaches and are consistently underinvested in relative to their actual risk.

What This Means for Your Business

The OWASP Top 10 is not a compliance checkbox. It is a signal about where attackers are finding real success in real applications — derived from data across hundreds of thousands of applications. When Broken Access Control sits at number one for four years running, it means organisations are consistently failing to implement and enforce authorisation controls correctly. When misconfiguration keeps rising, it means infrastructure is being provisioned faster than security teams can review it.

For engineering leadership, the practical implication is straightforward: your highest-return investment in application security is not in new tooling or scanning software. It is in ensuring your development teams understand access control design, that your cloud environments have automated misconfiguration detection, and that your dependencies are tracked and updated.

For security teams, the 2025 OWASP Top 10 should drive your test plan. If your penetration test coverage does not address all ten categories in the context of your specific application architecture, you have gaps that a motivated attacker will find before you do.

How does your application stack up against the OWASP Top 10?

Our application security assessments test against the full OWASP Top 10 and beyond — with findings that are actionable, risk-ranked, and explained in plain language for both technical and non-technical stakeholders.
