OWASP Top 10 2025: What Changed, What Moved, and What to Do About It

John & Rocky Giglio | Mar 16, 2026

Security Bros - Episode 5 - OWASP Top 10 2025: What Changed, What Moved, and What to Do About It

Watch Now on YouTube

The OWASP Top 10 2025 dropped late last year, and a few things stand out immediately. Some of the shifts confirm what security teams have been dealing with on the ground. Others reveal how much the conversation around application security has matured – and how much further it still has to go.

If you’ve used OWASP as a benchmark without spending time on how the list is actually built, this breakdown will change how you read it.

What Is OWASP and Who Builds the Top 10?

OWASP stands for the Open Worldwide Application Security Project. It’s a community-driven organization focused on making software more secure. Anyone can contribute. There’s no cost to use its resources.

Every few years, the community publishes a new Top 10 – a list of the most critical security risks in web applications. The 2025 edition follows the 2021 release, which means four years of data and community feedback went into the update.

The list isn’t arbitrary. Eight of the ten categories come from data: roughly 2.8 million applications were submitted by contributing organizations for this edition’s dataset. Those applications were analyzed for the presence of CWEs – Common Weakness Enumerations, a categorized taxonomy of software weaknesses maintained by MITRE. There are over 900 entries in it right now, covering everything from memory management issues to authentication flaws.

What separates a weakness from a vulnerability? Context. A CWE describes a class of flaw that can be present in code without being reachable or exploitable in that particular application; a vulnerability is a weakness an attacker can actually exploit. OWASP ranks categories by combining how widely their CWEs occur across the submitted applications with average exploitability and impact scores, which come from the CVSS data on the CVEs mapped to those CWEs. OWASP uses both CVSS v2 and v3 in its formula. Version 4 isn’t included yet.
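To make the data side concrete, here is an added example (ours, not OWASP’s code or data) of how a dataset of per-application CWE findings turns into per-category factors. The applications, the CWE-to-category mapping and the exploit/impact numbers are all constructed for illustration; the official mapping and formula have more factors. The point it shows is how OWASP counts: by incidence rate, the share of applications with at least one instance of a CWE, so one noisy application with hundreds of findings of the same weakness counts once.

```python
"""Simplified model of the OWASP Top 10 data analysis (illustration only).

Constructed example. Not OWASP's code, data, or exact formula: the real
methodology uses more per-category factors and real CVSS-derived scores.
Key idea: rank by *incidence rate* (apps with >=1 instance of a CWE),
not by raw finding counts, so tool noise cannot dominate the ranking.
"""
from collections import defaultdict

# Constructed sample dataset: app id -> CWE ids reported by testing.
FINDINGS = {
    "app-1": ["CWE-284", "CWE-284", "CWE-284", "CWE-79"],
    "app-2": ["CWE-16", "CWE-284"],
    "app-3": ["CWE-16"],
    "app-4": ["CWE-79", "CWE-89", "CWE-16"],
    "app-5": ["CWE-1104"],
    "app-6": [],
}

# Constructed, incomplete CWE -> category assignment (assumed for the
# example; not the official OWASP mapping).
CATEGORY_OF = {
    "CWE-284": "Broken Access Control",
    "CWE-16": "Security Misconfiguration",
    "CWE-1104": "Software Supply Chain Failures",
    "CWE-79": "Injection",
    "CWE-89": "Injection",
}

# Constructed (exploitability, impact) averages on a 0-10 scale, standing
# in for the CVSS-derived averages OWASP computes from mapped CVEs.
EXPLOIT_IMPACT = {
    "CWE-284": (6.9, 5.9),
    "CWE-16": (8.1, 6.5),
    "CWE-1104": (5.0, 7.3),
    "CWE-79": (8.3, 4.2),
    "CWE-89": (8.0, 7.5),
}


def raw_occurrences(findings):
    """Total findings per CWE: the number that does NOT drive the ranking."""
    counts = defaultdict(int)
    for cwes in findings.values():
        for cwe in cwes:
            counts[cwe] += 1
    return dict(counts)


def incidence_rates(findings):
    """Percent of applications with at least one instance of each CWE.

    set() collapses repeated findings within one app to a single hit.
    """
    total_apps = len(findings)
    apps_with_cwe = defaultdict(int)
    for cwes in findings.values():
        for cwe in set(cwes):
            apps_with_cwe[cwe] += 1
    return {cwe: 100.0 * n / total_apps for cwe, n in apps_with_cwe.items()}


def category_table(findings, category_of, scores):
    """Aggregate per-CWE incidence into per-category factors."""
    rates = incidence_rates(findings)
    table = defaultdict(lambda: {"cwes": [], "max_incidence": 0.0,
                                 "avg_incidence": 0.0,
                                 "avg_exploit": 0.0, "avg_impact": 0.0})
    for cwe, rate in rates.items():
        cat = category_of.get(cwe)
        if cat is None:
            continue  # CWE not mapped to any category: ignored
        table[cat]["cwes"].append(cwe)
        table[cat]["max_incidence"] = max(table[cat]["max_incidence"], rate)
    for row in table.values():
        cwes = row["cwes"]
        row["avg_incidence"] = sum(rates[c] for c in cwes) / len(cwes)
        row["avg_exploit"] = sum(scores[c][0] for c in cwes) / len(cwes)
        row["avg_impact"] = sum(scores[c][1] for c in cwes) / len(cwes)
    return dict(table)


def rank_categories(findings, category_of, scores):
    """Order categories by max incidence, then average incidence."""
    table = category_table(findings, category_of, scores)
    return sorted(table, key=lambda c: (table[c]["max_incidence"],
                                        table[c]["avg_incidence"]),
                  reverse=True)


if __name__ == "__main__":
    print("raw CWE-284 findings:", raw_occurrences(FINDINGS)["CWE-284"])
    print("CWE-284 incidence %:", round(incidence_rates(FINDINGS)["CWE-284"], 1))
    for i, cat in enumerate(rank_categories(FINDINGS, CATEGORY_OF, EXPLOIT_IMPACT), 1):
        print(f"#{i} {cat}")
```

In the constructed data, CWE-284 is reported four times but lands in only two of six applications, so its incidence rate (33%) is what the ranking sees, not the count of four.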

Two Spots the Community Controls

Most people don’t know this: two of the Top 10 slots are reserved for community votes, not data.

Eight categories come from the raw statistical analysis. The other two come from practitioners – pen testers, security engineers, and contributors – who vote on what they’re seeing in the real world that automated scans haven’t caught yet.

This year, Software Supply Chain Failures came from that community vote. It didn’t cross the data threshold, but security practitioners have been watching supply chain risk grow for years. The community flagged it, and it landed at #3.

That matters. It means the OWASP Top 10 is partly empirical and partly expert intuition. Both views inform the final list, which makes it more useful than a purely automated output – and explains why two categories can feel different in character from the rest.

What Changed Between 2021 and 2025

The headline moves: Security Misconfiguration jumped from #5 to #2, and Software Supply Chain Failures (which replaces and broadens 2021’s Vulnerable and Outdated Components) joined it in the top 3.

Broken Access Control stays at #1. It has held that position since 2021, and across 40 mapped weaknesses, it shows up in more applications than anything else on the list.

Below the top 3, Cryptographic Failures, Injection, and Insecure Design each dropped two spots, to #4, #5, and #6. That’s not a warning sign – it’s progress, with one caveat: the ranking is relative. A category drops when its weaknesses appeared in a smaller share of the dataset than the categories now above it, not because they became rare. Injection and cryptographic failures are still in the Top 10; the industry is getting better at them, not done with them.

Insecure Design moved down to #6. That shift reflects a real improvement: more teams are factoring security into their design process rather than adding it on at the end. The trend is real, but it’s fragile. If teams stop paying attention because the ranking dropped, it will climb again.

Authentication Failures (renamed from Identification and Authentication Failures) sits at #7, the same position it held in 2021. Widespread adoption of third-party authentication libraries and cloud-provider identity services has reduced how often teams build their own auth from scratch. Fewer teams rolling their own authentication means fewer of those weaknesses in the wild.

Server-Side Request Forgery (SSRF), which had its own slot in 2021, was folded into the Broken Access Control category this year. The new #10 is Mishandling of Exceptional Conditions – a new entry covering how applications behave when something goes wrong: unchecked return values, exceptions that are swallowed or fail open, and error paths that leak internal detail or leave state half-updated.
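The most dangerous shape of that category is the fail-open handler: the happy path is right, but the catch-all branch grants access on any error. Here is an added example (ours, not from the OWASP document) showing that bug next to the fail-closed version. The token format, the Session type, the _audit helper and the sample tokens are constructed for the demo; a real token would also be signature-checked.

```python
"""Fail-open versus fail-closed exception handling in an authorization check.

Constructed example, not OWASP's or the page's code. The token format
(base64 of a JSON object), Session, _audit and make_token are all
assumptions for the demo.
"""
import base64
import json
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str


def parse_token(token: str) -> Session:
    """Decode a constructed 'base64(json)' session token.

    Raises on any malformed input: binascii.Error (a ValueError) for bad
    base64, json.JSONDecodeError (a ValueError) for bad JSON, KeyError for
    a missing field, TypeError if the JSON is not an object.
    """
    payload = json.loads(base64.b64decode(token, validate=True))
    return Session(user=payload["user"], role=payload["role"])


def is_admin_fail_open(token: str) -> bool:
    """VULNERABLE: a catch-all turns every parsing error into 'allow'.

    This is how the bug usually looks in the wild: the author wanted
    "don't crash on bad input" and picked a default that grants access.
    """
    try:
        return parse_token(token).role == "admin"
    except Exception:
        return True          # garbage input is now treated as an admin


def is_admin_fail_closed(token: str) -> bool:
    """Hardened: deny on any expected failure, log detail only server-side."""
    try:
        session = parse_token(token)
    except (ValueError, KeyError, TypeError) as exc:
        _audit("token rejected", reason=type(exc).__name__)
        return False         # the caller only learns 'denied'
    return session.role == "admin"


def _audit(event: str, **fields) -> None:
    """Stand-in for structured security logging (constructed helper)."""
    print(json.dumps({"event": event, **fields}))


def make_token(user: str, role: str) -> str:
    """Build a constructed demo token (no signature; illustration only)."""
    body = json.dumps({"user": user, "role": role}).encode()
    return base64.b64encode(body).decode()


if __name__ == "__main__":
    admin, user, garbage = make_token("alice", "admin"), make_token("bob", "user"), "not-a-token!!"
    print("fail-open  :", [is_admin_fail_open(t) for t in (admin, user, garbage)])
    print("fail-closed:", [is_admin_fail_closed(t) for t in (admin, user, garbage)])
```

The hardened version also names the exceptions it expects; anything else still propagates, which is the behaviour you want when the error is a genuine bug rather than bad input.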

A Closer Look at the Top 3

Broken Access Control (#1) covers 40 weaknesses related to how applications enforce restrictions on what users can do: a user reading another user’s record by changing an identifier in the request, a regular user reaching an admin function, open storage buckets, misconfigured ACLs, improperly scoped permissions. These failures keep showing up at scale because access control is hard to design well and easy to break as systems evolve.
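The two application-side failures in that list, reading someone else’s record and reaching an admin-only function, are easiest to see in code. This added example (ours, not OWASP’s) shows each vulnerable handler beside its enforced counterpart; the in-memory invoice table, the Request type and the record ids are constructed for the demo.

```python
"""Object-level and function-level access control: vulnerable vs enforced.

Constructed example, not from the page or OWASP. INVOICES, Request and the
ids are assumptions for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user_id: str
    role: str        # "user" or "admin"


class Forbidden(Exception):
    pass


# Constructed data: invoice id -> (owner, content)
INVOICES = {
    "inv-1001": ("alice", "alice's invoice"),
    "inv-1002": ("bob", "bob's invoice"),
}


# --- Vulnerable: authenticated, but the client-supplied id is trusted -----

def get_invoice_vulnerable(req: Request, invoice_id: str) -> str:
    """Any logged-in user can read any invoice (IDOR, CWE-639 style)."""
    owner, body = INVOICES[invoice_id]
    return body              # owner is never compared with req.user_id


def delete_user_vulnerable(req: Request, target: str, users: set) -> None:
    """'Admin' operation with no role check; an unlisted URL is the only control."""
    users.discard(target)


# --- Hardened: deny by default, check ownership and role on the server ----

def get_invoice(req: Request, invoice_id: str) -> str:
    """Object-level check: record must belong to the caller, or caller is admin."""
    record = INVOICES.get(invoice_id)
    # Same failure for "does not exist" and "not yours": no id enumeration.
    if record is None or (record[0] != req.user_id and req.role != "admin"):
        raise Forbidden(invoice_id)
    return record[1]


def require_role(role: str):
    """Decorator enforcing function-level authorization on every call."""
    def wrap(fn):
        def inner(req: Request, *args, **kwargs):
            if req.role != role:
                raise Forbidden(fn.__name__)
            return fn(req, *args, **kwargs)
        return inner
    return wrap


@require_role("admin")
def delete_user(req: Request, target: str, users: set) -> None:
    users.discard(target)


def access_outcome(fn, *args) -> str:
    """Run a handler and report 'allowed' or 'denied' (for demos and tests)."""
    try:
        fn(*args)
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    bob, root = Request("bob", "user"), Request("root", "admin")
    print("bob reads alice (vulnerable):", access_outcome(get_invoice_vulnerable, bob, "inv-1001"))
    print("bob reads alice (enforced):  ", access_outcome(get_invoice, bob, "inv-1001"))
    print("bob deletes alice (enforced):", access_outcome(delete_user, bob, "alice", {"alice"}))
    print("root deletes alice:          ", access_outcome(delete_user, root, "alice", {"alice"}))
```

Note that the hardened read returns the same error for a missing record and for someone else’s record; distinguishing the two would let an attacker enumerate which ids exist.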

Security Misconfiguration (#2) is broad by design. Default credentials left in place, unnecessary features enabled, cloud configurations that expose more than intended – all of these fall here. The data says misconfiguration is still one of the most widespread issues in production software.

Software Supply Chain Failures (#3) covers risk introduced through third-party packages, open source dependencies, and external components, and, unlike the 2021 category it replaces, also the build and distribution pipeline that delivers them. Every library pulled into a project expands the attack surface. The community voted this into the Top 10 because practitioners see it regularly, even when automated scanning doesn’t catch it.
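The checks a CI step can make on a dependency manifest before a build is trusted are small and worth showing. This added example (ours, not OWASP’s or any scanner’s code) parses a pip requirements.txt-style manifest and flags unpinned versions, missing integrity hashes, and versions that fall inside a known-vulnerable range. The manifest text, the advisory ranges and the hash value are constructed for the demo and are not real advisories or real digests.

```python
"""Minimal dependency manifest check (constructed example, not a real scanner).

The manifest, the advisory ranges and the hash are all made up for the
demo. Checks: exact pin, --hash= integrity pin, and no pinned version in a
known-vulnerable range.
"""
import re

# Constructed manifest in pip requirements.txt syntax.
MANIFEST = """\
# constructed sample manifest
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=5.0
urllib3==1.26.5
"""

# Constructed advisory feed: package -> [(introduced, fixed)], versions in
# [introduced, fixed) are affected. Not real advisories.
ADVISORIES = {
    "urllib3": [("1.0", "1.26.18")],
    "pyyaml": [("0", "5.4")],
}

_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s*"
    r"(?P<op>==|>=|<=|~=|!=|>|<)?\s*"
    r"(?P<ver>[0-9][0-9A-Za-z.]*)?"
    r"(?P<rest>.*)$"
)


def _vtuple(version: str):
    """Compare versions numerically by dotted components (simplified PEP 440)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def vulnerable(name: str, version: str, advisories) -> bool:
    """True if version lies in any [introduced, fixed) range for the package."""
    for introduced, fixed in advisories.get(name.lower(), []):
        if _vtuple(introduced) <= _vtuple(version) < _vtuple(fixed):
            return True
    return False


def check_manifest(text: str, advisories):
    """Return a list of (package, problem) tuples; an empty list means clean."""
    problems = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            problems.append((line, "unparseable requirement"))
            continue
        name, op, ver, rest = m.group("name", "op", "ver", "rest")
        if op != "==" or not ver:
            problems.append((name, "not pinned to an exact version"))
            # A lower bound can still sit inside a vulnerable range.
            if ver and vulnerable(name, ver, advisories):
                problems.append((name, f"{ver} falls in a known-vulnerable range"))
            continue
        if "--hash=" not in rest:
            problems.append((name, "no --hash= integrity pin"))
        if vulnerable(name, ver, advisories):
            problems.append((name, f"{ver} falls in a known-vulnerable range"))
    return problems


if __name__ == "__main__":
    for package, problem in check_manifest(MANIFEST, ADVISORIES):
        print(f"{package}: {problem}")
```

Pinning and hashing answer "did I get the artifact I reviewed?"; the advisory check answers "is what I reviewed still safe?". The second question has to be re-asked after shipping, which is the point of the production-side monitoring discussed later in this post.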

These three share one thing: they’re all addressable through better design and better configuration practice. That’s also what makes them frustrating. These aren’t exotic vulnerabilities. They result from gaps in process.

What This Means If You Don’t Write Code

OWASP is built around application security, but that doesn’t make it irrelevant to infrastructure teams, security analysts, or IT managers who don’t ship code.

Every piece of software running in your environment was built by someone. The weaknesses on this list show up in off-the-shelf tools, cloud services, and SaaS platforms – not just custom applications. Misconfiguration happens in infrastructure as much as in code. Supply chain risk exists whether your team wrote the software or purchased it.

Security Logging and Alerting Failures (renamed from Security Logging and Monitoring Failures) sits at #9 on this list. From an application code perspective, that makes sense – logging is hard to get right in software and easy to deprioritize. From a security operations perspective, it should rank much higher: exploitation of almost every other category on the list is only detected in production through the logs and alerts this one asks for. That gap between perspectives is worth sitting with.

The Two-Sided Security Approach

Looking at the Top 10 as a whole, two questions stand out: how do you catch these things before they ship, and how do you find them after they’re in production?

The first question is about shifting left. Security testing, dependency scanning, and threat modeling during design and development catch weaknesses before they become vulnerabilities. Tools like CNAPP (Cloud Native Application Protection Platform) and CSPM (Cloud Security Posture Management) help here by flagging misconfigurations and supply chain risks in infrastructure-as-code and images before an application goes live.

The second question is about monitoring production. Configurations change. New vulnerabilities get disclosed for components that were clean when you shipped. Someone adjusts permissions on a storage bucket to troubleshoot a problem and forgets to lock it back down. Catching these requires active monitoring on the right side of the pipeline.

Teams that handle both sides consistently tend to have smaller gaps. Shifting left without monitoring production, or monitoring production without securing the design, leaves half the problem unaddressed.
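The misconfiguration examples above (default credentials, unnecessary features, over-exposed storage) and the drift scenario just described can be covered by one check that runs on both sides of the pipeline. This added example (ours, not any vendor’s tool) audits a reviewed configuration in CI and a later snapshot of the live settings, then reports what drifted. The config shape, the field names and the values are constructed for the demo.

```python
"""One misconfiguration audit, run at review time and against live state.

Constructed example, not a real CSPM tool. The config dictionaries, the
field names and the placeholder password are assumptions for the demo.
"""

# Constructed: the configuration the team reviewed and deployed.
DEPLOYED = {
    "debug": False,
    "admin_password": "R3vIewed-Str0ng-Secret",   # constructed placeholder
    "bucket_acl": "private",
    "directory_listing": False,
    "allowed_hosts": ["app.example.internal"],
}

# Constructed: a later snapshot of the live service, after someone opened
# the bucket "temporarily" to troubleshoot and turned debug on.
LIVE_SNAPSHOT = {
    "debug": True,
    "admin_password": "R3vIewed-Str0ng-Secret",
    "bucket_acl": "public-read",
    "directory_listing": False,
    "allowed_hosts": ["app.example.internal", "*"],
}

DEFAULT_CREDENTIALS = {"admin", "password", "changeme", "root"}


def audit(config) -> list:
    """Return findings for one config snapshot; an empty list passes."""
    findings = []
    if config.get("debug"):
        findings.append("debug mode enabled")
    if config.get("admin_password", "").lower() in DEFAULT_CREDENTIALS:
        findings.append("default or well-known admin password")
    if config.get("bucket_acl") != "private":
        findings.append(f"storage bucket ACL is {config.get('bucket_acl')!r}")
    if config.get("directory_listing"):
        findings.append("directory listing enabled")
    if "*" in config.get("allowed_hosts", []):
        findings.append("wildcard in allowed_hosts")
    return findings


def drift(baseline, live) -> dict:
    """Keys whose live value differs from the reviewed baseline: {key: (was, now)}."""
    return {k: (baseline.get(k), live.get(k))
            for k in sorted(set(baseline) | set(live))
            if baseline.get(k) != live.get(k)}


if __name__ == "__main__":
    print("CI audit of reviewed config:", audit(DEPLOYED) or "clean")
    print("audit of live snapshot:     ", audit(LIVE_SNAPSHOT))
    for key, (was, now) in drift(DEPLOYED, LIVE_SNAPSHOT).items():
        print(f"drift: {key}: {was!r} -> {now!r}")
```

The same audit() passing in CI and failing against the live snapshot is the gap the two-sided approach is meant to close: the design was fine, and production still drifted away from it.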

FAQ

How often does OWASP update the Top 10?

Roughly every three to four years: 2017, 2021, and now 2025. The 2025 release came in late 2025.

What’s the difference between a CWE and a CVE?

A CWE (Common Weakness Enumeration) describes a class of weakness in software – an underlying issue that could be exploited. A CVE (Common Vulnerabilities and Exposures) identifies a specific, publicly known vulnerability in a specific product. CWEs are general; CVEs are specific instances.

Is OWASP Top 10 a security framework?

No. The OWASP Top 10 is an awareness document, not a comprehensive security framework or a verification standard; OWASP points teams that need a requirements checklist to its Application Security Verification Standard (ASVS). The Top 10 covers application security risks. Organizations that need broader coverage look to NIST or CIS Controls, which address policy, infrastructure, and operational security in addition to application risks.

What is broken access control?

Broken access control means an application doesn’t properly enforce restrictions on what users, authenticated or not, are allowed to do. A user who should only see their own data can access someone else’s. A regular user can reach admin functions. Storage that should be private is exposed publicly. It’s the most widespread weakness in the 2025 dataset.

Does Software Supply Chain Failures being a community pick make it less credible?

No. The community vote reflects what practitioners observe in the field, which data-driven scans sometimes miss. Supply chain risk is well-documented outside of OWASP. The community pick mechanism exists to surface emerging or underrepresented problems before the data catches up.

Like and Subscribe on your favorite app

You can subscribe on your favorite app. We are on Spotify, Apple Podcasts, and YouTube. We recommend YouTube, as we will have demos and such fairly regularly, so it will be the best place to consume the show. We will do our best to describe what we are doing or seeing, so if you are in the car you can keep your eyes on the road.

Regardless of where you tune in, don’t forget to like and subscribe!
