OWASP released its updated Top 10 list of critical web application security risks. The November 6 publication shifts focus to systemic design weaknesses and software supply chain vulnerabilities. This marks the organization’s first major revision since 2021.
The new OWASP Top 10:2025 RC1 addresses the risks of complex software systems as a whole, moving beyond the patching of individual coding errors. OWASP compiled the list using extensive community feedback and an analysis of approximately 220,000 Common Vulnerabilities and Exposures (CVEs). Researchers mapped the CVEs to 589 Common Weakness Enumeration (CWE) identifiers, a significant increase from the 400 CWEs considered for the 2021 list. This methodology gives a deeper picture of where vulnerabilities originate.
“Software Supply Chain Failures” (A03:2025) is a new category covering the growing risks from third-party components and development pipelines. It consolidates and redefines elements that earlier lists covered separately, signaling a crucial concern for application developers and security teams. “Mishandling of Exceptional Conditions” (A10:2025) also emerges as a new category. It addresses vulnerabilities arising from improper error handling and unexpected system states.
“Broken Access Control” (A01:2025) remains the top application security risk, despite the new additions. It shows persistent prevalence and severe impact. Data shows 3.73% of tested applications, on average, still have at least one Broken Access Control vulnerability. Other critical categories include Security Misconfiguration, Cryptographic Failures, and Insecure Design.
The updated Top 10 requires security professionals to take a more integrated defense approach. Shane Barney, Chief Information Security Officer at Keeper Security, told Dark Reading, “The [2025 OWASP Top 10] highlights how far the industry has come in understanding the real nature of risk. It’s not just about patching bugs anymore. It’s about recognizing that vulnerabilities often stem from the complexity of our systems and the pace at which technology moves. Security teams are no longer chasing flaws; they’re managing the conditions that allow them to form in the first place.” Barney’s perspective emphasizes tightly interwoven application security, software supply chain oversight, and operational resilience.
The OWASP Top 10:2025 guides the industry to confront individual flaws and the systemic weaknesses that enable them.