What’s new in the 2025 edition of the OWASP Top 10


On November 6th, the Open Worldwide Application Security Project announced the release candidate for the 2025 edition of their famous OWASP Top 10. In this post, we'll take you through the highlights of what's new in this edition. 


Keep in mind that the new edition is still a release candidate. We do not expect any major changes in the final version, but some of the details might still change before the final version is released. 

What is the OWASP Top 10? 

OWASP's Top 10 list of Web Application Security Risks is a list of the most critical security risks for web applications, based on data from a wide range of organisations and security experts. It serves as a guide for developers, security professionals, and organisations to prioritise their security efforts and has become the most well-known awareness document for web application security. 

Since its first release in 2003, the Top 10 has been regularly updated to reflect the evolving threat landscape. The previous edition was released in 2021, and now, in 2025, we have a new version that brings several changes and updates. 

So what's new? 

  1. The entry for "Server-Side Request Forgery" has been merged into "Broken Access Control". Broken Access Control remains at the top of the list as the number one most critical web application security risk.
  2. "Security Misconfiguration" moves up from position 5 to position 2, reflecting its continued prevalence and impact on web application security. For cloud and infrastructure security, this category is the number one risk due to leaked credentials, which is the top security misconfiguration.
  3. Previously at number 6, "Vulnerable and Outdated Components" has been moved up to number 3 and has been expanded and renamed to "Software Supply Chain Failures", reflecting the growing importance of supply chain security. Supply chain attacks are increasing in frequency and can be very costly. In OWASP's community survey, 50% of respondents ranked this risk at number one. Some well-known examples of supply chain attacks are the SolarWinds attack, Log4Shell, PhantomRaven, and XZ Utils.
  4. The return of an old friend: "Mishandling of Exceptional Conditions" comes in at number 10. This was originally part of the Top 10 in 2003 as "Error Handling Problems". Its return indicates a rise in applications that do not treat exceptional conditions with due care, leading to potential security vulnerabilities.
  5. "Security Logging and Monitoring Failures" has been renamed to "Logging & Alerting Failures", emphasizing the importance of not just logging security events but also generating actionable alerts.

There are several other changes in order and terminology; see the graphic below for the full list of changes:

What does this mean for you as a developer? 

  1. Broken Access Control is still the number one risk, so make sure to review your access control mechanisms and ensure that users can only access resources they are authorised to.
  2. Security Misconfiguration's rise to number 2 means that you should pay close attention to your hardening practices. Remember: most third-party or open-source software comes preconfigured to be useful for as many different types of users as possible. This means you cannot assume default settings are secure; it is still a DevOps team's responsibility to ensure proper hardening of your application, the components you use and the environment it runs in.
  3. Keeping track of vulnerable and outdated components is still important, but there's an added emphasis on monitoring your entire supply chain. Yes, you should keep your packages up to date when a new version comes out. But maybe not 5 minutes after that new version is released. The next Shai-Hulud is waiting in the sands...
  4. Exceptions are very useful for figuring out what went wrong. But most of the information in an exception message or stack trace should never end up on an end-user's screen. Always make sure you catch errors, log them to a centralised log aggregation tool (like Elastic or Splunk), and show the user a friendly message that doesn't leak sensitive information.
  5. Logging is great, but if you don't have any alerting in place, you might not even know when something bad is happening. Make sure your logging system can generate alerts for critical events, and that someone is monitoring those alerts. Essentially, there's no point in having an alarm if nobody's there to listen for it. It is also essential to log the right things so monitoring and alerting can be configured properly. It can be very useful to sit down with your security officer or a SOC analyst to ask them how useful your logs are for their monitoring efforts.
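Points 4 and 5 above (handle exceptions without leaking them to the user, and turn logs into alerts) are easiest to see side by side in code. The following Python is an added example written for this post, not code from OWASP or from the original article. It shows a "leaky" request handler that returns the raw exception to the client, a hardened handler that returns only a generic message plus a reference id while the full detail goes to a structured log, and a small alert rule that runs over those log records. The `process` function, the request dictionaries, the in-memory `ListHandler` (a stand-in for a shipper to Elastic, Splunk or similar) and the connection string in the error message are all constructed for the example.

```python
"""Added example: exception handling that keeps details off the user's screen,
plus an alert rule over the resulting structured log records."""
import json
import logging
import uuid
from collections import Counter
from datetime import datetime, timezone

# Stand-in for a central log aggregator: records are kept in memory so the
# example runs offline. In production this handler would ship to Elastic/Splunk.
LOG_RECORDS: list[dict] = []


class ListHandler(logging.Handler):
    """Collects each JSON log line as a dict instead of shipping it anywhere."""

    def emit(self, record):
        LOG_RECORDS.append(json.loads(record.getMessage()))


logger = logging.getLogger("app.errors")
logger.setLevel(logging.INFO)
logger.addHandler(ListHandler())
logger.propagate = False  # keep the root logger from also printing the records


def process(request):
    """Hypothetical business logic. Fails with an internal detail on one path."""
    if request.get("path") == "/boom":
        # Constructed error text; the kind of detail a driver might put in a message.
        raise RuntimeError("DB connect failed: postgres://app:s3cret@db.internal/prod")
    return "ok"


def leaky_handler(request):
    """The 'before': the exception's text (and whatever it contains) reaches the client."""
    try:
        return 200, process(request)
    except Exception as exc:
        return 500, f"Internal error: {exc!r}"


def safe_handler(request):
    """The 'after': generic message for the user, full detail in the central log.

    The reference id lets support correlate the user's report with the log
    record without exposing the record itself.
    """
    try:
        return 200, process(request)
    except Exception as exc:
        error_id = uuid.uuid4().hex
        logger.error(json.dumps({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": "unhandled_exception",
            "error_id": error_id,
            "client": request.get("client"),
            "path": request.get("path"),
            "exc_type": type(exc).__name__,
            "exc_msg": str(exc),  # sensitive detail stays in the access-controlled log
        }))
        return 500, f"Something went wrong. Reference: {error_id}"


ALERT_THRESHOLD = 3  # constructed value; tune to your traffic


def alert_rule(records, threshold=ALERT_THRESHOLD):
    """The alerting half: one client causing `threshold` or more unhandled
    exceptions produces an alert someone can act on. Logging alone notifies nobody."""
    per_client = Counter(
        r["client"] for r in records if r.get("event") == "unhandled_exception"
    )
    return [
        {"alert": "repeated_server_errors", "client": client, "count": count}
        for client, count in per_client.items()
        if count >= threshold
    ]


if __name__ == "__main__":
    bad = {"client": "10.0.0.5", "path": "/boom"}  # constructed request
    print("leaky:", leaky_handler(bad))
    for _ in range(3):
        print("safe: ", safe_handler(bad))
    print("alerts:", alert_rule(LOG_RECORDS))
```

Run it directly and compare the two 500 responses: the leaky one echoes the constructed connection string, the safe one only carries a reference id, and the same id appears in the log record that holds the full detail. After three failures from the same client the alert rule fires, which is the step a logging-only setup never reaches.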

Conclusion 

  1. The 2025 edition of the OWASP Top 10 brings several important updates that reflect the evolving landscape of web application security. As a developer, it's crucial to stay informed about these changes and adapt your security practices accordingly. 
  2. The OWASP Top 10 is a great resource for promoting awareness of the most common risks for web applications, but security doesn't stop there. You can read all about the OWASP Top 10 on the official OWASP website. While you're there, take a look at some of their other security-related documents and frameworks, such as the Application Security Verification Standard (ASVS), the Software Assurance Maturity Model (SAMM), or the DevSecOps Maturity Model (DSOMM).

- Rick den Haan 

Special thanks to Bram Patelski, Milan Meyer, Lara van Zuilen and Greet Mattheus for their contributions.
