The landscape of web application security just got a major refresh. OWASP’s latest Top 10 list for 2025 introduces two new risk categories, reorders several long-standing threats, and signals a shift from “classic vulnerabilities” to systemic risk vectors.
If your dev-team, AppSec team or CISO hasn’t reviewed the new list yet, now is the time. These are the flaws attackers are actively abusing — and defenders can no longer treat them as “some other team’s problem.”
Why This Matters: Risk, Trends & Context
- Critical mass of attacks: Broken access control (A01) remains the #1 risk — in the data set, 3.73 % of applications tested had one or more CWEs in this category.
- Supply-chain and configuration risk dominate: Software supply-chain failures (A03) and security mis-configuration (A02) jumped to top 3 — reflecting how modern attacks exploit build systems, dependencies, and deployment mis-steps.
- New risk categories reflect maturity: “Mishandling of Exceptional Conditions” (A10) is new for 2025 — covering error-handling, failing-open logic, abnormal states. That’s a shift from just “injection” or “XSS”.
- Engineering culture must evolve: The message is clear — security is not just “code review” or “WAF rules” but architecture, deployment pipelines, third-party software, monitoring and exceptional logic.
The Top 10 Risks: 2025 Edition
Here’s a breakdown of each category, what it covers, and what to watch for.
| Rank | Category | What it means | Key Red Flags & Facts |
|---|---|---|---|
| A01 Broken Access Control | Users or attackers can act outside intended privileges (e.g., SSRF, horizontal/vertical escalation) | Remains top risk; SSRF is now folded into this category. | Unchecked APIs, missing role checks, direct object references. |
| A02 Security Misconfiguration | Unsafe default configs, exposed services, insecure deployment | Moved up from #5 in 2021. “Config as code” mistakes dominate. | Dev environments left open, cloud buckets mis-set, excessive permissions. |
| A03 Software Supply Chain Failures | Vulnerabilities from dependencies, build tools, CI/CD pipelines | New category reflecting modern attacks on dependencies. | Submitting malicious code into libraries, compromised NPM modules, rogue build artifacts. |
| A04 Cryptographic Failures | Weak or missing encryption, key management problems | Drops two spots from 2021, but still critical. | Hard-coded keys, outdated TLS, missing data encryption at rest. |
| A05 Injection | Classic injection (SQL, XSS, NoSQL) but persists | Still high risk, though other categories are rising. | User input used unsafely, dynamic SQL without sanitisation, unsanitised JSON. |
| A06 Insecure Design | Architectural and design weaknesses, lack of threat modelling | Newly downranked but still major. | No security built-in, microservices trusting each other blindly, insecure defaults. |
| A07 Authentication Failures | Broken login flows, multi-factor missing, weak auth | Slight name change but essentially same class. | Default creds, privilege escalation via auth flaws, insecure session management. |
| A08 Software or Data Integrity Failures | Tampering of code/data, CI/CD bypass | Focus moves beyond components to integrity of distribution. | Unsigned updates, compromised containers, manipulated data stores. |
| A09 Logging & Alerting Failures | No meaningful logging, no alerting pipeline, lack of response | Old category reshaped to emphasise alerts. | No audit trails, silent failures, missing alerts when exploit happens. |
| A10 Mishandling of Exceptional Conditions | New for 2025: failure to handle edge-cases, error handling gone wrong | Attackers exploiting overlooked paths. | Failing open when exception triggers, logic paths not tested, hidden backdoors via un-used code paths. |
Expert Insights: What This Really Means for Teams
1. Shift Left + Shift Right
Designing secure code doesn’t stop at deployment. You need to incorporate:
- Threat modelling and secure defaults (early)
- Dependency screening and supply chain security (build)
- Runtime monitoring, logging and anomaly detection (ops)
2. Supply Chain is the New Perimeter
Previously, perimeter was network/firewall. Now your “attack surface” includes:
- NPM/PyPI/Cargo modules
- CI/CD pipelines
- Compiled binaries, container images
- Cloud-native build systems
Teams must treat dependencies as first-class security objects — verify, scan, and isolate.
3. Configs Matter More Than Code
Misconfiguration risks (cloud storage buckets, Kubernetes RBAC, mis-set S3 policies) now outrank many code flaws. DevOps, architects, and security teams must align.
4. Build in Integrity Checks
Whether code, data, or containers — if an attacker can tamper with integrity without detection, you’ve lost. A08 highlights that. Plain code scanning isn’t enough; you need artefact signing, digest checking, and robust update channels.
5. Exceptional Paths Are Attack Paths
New category A10 warns: vulnerabilities often hide in logical flows nobody tests (error paths, seldom-used APIs, legacy code). Treat “exceptions & edge cases” like normal flows. Write tests for them.
Action Plan: How to Respond Now
Here’s a short checklist for security teams, in priority order:
- Access Review – Audit and restrict all privileges. Enforce “least privilege”, RBAC, and role separation.
- Configuration Baseline – Create golden configs for cloud, containers, IaaS. Run automated checks daily.
- Dependency Hygiene – Inventory all third-party libraries. Subscribe to vulnerability feeds. Deploy SBOMs (Software Bill of Materials).
- Architect Secure Design – Embed threat modelling in design sprints. Use secure patterns (zero-trust microservices, minimal exposure).
- Crypto & Data – Encrypt everything sensitive, rotate keys regularly, disable weak TLS versions.
- Integrity Monitoring – Sign binaries, validate containers, audit package sources.
- Logging & Alerts – Ensure full visibility: authentication, privilege changes, exceptions, configuration changes. Configure alert escalation.
- Edge-Case Testing – Run fuzzing, stress test error-paths, trap logical flaws, automate exception channel testing.
- Training & Culture – Educate developers about these new categories (especially A03, A10). Create shared ownership with DevOps and SecOps.
- Continuous Review – Set a recurring cadence (quarterly) to revisit these categories, track metrics like “% of modules with third-party vulnerability”, “% of endpoints with no auth”, etc.
Final Thoughts
The OWASP Top 10 2025 is more than a checklist — it’s a compass pointing to where web-app security is headed: from isolated code flaws to systemic architecture, supply-chain and operational weaknesses.
If you treat it as a tick-box exercise, you’ll fall behind. But if you use it to drive culture, tooling, architecture and ops, you’ll build resilience that matches the threats of today and tomorrow.
Stay ahead. Secure by design. Monitor always. Attackers are already exploiting the categories listed. The question is: Will you find the flaws first — or will they find you?