OWASP Top 10:2025 — The Global Standard for Web Application Security Risks
OWASP (Open Worldwide Application Security Project) has officially released the latest version of its list of the most critical web application security risks — OWASP Top 10:2025. This list serves as the global reference for developers, security engineers, ISO 27001 auditors, and CISOs when identifying and mitigating application security risks.
The 2025 edition introduces significant changes compared to OWASP Top 10:2021, with two new categories reflecting the modern threat landscape and one important consolidation.
What Changed from OWASP Top 10:2021 to 2025
The 2025 edition introduces two new risk categories: A03 — Software Supply Chain Failures (expanded from 'Vulnerable and Outdated Components' to cover the entire dependency ecosystem and build pipeline) and A10 — Mishandling of Exceptional Conditions (a new category focusing on exception paths, fallback logic, and fail-open behavior).
One consolidation occurred: Server-Side Request Forgery (SSRF), A10 in the 2021 list, has been merged into Broken Access Control (A01). SSRF is at root an access control failure: the server is induced to reach a URL on the attacker's behalf (an internal service, a cloud metadata endpoint) that the attacker should not be able to reach directly, so it sits naturally alongside the other authorization bypasses rather than as a standalone category.
| Position | OWASP Top 10:2021 | OWASP Top 10:2025 | Change (2025 entry vs. its 2021 position) |
|---|---|---|---|
| A01 | Broken Access Control | Broken Access Control | Same (now also absorbs SSRF) |
| A02 | Cryptographic Failures | Security Misconfiguration | Moved up from A05 |
| A03 | Injection | Software Supply Chain Failures | New (expanded from A06:2021) |
| A04 | Insecure Design | Cryptographic Failures | Moved down from A02 |
| A05 | Security Misconfiguration | Injection | Moved down from A03 |
| A06 | Vulnerable & Outdated Components | Insecure Design | Moved down from A04 |
| A07 | Identification & Authentication Failures | Authentication Failures | Same position, renamed |
| A08 | Software & Data Integrity Failures | Software or Data Integrity Failures | Same position, renamed |
| A09 | Security Logging & Monitoring Failures | Logging & Alerting Failures | Same position, renamed |
| A10 | Server-Side Request Forgery (SSRF) | Mishandling of Exceptional Conditions | New (SSRF merged into A01) |
The Ten OWASP Top 10:2025 Risk Categories
Each category represents a class of security weakness frequently found in real-world applications. Understanding all ten — their root causes, context, and detection checkpoints — is essential for building a comprehensive application security program.
A01:2025 — Broken Access Control
34 mapped CWEs. Occurs when users, or attackers, can perform actions or reach resources they should not be permitted to: bypassing authorization checks, manipulating direct object references (IDOR), escalating privilege, and, now merged here, SSRF, where the server is made to fetch internal URLs on the attacker's behalf. Remains #1 because authorization is hand-written per endpoint and is fragile across frameworks, APIs, microservices, and cloud systems. Average incidence rate of about 3.73% across tested applications.
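The two failure modes named above, an IDOR and an SSRF, side by side with their hardened forms. This is an added example written for this article, not OWASP's code or code from any product; the users, invoices and the outbound-host allowlist are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data for the example: three users and two invoices.
USERS = {
    "alice": {"id": 1, "role": "customer"},
    "bob": {"id": 2, "role": "customer"},
    "carol": {"id": 3, "role": "support"},
}
INVOICES = {
    101: {"owner_id": 1, "total": 42.00},
    102: {"owner_id": 2, "total": 99.50},
}


class Forbidden(Exception):
    """Raised when the caller may not reach the requested object."""


def get_invoice_vulnerable(invoice_id: int) -> dict:
    """IDOR: any authenticated caller can read any invoice by guessing its id.

    The only "check" is that the row exists; who is asking is never consulted.
    """
    return INVOICES[invoice_id]


def may_read_invoice(user: dict, invoice: dict) -> bool:
    """The authorization rule, kept in one place: owner or support role."""
    return invoice["owner_id"] == user["id"] or user["role"] == "support"


def get_invoice(username: str, invoice_id: int) -> dict:
    """Hardened: decide per object, deny by default.

    `username` comes from the server-side session, never from the request body,
    and a missing invoice and a foreign invoice produce the same error so that
    valid ids cannot be enumerated from the response.
    """
    user = USERS[username]
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not may_read_invoice(user, invoice):
        raise Forbidden(f"{username} may not read invoice {invoice_id}")
    return invoice


# SSRF, now counted under A01: the server fetches a URL chosen by the client.
# Hosts the application is actually meant to call (an assumption for the example).
ALLOWED_HOSTS = {"api.partner.example", "images.example"}


def is_safe_outbound_url(url: str) -> bool:
    """Accept only https URLs whose host is on the allowlist.

    IP literals in loopback, private, link-local or reserved ranges are rejected
    outright, so "https://169.254.169.254/" (cloud metadata) and
    "https://127.0.0.1:8080/" fail even if someone later adds them to the list.
    What this cannot do: defend against DNS rebinding or a redirect to an
    internal address. The HTTP client must resolve the name once, connect to
    that address, and not follow redirects automatically.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        # "https://api.partner.example@evil.example/" fools naive substring checks;
        # urlsplit() reports hostname "evil.example", but reject userinfo anyway.
        return False
    host = parts.hostname.lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not an IP literal
    if addr is not None and (
        addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved
    ):
        return False
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    print("vulnerable:", get_invoice_vulnerable(102))  # bob's invoice, no check at all
    try:
        get_invoice("alice", 102)
    except Forbidden as exc:
        print("hardened:", exc)
    print("support role:", get_invoice("carol", 102))
    for candidate in (
        "https://api.partner.example/v1/items",
        "https://169.254.169.254/latest/meta-data/",
        "https://api.partner.example@evil.example/",
        "http://api.partner.example/",
    ):
        print(candidate, "->", is_safe_outbound_url(candidate))
```

The point of `may_read_invoice` being a separate function is that the rule is testable on its own and is applied to the object, not to the route: a second endpoint that returns invoices (an export, a PDF) reuses the same decision instead of re-implementing it.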
A02:2025 — Security Misconfiguration
16 mapped CWEs. Misconfigurations in software stacks, frameworks, platforms, containers, cloud environments, or application settings that leave systems exposed. Moved up to #2 because modern applications are assembled largely from configuration, and every setting is a decision that can be wrong. A single incorrect setting (a public storage bucket, a default credential, a missing security header) can cause a large data exposure.
A03:2025 — Software Supply Chain Failures
New category, expanded from 'Vulnerable and Outdated Components'. Covers failures across the software ecosystem: dependencies, build systems, distribution infrastructure, package management, and the trust placed in third-party components. The impact of exploitation is high because one compromised package or build step reaches every downstream consumer, which is why attackers increasingly target supply chains for scalable, wide-reach compromise.
A04:2025 — Cryptographic Failures
32 mapped CWEs. Failures in encryption, key management, use of secure channels, or choice of cryptographic algorithms. The attack surface continues to grow across cloud, mobile, and IoT environments. Weak or misused cryptography leads directly to data exposure or system compromise, from hardcoded keys and weak or deprecated algorithms to missing TLS enforcement.
A05:2025 — Injection
38 mapped CWEs. Injection occurs when untrusted data reaches an interpreter as part of a command or query, so that the data changes the meaning of the command and the attacker executes statements the developer never wrote. Covers SQL injection, XSS (reflected, stored, and DOM-based), OS command injection, LDAP injection, and NoSQL injection. Still frequently exploited despite dropping to #5; the drop reflects better framework defaults (parameterized database access, auto-escaping templates), not a smaller impact when it does occur.
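Three of the injection classes listed above, each as the vulnerable form next to its fix, as an added example for this article (not OWASP's or any vendor's code). The user table and the payload are constructed; SQLite is used only because it ships with Python, the same parameterization applies to any driver.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    return conn


DB = make_db()

# Classic tautology payload: closes the string literal, appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """SQL injection: untrusted input is spliced into the statement text, so the
    attacker's quotes and operators become part of the query."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value travels separately from the statement, so
    the interpreter never parses it as SQL. The same payload matches nothing."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Reflected XSS: request data written straight into HTML."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting(name: str) -> str:
    """Output encoding for the HTML text context; quote=True also covers the
    attribute context. Encoding belongs at the output, not at the input."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


# A hostname may not start with '-' (it would be parsed as a flag) and may not
# contain shell metacharacters, whitespace or quotes.
_HOSTNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_valid_hostname(host: str) -> bool:
    return _HOSTNAME.fullmatch(host) is not None


def build_ping_argv(host: str) -> list:
    """OS command injection defence: validate the argument, then build an argv
    list for subprocess.run() without shell=True. "example.com; id" is rejected
    before any process starts, and even an accepted value is one argument."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    print("vulnerable:", find_user_vulnerable(DB, PAYLOAD))  # all three rows, root included
    print("parameterized:", find_user(DB, PAYLOAD))         # []
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting("<script>alert(1)</script>"))
    print(build_ping_argv("example.com"))
    print(is_valid_hostname("example.com; id"))
```

Note that the hostname check is an allowlist of characters, not a denylist of `;`, `|` and `$`; denylists are what attackers enumerate around.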
A06:2025 — Insecure Design
Shift-left risk. Architectural and design flaws that arise when threats, abuse cases, or business logic are not addressed during early development; retained from the 2021 edition. A design flaw cannot be fixed by a flawless implementation, and fixing it late in the development cycle is extremely costly. Requires threat modeling, explicit trust boundaries, and security requirements from the start.
A07:2025 — Authentication Failures
Identity risk. Vulnerabilities in authentication mechanisms, session management, the identity lifecycle, and credential handling; formerly 'Identification & Authentication Failures'. Despite improving frameworks, custom code and integration gaps (password reset flows, federation, sessions shared across services) still produce authentication vulnerabilities that enable account takeover, impersonation, or session hijacking.
A08:2025 — Software or Data Integrity Failures
Integrity risk. Failures to verify the integrity of code, libraries, data, or configuration within a system; distinct from supply chain risk (A03), which concerns where components come from and how they are built. Even when every dependency is trusted, missing integrity checks, such as unsigned updates or deserialization of unverified data, let an attacker insert malicious code or corrupt data flows.
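A03 and A08 both come down to verifying an artifact before trusting it, so one added example covers both: pinned digests for third-party packages (the A03 control that a hash-checking lock file gives you) and an integrity tag on an update that is checked before the update is parsed (A08). This is example code written for this article, not OWASP's or any package manager's implementation. The artifacts, the lock file and the update key are constructed; the shared-key HMAC is a stand-in for the asymmetric signature a real update channel would use.

```python
import hashlib
import hmac
import json

# --- A03: pinned digests for third-party artifacts ---------------------------
# Constructed "known-good" packages, reviewed once and recorded in a lock file.
# Real installers do the same with `pip install --require-hashes` or the
# "integrity" fields of npm's package-lock.json.
GOOD_ARTIFACTS = {
    "left-pad-1.3.0.tgz": b"module.exports = function leftPad(s, n) { ... }",
    "requests-2.32.0.whl": b"PK\x03\x04 fake wheel bytes for the example",
}

# The same fetch a week later: one artifact was replaced upstream, one is new.
FETCHED_LATER = {
    "left-pad-1.3.0.tgz": b"module.exports = function leftPad(s, n) { ... }; require('child_process')",
    "requests-2.32.0.whl": b"PK\x03\x04 fake wheel bytes for the example",
    "colors-1.4.1.tgz": b"console.log('unexpected transitive dependency')",
}


def pin(artifacts: dict) -> dict:
    """Build the lock file: artifact name -> sha256 hex digest."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


LOCKFILE = pin(GOOD_ARTIFACTS)


def verify_pins(lockfile: dict, fetched: dict) -> list:
    """Names that must not be installed: unpinned, or digest differs from the pin.

    An unpinned artifact is as fatal as a mismatch: "it was not in the lock
    file" is exactly how a malicious transitive dependency arrives.
    """
    rejected = []
    for name, data in fetched.items():
        expected = lockfile.get(name)
        actual = hashlib.sha256(data).hexdigest()
        if expected is None or not hmac.compare_digest(actual, expected):
            rejected.append(name)
    return rejected


# --- A08: verify an update before deserializing it -----------------------------
# Shared-key HMAC keeps the example self-contained; a real update channel uses
# an asymmetric signature (Ed25519, Sigstore, ...) so the verifier holds no
# secret that could sign. The key below is an assumption for the example.
UPDATE_KEY = b"example-shared-key-do-not-use"


def sign_update(payload: dict, key: bytes) -> dict:
    """Canonical JSON body plus an HMAC-SHA256 tag over those exact bytes."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def is_valid_update(envelope: dict, key: bytes) -> bool:
    expected = hmac.new(key, envelope.get("body", "").encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def apply_update(envelope: dict, key: bytes) -> dict:
    """Verify first, parse second. The body is JSON, not pickle: even a body that
    passed the check is data, never code, when it is deserialized."""
    if not is_valid_update(envelope, key):
        raise ValueError("update rejected: integrity tag does not match")
    return json.loads(envelope["body"])


SIGNED = sign_update({"version": "2.1.0", "url": "https://updates.example/2.1.0.bin"}, UPDATE_KEY)
TAMPERED = {"body": SIGNED["body"].replace("updates.example", "evil.example"), "tag": SIGNED["tag"]}


if __name__ == "__main__":
    print("rejected artifacts:", verify_pins(LOCKFILE, FETCHED_LATER))
    print("genuine update:", apply_update(SIGNED, UPDATE_KEY))
    print("tampered update valid?", is_valid_update(TAMPERED, UPDATE_KEY))
```

Two details carry the security weight: `hmac.compare_digest` for both comparisons (constant-time, so timing does not leak how many leading characters matched) and the ordering in `apply_update`, which never hands unverified bytes to a parser.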
A09:2025 — Logging & Alerting Failures
Detection gap. Emphasizes not only logging but the alerting and monitoring side of security, because logs that nobody is alerted on and nobody acts on have very limited value. As environments grow more complex (microservices, cloud, containers), detecting incidents requires integrated, actionable logging and monitoring. Underrepresented in test data, since scanners and penetration tests rarely exercise detection, but high in community concern.
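What "actionable" means in practice: rules that turn events into alerts, including an alert when the pipeline itself drops or garbles events. The following is an added example for this article, not OWASP's or any SIEM's code; the log lines and their format are constructed, and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events in a simple line format (timestamp, event,
# user, source address). The ninth line is deliberately malformed.
SAMPLE_LOG = """\
2025-11-20T10:00:01Z auth_failure user=alice src=203.0.113.7
2025-11-20T10:00:05Z auth_failure user=bob src=203.0.113.7
2025-11-20T10:00:09Z auth_failure user=carol src=203.0.113.7
2025-11-20T10:00:12Z auth_failure user=dave src=203.0.113.7
2025-11-20T10:00:15Z auth_failure user=erin src=203.0.113.7
2025-11-20T10:00:20Z auth_success user=bob src=203.0.113.7
2025-11-20T10:01:00Z auth_failure user=alice src=198.51.100.5
2025-11-20T10:12:00Z auth_failure user=alice src=198.51.100.5
<14>forwarder: queue full, 37 events dropped
2025-11-20T10:15:00Z auth_success user=alice src=198.51.100.5
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<event>auth_failure|auth_success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed event line, None otherwise."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Sliding-window rules over the stream; returns (rule, source, detail) tuples.

    - BRUTE_FORCE: `threshold` failures from one source inside `window`.
    - SUCCESS_AFTER_FAILURES: a success from a source with 3+ recent failures
      (the brute force that worked, which is the alert that matters most).
    - UNPARSED_LINE: a line the parser could not read. Silent parse failures are
      a coverage gap, so they are surfaced instead of dropped.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    already_fired = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            alerts.append(("UNPARSED_LINE", "-", line))
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                    # expire failures outside the window
        if ev["event"] == "auth_failure":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in already_fired:
                already_fired.add(ev["src"])
                alerts.append(("BRUTE_FORCE", ev["src"], f"{len(q)} failures in {window.seconds}s"))
        elif len(q) >= 3:
            alerts.append(("SUCCESS_AFTER_FAILURES", ev["src"], f"user={ev['user']}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule:<24} src={src:<14} {detail}")
```

The second source (198.51.100.5) fails twice eleven minutes apart and never alerts: a window is what separates a user mistyping a password from an attacker, and the choice of window and threshold is a tuning decision for your own traffic, not a constant to copy.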
A10:2025 — Mishandling of Exceptional Conditions
New category for 2025. Focuses on system behavior under abnormal conditions: exceptions, unexpected input, fallback logic, fail-open behavior, and error handling weaknesses. Attackers deliberately drive the edge cases and exception paths that the design and the test suite never covered. A system that fails open (grants access or skips a check when a component errors out) instead of failing safely is a growing attack surface.
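The fail-open pattern described above is easiest to recognise in an authorization check whose backend can fail. The following is an added example for this article, not OWASP's or any framework's code; the policy store is a constructed stand-in for a remote policy service, and the grants are assumptions.

```python
import logging

log = logging.getLogger("authz")


class PolicyUnavailable(Exception):
    """The policy backend timed out or is unreachable."""


class PolicyStore:
    """Constructed stand-in for a remote policy service.

    `available=False` simulates an outage: every lookup raises. A lookup for a
    (user, action) pair with no rule returns None, the "nobody thought about
    this case" result that fail-open code silently turns into a grant.
    """

    def __init__(self, grants: dict, available: bool = True):
        self.grants = grants
        self.available = available

    def lookup(self, user: str, action: str):
        if not self.available:
            raise PolicyUnavailable("policy service timeout")
        return self.grants.get((user, action))


def is_allowed_fail_open(store: PolicyStore, user: str, action: str) -> bool:
    """The anti-pattern. Both exceptional paths end in a grant:
    an outage allows everyone, and an absent rule allows by default."""
    try:
        decision = store.lookup(user, action)
    except Exception:            # swallowed, "don't break the site during incidents"
        return True
    if decision is None:
        return True
    return decision


def is_allowed(store: PolicyStore, user: str, action: str) -> bool:
    """Fail closed: only an explicit True from the policy grants access.

    A backend error is logged and denied, so an outage degrades to "no one can
    do privileged things" rather than "anyone can". Any value other than an
    explicit True (None, a string, a truthy dict from a changed API) also denies.
    """
    try:
        decision = store.lookup(user, action)
    except PolicyUnavailable as exc:
        log.error("authorization backend unavailable, denying %s:%s (%s)", user, action, exc)
        return False
    return decision is True


def parse_quantity(raw: str, max_value: int = 1000) -> int:
    """Unexpected input on an exception path: reject it, do not substitute a
    default. A silent `except ValueError: qty = 1` hides the probing that
    precedes abuse (negative quantities, huge orders, non-numeric payloads)."""
    try:
        qty = int(raw, 10)
    except (TypeError, ValueError):
        raise ValueError(f"quantity is not an integer: {raw!r}")
    if not 1 <= qty <= max_value:
        raise ValueError(f"quantity out of range: {qty}")
    return qty


# Constructed policies for the example.
STORE_UP = PolicyStore({("alice", "read"): True, ("bob", "delete"): False})
STORE_DOWN = PolicyStore(STORE_UP.grants, available=False)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("fail-open during outage:", is_allowed_fail_open(STORE_DOWN, "mallory", "delete"))
    print("fail-open, no rule:     ", is_allowed_fail_open(STORE_UP, "mallory", "delete"))
    print("fail-closed, outage:    ", is_allowed(STORE_DOWN, "mallory", "delete"))
    print("fail-closed, no rule:   ", is_allowed(STORE_UP, "mallory", "delete"))
    print("fail-closed, granted:   ", is_allowed(STORE_UP, "alice", "read"))
    print("quantity:", parse_quantity("3"))
```

A review heuristic that follows from this: search the code base for `except Exception:` and `except:` blocks and ask, for each one, what the caller receives when that branch runs. If the answer is "the same thing a success returns", that is the fail-open path an attacker will go looking for.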
OWASP Top 10:2025 Quick Reference
The table below provides a concise reference mapping each OWASP 2025 category to its primary focus area and key security checks to implement.
| Category | Focus Area | Key Checks |
|---|---|---|
| Broken Access Control | Authorization logic & access | Per-object authorization, deny by default, SSRF URL allowlisting |
| Security Misconfiguration | Deployment/configuration stack | Default credentials, cloud config, IaC review |
| Supply Chain Failures | Dependencies & trust chain | SBOM, pipeline integrity, third-party risk |
| Cryptographic Failures | Encryption / key management | Algorithm selection, key lifecycle, TLS enforcement |
| Injection | Interpreter abuse via untrusted input | Parameterized queries, output escaping, input validation |
| Insecure Design | Architectural / business logic flaws | Threat modeling, misuse cases, design review |
| Authentication Failures | Identity & session management | MFA, session invalidation, credential storage |
| Software/Data Integrity Failures | Unverified code/data integrity | Signed updates, plugin verification, safe deserialization |
| Logging & Alerting Failures | Actionable logging + alerting | Event coverage, SIEM/monitoring, alert rules |
| Mishandling of Exceptional Conditions | Error paths, fail-open logic | Exception flows, fallback logic, chaos/fault testing |
Implications for Organizations
OWASP Top 10:2025 is not merely a list — it is a reflection of the real threat landscape facing business applications today. For organizations pursuing ISO 27001 certification or operating in regulated sectors (banking, fintech, healthcare), a deep understanding of OWASP 2025 is directly relevant.
ISO 27001:2022 Annex A controls are directly connected to OWASP categories, in particular the technological controls on secure development: A.8.25 (secure development life cycle), A.8.26 (application security requirements), A.8.28 (secure coding), and A.8.29 (security testing in development and acceptance). A comprehensive risk assessment must consider all ten categories as potential threats to information assets.
Practical steps that can be taken immediately: conduct a gap analysis against OWASP Top 10:2025, prioritize findings based on your business context and applicable regulations, integrate the results into your annual VAPT (vulnerability assessment and penetration testing) program, and ensure all findings are addressed with a structured remediation plan.
OWASP vulnerabilities don't wait — they're being exploited right now. CloudSphere's Security Assessment team tests your applications against all OWASP Top 10 categories, giving you a clear remediation roadmap.