
The OWASP Foundation has revealed the first Release Candidate for the 2025 OWASP Top 10 list, which ranks the most critical security concerns developers should be thinking about.
The top 10 security concerns on the updated list are:
- Broken Access Control
- Security Misconfiguration
- Software Supply Chain Failures
- Cryptographic Failures
- Injection
- Insecure Design
- Authentication Failures
- Software or Data Integrity Failures
- Logging and Alerting Failures
- Mishandling of Exceptional Conditions
This list features many of the same concerns as the 2021 version, with a few notable changes, such as Server-Side Request Forgery, which was in last place in 2021, being rolled into the Broken Access Control category.
Additionally, a new category, Software Supply Chain Failures, was added and absorbs Vulnerable and Outdated Components (#6 in 2021), and Mishandling of Exceptional Conditions made the list for the first time, containing CWEs related to improper error handling, logical errors, failing open, and other related scenarios.
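To make the "failing open" scenario in that new category concrete, here is an added example (not code from the OWASP report): an authorization check whose exception handler grants access when the policy backend is down, beside the fail-closed fix. The policy table, role and resource names, and the simulated outage are all constructed for illustration.

```python
# Added example, not from the OWASP Top 10 report: "failing open" under
# Mishandling of Exceptional Conditions, beside a fail-closed fix.
# Policy table, roles, resources and the outage simulation are constructed.

class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot be reached (constructed)."""

# Constructed policy table: resource -> roles allowed to read it.
POLICY = {"/reports/finance": {"cfo"}, "/public/faq": {"anyone"}}

# Audit trail of denied-by-error decisions, so an outage is visible to
# operators instead of silently changing the access outcome.
AUDIT = []

def lookup_roles(resource, backend_up=True):
    """Return roles allowed to read `resource`; `backend_up=False` simulates an outage."""
    if not backend_up:
        raise PolicyUnavailable("policy service unreachable")
    return POLICY.get(resource, set())

def is_allowed_fail_open(role, resource, backend_up=True):
    """Vulnerable: an exception during the check is treated as 'no restriction'."""
    try:
        allowed = lookup_roles(resource, backend_up)
    except PolicyUnavailable:
        return True  # BUG: a backend outage now grants access to everything
    return role in allowed or "anyone" in allowed

def is_allowed_fail_closed(role, resource, backend_up=True):
    """Fixed: any failure to evaluate the policy denies the request and is recorded."""
    try:
        allowed = lookup_roles(resource, backend_up)
    except PolicyUnavailable as exc:
        AUDIT.append({"role": role, "resource": resource, "denied_because": str(exc)})
        return False  # deny; the caller can return 503 and page on-call
    return role in allowed or "anyone" in allowed

if __name__ == "__main__":
    # With the backend up both versions agree; during an outage only the
    # fail-closed version keeps the finance report away from an intern.
    print(is_allowed_fail_open("intern", "/reports/finance", backend_up=False))   # True
    print(is_allowed_fail_closed("intern", "/reports/finance", backend_up=False)) # False
    print(AUDIT)
```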
“Mishandling of Exceptional Conditions is a category that has been just outside the Top 10 for several years. In this iteration, there was enough data and support from the community survey to push it over the line and into the Top 10,” said Brian Glas, one of the lead authors of the report.
Broken Access Control maintained its position as the top concern, with 3.74% of the applications OWASP tested containing one or more of the 40 CWEs in this category.
Cryptographic Failures, Injection, and Insecure Design dropped down in the list, while Security Misconfiguration rose to number two.
The OWASP Top 10 is decided based on two main data collection methods. The primary source is findings that companies contributed from SAST, DAST, IAST, and other security testing performed between 2020 and 2024, covering over 2.8 million tested applications. The second method is a community survey, which accounts for newer categories of vulnerabilities that the industry may not yet have developed adequate tests for.
“It’s essential to understand why we construct the Top 10 in this manner,” said Glas. “If it were purely data-driven, we would not have an accurate list, as it would only be looking into the past. The community survey is crucial in enabling people on the ground to share what they perceive as important risks that require visibility and attention, which may not be reflected in the data.”
Glas concluded that this updated OWASP Top 10 highlights the fact that software development is becoming more complex, and developers are being asked to be responsible for more things. He cited the rise of Software Supply Chain Failures and Security Misconfiguration as evidence for this change.
The OWASP Top 10 2025 will be open for comments until November 20th.