Vulnerabilities | Jun 15, 2026

What Changed in OWASP Top 10 2025 and Recommendations for Each Category

OWASP releases Top 10 Web Application Security Risks 2025 with new categories.

Summary

The OWASP Foundation has updated its Top 10 Web Application Security Risks for 2025, introducing two new categories: Software Supply Chain Failures and Mishandling of Exceptional Conditions. This update, based on analysis of over 175,000 CVE records, sees Security Misconfiguration rise to #2 and Broken Access Control remain #1, now explicitly including API authorization failures like BOLA and BFLA.

Full text

Key Takeaways

- The 2025 list introduces two new categories – Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10) – reflecting attacks already happening in production.
- Security Misconfiguration jumping from #5 to #2 signals that continuous deployment without continuous scanning creates active exposure windows.
- Broken Access Control (A01) now explicitly covers BOLA and BFLA API authorization failures – the most exploited patterns in modern API-heavy applications.
- OWASP recommendations are sound, but assume unified tooling, continuous coverage, and mature SDLC discipline that most AppSec programs still lack.
- A03 (Software Supply Chain Failures) has the highest incidence rate (5.19%) but very low CVE coverage – attacks are happening while scanners lack signatures.
- Programs that close operational gaps category-by-category will enter the next audit cycle with a defensible posture.

The OWASP Foundation has released the eighth edition of its Top 10 Web Application Security Risks. This is the first major update since 2021, and it was built on analysis of more than 175,000 CVE records and 589 Common Weakness Enumerations. Two entirely new OWASP Top 10 2025 categories entered the list, and several rankings shifted significantly. One category was consolidated into another. The complete breakdown of OWASP Top 10 changes 2025 follows below, category by category. But the more important aspect is what those changes say about where attacks are happening right now, and what your AppSec program should do about each one.
This post breaks down every category in the 2025 list, what OWASP recommends for addressing each, and the operational realities that make those recommendations harder to apply than they look.

OWASP Top 10 2025 vs. 2021 Category Mapping

OWASP Top 10 2021 vs 2025 at a Glance

Key shifts include:

- A02 Security Misconfiguration surged from #5 to #2
- A03 Software Supply Chain Failures — new category at #3 with the highest incidence rate
- A10 Mishandling of Exceptional Conditions — new category
- A01 Broken Access Control remains #1 and now explicitly includes BOLA and BFLA

The Full Breakdown of What Changed in OWASP Top 10 2025

A01: Broken Access Control – Remains #1, Now Explicitly Covers BOLA and BFLA

Broken Access Control retains the top spot, with a significantly expanded scope. It now includes Server-Side Request Forgery (SSRF), privilege escalation, account takeover, and unauthorized data access across API endpoints. Two authorization failure patterns now fall squarely within this category: Broken Object Level Authorization (BOLA), which lets attackers access another user's data by manipulating object references in API calls, and Broken Function Level Authorization (BFLA), where lower-privileged users invoke admin-level API functions by calling endpoints directly. These aren't edge cases. They're among the most exploited patterns in API-heavy applications, and exactly the surface most traditional DAST tools weren't built to test.

Open banking mandates (PSD2 in the EU, the UK's FCA-governed Open Banking Standard, and RBI's Account Aggregator framework in India) have multiplied API endpoints across financial services without proportional testing coverage. That's exactly the surface attacks in this category exploit. In healthcare, patient portal APIs that weren't threat-modeled at design time grant unauthorized access through endpoints that periodic web scans never reach. Any detection scope, compliance report, or audit documentation still treating SSRF as a separate category is now out of date.
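As an added example (not code from OWASP or from this post), the following Python module is a single, reusable server-side access-control layer that closes both patterns just described: it denies by default, checks that the caller's role may invoke the API function (BFLA), checks that the caller owns the referenced record (BOLA), and counts every denial so that failures clustering on one account or endpoint can be alerted on. The invoices, users, roles and the policy table are constructed sample data.

```python
import logging
from collections import Counter

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")

# Constructed sample data: invoices with an owner, and each user's role.
INVOICES = {101: {"owner": "alice", "total": 42},
            102: {"owner": "bob", "total": 99},
            103: {"owner": "carol", "total": 7}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

# Function-level policy: which roles may call which API function.
# Any function or role not listed here is denied (deny by default).
POLICY = {"invoice.read": {"user", "admin"}, "invoice.refund": {"admin"}}

# Denial counter keyed by (user, function): the input for clustering alerts.
failures = Counter()

class Forbidden(Exception):
    """Raised for every denied request; the HTTP layer maps it to 403/404."""

def deny(user, action, reason):
    failures[(user, action)] += 1
    logging.warning("access denied user=%s action=%s reason=%s", user, action, reason)
    raise Forbidden(reason)

def authorize(user, action, invoice_id):
    """The one check every endpoint calls before it touches any record."""
    role = ROLES.get(user)                      # unknown user -> role None -> denied
    if role not in POLICY.get(action, set()):   # BFLA: function not allowed for role
        deny(user, action, "function not permitted for role")
    inv = INVOICES.get(invoice_id)
    # BOLA: callers act only on records they own. A missing record gets the
    # same denial as someone else's record, so object ids cannot be enumerated.
    if inv is None or inv["owner"] != user:
        deny(user, action, "object missing or not owned by caller")
    return inv

def read_invoice(user, invoice_id):
    return authorize(user, "invoice.read", invoice_id)["total"]

def refund_invoice(user, invoice_id):
    authorize(user, "invoice.refund", invoice_id)
    return "refunded"

def clustered_failures(threshold=3):
    """(user, function) pairs whose denial count reached the alert threshold."""
    return {key: n for key, n in failures.items() if n >= threshold}
```

In a real service the `failures` counter would be replaced by the log pipeline, and `threshold` tuned per endpoint; the important property is that every endpoint goes through `authorize` rather than carrying its own checks.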
OWASP Recommends:

- Run access control checks in server-side code that an attacker can't tamper with, never in the browser or client.
- Deny by default, with exceptions only for resources meant to be public.
- Build a single, reusable access control layer rather than scattering checks across the codebase, and keep cross-origin resource sharing (CORS) tightly scoped.
- Your access control model should enforce that users can only act on records they own, instead of allowing actions on any record they can reference.
- Log every access control failure and trigger alerts when failures cluster on a single account or endpoint.
- Rate-limit your APIs and controllers.
- After logout, invalidate session identifiers on the server; for stateless JWTs, keep token lifetimes short.
- Treat functional access control as a first-class test case in your unit and integration suites.

A02: Security Misconfiguration – Surges from #5 to #2

Security Misconfiguration is the OWASP 2025 category with the most striking data point: 100% of tested applications showed some form of misconfiguration, with an average incidence rate of 3.00%. The category covers insecure default settings, open cloud storage buckets, misconfigured HTTP headers, and verbose error responses that expose stack traces, environment variables, and internal architecture.

The jump reflects deployment reality more than developer behavior. In retail and e-commerce, misconfigured cloud storage buckets have exposed millions of customer records without a single line of malicious code being written. In SaaS and technology companies, every CI/CD-provisioned service is a potential misconfiguration surface, and most teams scan intermittently while deploying continuously. The gap between scans isn't a compliance footnote. It's an active exposure window.

OWASP Recommends:

- Build a hardening process that is repeatable, scripted, and identical across development, QA, and production. Only the credentials should differ.
- Ship a minimal platform: strip out unused features, components, sample apps, and documentation.
- Fold configuration review into your patch management cycle, including cloud storage permissions.
- Use network segmentation, containerization, or cloud security groups to keep components and tenants isolated.
- Enforce security through HTTP headers.
- For credentials, lean on identity federation, short-lived tokens, or platform-native role-based access rather than embedding static keys or secrets inside code, config files, or pipelines.

A03: Software Supply Chain Failures – New, Highest Incidence Rate, Lowest CVE Coverage

Software Supply Chain Failures is OWASP's new A03 category, addressing the full software supply chain: third-party dependencies, build systems, CI/CD pipelines, and update and delivery mechanisms. It carries the highest average incidence rate of any category at 5.19%, but only 11 CVEs map to related CWEs. That gap (attacks happening in production while scanners lack the signatures to flag them) is what makes it dangerous. The 2020 SolarWinds breach reached thousands of downstream organizations through a compromised build that shipped as a legitimate, signed software update, and so bypassed signature-based detection. Magecart-style attacks inject malicious JavaScript into checkout pages through compromised third-party scripts. A03 entering the list with the highest incidence rate isn't a warning about future risk; it's a finding about current exposure.

OWASP Recommends:

- Centrally generate and manage an SBOM, tracking direct and transitive dependencies. Remove unused dependencies.
- Continuously monitor CVE, NVD, and OSV sources for component vulnerabilities.
- Only obtain components from official, trusted sources; prefer signed packages.
- Monitor unmaintained libraries; consider migration or virtual patching where patches aren't available.
- Use staged rollouts or canary deployments to limit blast radius.
- Harden code repositories, developer workstations, build servers, and artifact repositories.
- Enable MFA, sign artifacts, and ensure immutable builds.

A04: Cryptographic Failures – Drops from #2 to #4

Covers weak or absent encryption for data in transit and