
The OWASP 2025 list has just been announced – risks you never thought of are at the top!


Overview

The year 2025 marked a significant turning point in how we perceive cybersecurity in general and application security in particular. The OWASP Top 10, the list regarded as the "guiding light" for every AppSec program worldwide, has just been officially updated to its latest version. Unlike previous updates, OWASP no longer focuses solely on classic programming errors such as SQL Injection or XSS. Instead, it sends a clear message: security is not just in the code but across the entire software lifecycle, from the supply chain and the design through to how the system behaves when errors occur.

Compared to the 2021 version, OWASP 2025 brings many notable changes: two entirely new categories have appeared, several risk groups have been redefined, and the focus has shifted entirely to “secure design” and “system integrity”. Notably, the inclusion of “Software Supply Chain Failures” and “Mishandling of Exceptional Conditions” indicates that the security industry is entering a phase where a flaw in a third-party library or a mishandled exception can also open the door for attackers.

OWASP Top 10 2025 Released

Details of OWASP Top 10

This analysis focuses only on what changed compared to previous versions. The most notable change in 2025 is Mishandling of Exceptional Conditions (A10), a completely new category. Why did security experts add it to the list?

Simply put, Mishandling of Exceptional Conditions occurs when an application does not properly handle unusual situations (exceptions, runtime errors, I/O errors, timeouts, network errors, backend service failures, invalid input, etc.), leading to:

  • Disclosure of sensitive information (stack traces, error content),

  • Skipping authorization checks or authentication steps,

  • Entering a fail-open state (open when errors occur) instead of fail-secure (locked tight),

  • Causing unexpected behavior that can be exploited.

To understand this better, consider a simple example: an API endpoint /user reads an id from the query string and builds an SQL query by string concatenation instead of using a parameterized query. Because the id is never parameterized, the endpoint is open to SQL injection.

An attacker then sends a value that makes the query fail (for example, an invalid character where a number is expected), and the database engine returns an error message whose details the application passes straight back to the client. From those details the attacker learns about the database, can go on to obtain sensitive data, and can sell it on black markets, posing significant risks to both individuals and businesses.
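The /user endpoint described above, as an added example that is not part of the original article: the vulnerable handler (concatenated SQL, raw engine error returned to the caller) next to a hardened one (validated and parameterized id, error detail kept in server logs under a correlation id). The database is a constructed stub so the code runs offline; it mimics an engine that echoes the failing statement in its error message and simulates an outage for id 999.

```javascript
// Constructed stub standing in for a SQL engine (not a real database driver).
const fakeDb = {
  query(sql, params = []) {
    const m = sql.match(/WHERE id = (.+)$/);
    const raw = params.length ? String(params[0]) : (m ? m[1] : "");
    if (!/^\d+$/.test(raw)) {
      // A real engine's message typically echoes the statement and object names.
      throw new Error(`syntax error near "${raw}" in: ${sql} (relation: users)`);
    }
    if (raw === "999") throw new Error("connection to database host db-internal lost");
    return { id: Number(raw), name: "demo user" };
  },
};

// Vulnerable: the id is concatenated into SQL (A05) and the raw engine error,
// stack included, is sent back to the client (A10: information disclosure).
function vulnerableUserHandler(req) {
  try {
    const row = fakeDb.query(`SELECT id, name FROM users WHERE id = ${req.query.id}`);
    return { status: 200, body: row };
  } catch (err) {
    return { status: 500, body: { error: err.message, stack: err.stack } };
  }
}

// Hardened: validate the id, bind it as a parameter, keep the failure detail
// in server-side logs under a correlation id, and answer with a generic message.
function hardenedUserHandler(req, logger = () => {}) {
  const id = String(req.query.id ?? "");
  if (!/^\d{1,18}$/.test(id)) {
    return { status: 400, body: { error: "invalid id" } }; // reject; never query
  }
  try {
    const row = fakeDb.query("SELECT id, name FROM users WHERE id = $1", [id]);
    return { status: 200, body: row };
  } catch (err) {
    const ref = `req-${Date.now().toString(36)}`; // lets ops find the log entry
    logger({ ref, message: err.message, stack: err.stack }); // detail stays internal
    return { status: 500, body: { error: "internal error", ref } };
  }
}
```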

Another new trend highlighted by OWASP in this update is: A03 - Software Supply Chain Failures. A03 is not just about "faulty libraries" or "outdated components" but includes the entire software supply chain: source code (proprietary & OSS), dependencies, build processes (CI/CD), artifacts (containers/images, packages), distribution systems (registries, mirrors), and even operational pipelines (GitHub Actions, runners, secrets).

Three real incidents show how serious Software Supply Chain Failures can be:

  • SolarWinds / Sunburst: A backdoor was embedded in the official release of Orion, leading to attacks on thousands of organizations. The unimaginable consequence was that attackers could access government systems and large companies.

  • event-stream (npm): Maintainer rights were handed over to an attacker, who then added a malicious dependency (flatmap-stream) that spread to many downstream projects.

  • "Shai-Hulud" Campaign (2025, npm): A worm-like campaign targeting npm packages, self-replicating, attempting to steal tokens/credentials in CI to expand its influence.

Let's analyze an example to better understand this trend: a company builds an internal payment application on Node.js with over 200 npm packages, including a popular high-performance logging package called fast-logger. Every time code is merged into the main branch, the build pipeline has the following weaknesses:

  • There is no step to check the signature or hash of the dependency.

  • Always downloading the “latest version” from the npm registry during the build process (npm install fast-logger).

  • No SBOM or mechanism to check for maintainer changes.

When the maintainer's credentials for fast-logger are leaked on some forum or the account is brute-forced, the attacker releases version 4.2.3 containing hidden code in its postinstall.js file, as follows:

And of course, when the DevOps team's pipeline next installs the package, the infection chain executes and the attacker obtains the GITHUB_TOKEN. From there they can easily:

  • Push additional malicious code into an internal repo (finpay-utils).

  • Create a fake Pull Request from a legitimate account.
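A pre-merge gate for the pipeline described above, as an added example that is not part of the original article: it reads package.json and package-lock.json (both constructed here so the check runs offline) and reports the three gaps the text lists, unpinned versions, missing integrity hashes, and packages that run install scripts. The package names other than fast-logger and finpay-utils, the registry policy, and the hash value are assumptions.

```javascript
// Constructed manifest and lockfile (lockfile v3 layout); date-fmt is hypothetical.
const PACKAGE_JSON = JSON.stringify({
  dependencies: { "fast-logger": "latest", "finpay-utils": "1.4.0", "date-fmt": "^2.0.1" },
});
const PACKAGE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "fast-logger": "latest" } },
    "node_modules/fast-logger": {
      version: "4.2.3",
      resolved: "https://registry.npmjs.org/fast-logger/-/fast-logger-4.2.3.tgz",
      hasInstallScript: true, // declares a postinstall hook; no "integrity" field at all
    },
    "node_modules/finpay-utils": {
      version: "1.4.0",
      resolved: "https://registry.npmjs.org/finpay-utils/-/finpay-utils-1.4.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // constructed placeholder hash
    },
  },
});
const ALLOWED_REGISTRY = "https://registry.npmjs.org/"; // assumed organisational policy

// Exact versions only: dist-tags ("latest") and ranges (^, ~, *, >=) are rejected.
const isPinned = (spec) => /^\d+\.\d+\.\d+$/.test(spec);

function auditDependencies(pkgJsonText, lockText) {
  const pkg = JSON.parse(pkgJsonText);
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    if (!isPinned(spec)) findings.push({ pkg: name, rule: "unpinned", detail: spec });
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.integrity || !entry.integrity.startsWith("sha512-")) {
      findings.push({ pkg: name, rule: "no-integrity", detail: entry.version });
    }
    if (entry.resolved && !entry.resolved.startsWith(ALLOWED_REGISTRY)) {
      findings.push({ pkg: name, rule: "foreign-registry", detail: entry.resolved });
    }
    if (entry.hasInstallScript) {
      // Install scripts are where a malicious postinstall.js runs; require explicit
      // review, or build with `npm ci --ignore-scripts` so they never execute in CI.
      findings.push({ pkg: name, rule: "install-script", detail: entry.version });
    }
  }
  return findings; // a non-empty list should fail the merge
}
```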

Those are the most notable changes in this edition; the remaining categories change only in ranking and severity.

  • A01: Broken Access Control: Attackers can access data, functions, or resources they are not allowed to, leading to data leaks, account takeover, or full system control.

  • A02: Security Misconfiguration: Misconfigurations (server, framework, container, cloud, HTTP headers, etc.) are the most common cause of attacks today. Hackers can exploit open ports, leftover test services, or weak headers to attack.

  • A04: Cryptographic Failures: Sensitive information can be exposed or forged if weak algorithms, short keys, or unencrypted data storage are used.

  • A05: Injection: Attackers can inject malicious code into SQL statements, shell systems, LDAP, NoSQL, etc., to execute unauthorized commands or extract data.

  • A06: Insecure Design: An application with "clean code" can still be attacked if the overall design is flawed—for example, forgetting to re-authenticate on secondary APIs or allowing users to guess URLs to gain access.

  • A07: Authentication Failures: If authentication is weak, hackers can take over user accounts, bypass logins, or exploit tokens to access the system.

  • A08: Software or Data Integrity Failures: Software or data can be modified or have malicious code inserted during updates or synchronization. This directly affects the system's reliability and safety.

  • A09: Logging & Alerting Failures: If the system does not log correctly or alert in time, attacks can occur silently without being detected.

Recommendations

  1. Use strong and unique passwords for each account

    • Avoid using duplicate passwords.

    • Combine uppercase, lowercase, numbers, and special characters.

    • Consider using a password manager like 1Password or Bitwarden.

  2. Enable two-factor authentication (2FA/MFA) when possible

    • Helps prevent attackers from accessing even if the password is exposed.

    • Use apps like Google Authenticator, Authy, or security keys (YubiKey).

  3. Be cautious when downloading software and applications

    • Only download from official sources (App Store, Google Play, reputable websites).

    • Check signatures, ratings, and reviews before installing.

  4. Update software and operating systems regularly

    • New patches help fix security vulnerabilities.

    • This includes browsers, plugins, and mobile apps that need updating.

  5. Be cautious with links and attachments

    • Do not click on strange links, phishing emails, or download files from unknown sources.

    • Check the URL before logging in or entering sensitive information.

  6. Manage app permissions

    • Do not grant excessive permissions to apps (e.g., access to contacts, camera, location if not necessary).

    • Regularly review and revoke permissions.

  7. Back up important personal data

    • Helps restore data in case of incidents, ransomware, or software errors.

    • Use both offline backup and secure cloud backup.

  8. Monitor account activity

    • Keep an eye on email, banking, social media, etc., to detect unusual activity.

    • Enable login alerts or notifications for access from unfamiliar devices.

  9. Security Awareness

    • Learn to recognize phishing, scams, or fake websites.

    • Do not share sensitive information via email, chat, or public social networks.

  10. Use Secure Browsers and Tools

    • Enable HTTPS Everywhere or advanced security mode in your browser.

    • Use plugins to block malicious scripts or ads containing malware.

Conclusion

The 2025 version of the OWASP Top 10 clearly shows that application security is not just about writing correct code but also about managing the environment, the software supply chain, and how applications behave when errors occur. "Failing safely," "monitoring," and "system defense" have become very important. For organizations looking to enhance their AppSec posture, updating according to this list is a necessary step to prepare for a future where software is increasingly complex, interconnected, and vulnerable to attacks from multiple directions.



FPT IS Security
