Let’s correct a common misconception. There is no “OWASP Top 10 2024.” The official update to the 2021 list is the 2025 release. This is the definitive guide to those changes.
Security professionals, information security architects, and CISOs must understand these shifts. This is not just a list of changes.
It is an analysis of the “why” behind them and the practical actions you must take to protect your organization. We will give you a clear and strategic breakdown of the new OWASP Top 10.
The Evolution of the OWASP Top 10: A Quick Recap
The OWASP Top 10 is a standard awareness document. Its purpose is to identify the ten most critical security risks to web applications.
The 2021 list focused on well-understood issues like Broken Access Control and Cryptographic Failures, setting a baseline for security programs. The 2025 update is not arbitrary.
It is the result of a data-driven process, analyzing information from numerous organizations and security experts, combined with community feedback. This process gives the list its credibility and makes it a reliable indicator of the threat environment.
Key Changes in the 2025 List
The table below sets the 2021 standard beside the 2025 release candidate, category by category, so the changes are easy to see.
| OWASP Top 10 2021 | OWASP Top 10 2025 | Key Change |
|---|---|---|
| A01: Broken Access Control | A01: Broken Access Control | Unchanged |
| A02: Cryptographic Failures | A02: Cryptographic Failures | Unchanged |
| A03: Injection | A03: Injection | Unchanged |
| A04: Insecure Design | A04: Insecure Design | Unchanged |
| A05: Security Misconfiguration | A05: Security Misconfiguration | Unchanged |
| A06: Vulnerable and Outdated Components | A06: Software Supply Chain Failures | Evolved/New |
| A07: Identification and Authentication Failures | A07: Identification and Authentication Failures | Unchanged |
| A08: Software and Data Integrity Failures | A08: Mishandling of Exceptional Conditions | New |
| A09: Security Logging and Monitoring Failures | A09: Security Logging and Monitoring Failures | Unchanged |
| A10: Server-Side Request Forgery (SSRF) | A10: Unsafe Direct Object Consumption | New/Replaced |
Let’s Dive into the OWASP 2025 Additions
A06:2025 – Software Supply Chain Failures:
What it is: This new category is a significant expansion of the old “Vulnerable and Outdated Components.” It now covers the entire software supply chain. This includes compromised build tools, malicious dependencies, and insecure CI/CD pipelines.
Why it matters: Attacks on the software supply chain, like the SolarWinds incident, have proven to be highly effective and damaging. Organizations depend on a vast network of third-party code, and a single weak link can compromise the entire structure.
Actionable Insights: Security leaders must act. Maintain a Software Bill of Materials (SBOM) for every application so you know exactly what is in your code. Run software composition analysis (SCA) tools continuously, not just at release time. Most importantly, treat the CI/CD pipeline itself as critical infrastructure and secure it accordingly.
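To make the SBOM and SCA advice concrete, here is an added example (not code from the original article or from OWASP) of a pipeline gate that reads a CycloneDX-style SBOM, matches components against an advisory list, and flags components whose integrity cannot be verified. The SBOM, the package names, the hashes and the advisory IDs are all constructed sample data; the advisory format (package purl plus an affected version range) is an assumption chosen for illustration, not the schema of any real vulnerability feed.

```python
"""Added example: gate a build on an SBOM check against an advisory list.

Everything below is constructed sample data: the packages, hashes and
advisory IDs are placeholders, not real projects or real vulnerabilities.
"""
import json
from dataclasses import dataclass

# Constructed SBOM fragment laid out like a CycloneDX JSON document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:pypi/example-http@2.3.1",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"type": "library", "name": "example-yaml", "version": "5.0.0",
         "purl": "pkg:pypi/example-yaml@5.0.0"},          # no hash recorded
        {"type": "library", "name": "example-auth", "version": "1.9.2",
         "purl": "pkg:pypi/example-auth@1.9.2",
         "hashes": [{"alg": "SHA-256", "content": "cd" * 32}]},
    ],
})

# Constructed advisories (assumed format): a purl without version and an
# affected range [introduced, fixed). The IDs are placeholders, not CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:pypi/example-yaml",
     "introduced": (0, 0, 0), "fixed": (5, 1, 0)},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:pypi/example-auth",
     "introduced": (1, 9, 0), "fixed": (1, 9, 2)},
]


@dataclass
class Finding:
    purl: str
    kind: str      # "vulnerable" or "unverified"
    detail: str


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Return (purl without the @version suffix, version string)."""
    base, _, version = purl.partition("@")
    return base, version


def audit_sbom(sbom_json, advisories):
    """Return findings for known-vulnerable or unverifiable components."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        base, version = split_purl(purl)
        if not base or not version:
            findings.append(Finding(purl or comp.get("name", "?"), "unverified",
                                    "component has no purl"))
            continue
        ver = parse_version(version)
        for adv in advisories:
            if adv["purl"] == base and adv["introduced"] <= ver < adv["fixed"]:
                findings.append(Finding(purl, "vulnerable", adv["id"]))
        # Without a recorded hash the artifact cannot be tied to what was reviewed.
        if not comp.get("hashes"):
            findings.append(Finding(purl, "unverified",
                                    "no hash recorded; integrity cannot be checked"))
    return findings


def pipeline_gate(findings, block_on=("vulnerable",)):
    """True if the build may proceed; vulnerable components block by default."""
    return not any(f.kind in block_on for f in findings)


if __name__ == "__main__":
    for f in audit_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f.kind:<11} {f.purl}: {f.detail}")
```

The gate blocks on known-vulnerable components but only reports missing hashes; tightening `block_on` to include `"unverified"` is the natural next step once every producer in the pipeline emits hashes.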
A08:2025 – Mishandling of Exceptional Conditions:
What it is: This category addresses failures in how an application handles errors and other unexpected situations. It covers everything from revealing sensitive information in error messages to improper state management after a fault.
Why it matters: These are not minor bugs. An attacker can intentionally trigger errors to map out an application’s internal workings, cause a denial-of-service, or bypass security controls. Proper error handling is a security function.
Actionable Insights: Institute “fail-safe” as a design principle. All error handling must result in a secure state. Implement robust, generic error messages that reveal no internal details. Your testing and QA must include a focus on edge cases and fault injection to find these weaknesses before an attacker does.
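As an added illustration of the two points above (generic error messages, and fail-safe handling), here is a leaky request handler beside a hardened one, plus an authorization check that denies when its policy lookup faults. This is example code written for this article, not from the OWASP document; the request model, the in-memory account store and the `/srv/app/db/...` path in the error text are constructed stand-ins, not any real framework or deployment.

```python
"""Added example: a leaky error handler beside a fail-safe one.

The handler/response model is a simplified stand-in (an assumption), not
a particular web framework. The data store is an in-memory dict whose
errors mimic the detail a real backend would leak.
"""
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed store; the error strings carry the kind of internal detail
# (paths, addresses) that must never reach a client.
ACCOUNTS = {"alice": {"balance": 120}}


def load_account(user):
    if user == "crash":
        raise RuntimeError("connection reset at 10.0.0.5:5432")
    if user not in ACCOUNTS:
        raise KeyError(f"row for {user!r} missing in /srv/app/db/accounts.sqlite")
    return ACCOUNTS[user]


def leaky_handler(user):
    """Anti-pattern: exception text and stack trace go straight to the client."""
    try:
        return 200, {"balance": load_account(user)["balance"]}
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def safe_handler(user):
    """Client gets a generic message; full detail goes only to the server log,
    with a correlation id so support can match the two."""
    try:
        return 200, {"balance": load_account(user)["balance"]}
    except KeyError:
        # Expected condition: report it without echoing the backend's wording.
        return 404, {"error": "not found"}
    except Exception:
        ref = uuid.uuid4().hex
        log.error("request %s failed", ref, exc_info=True)
        return 500, {"error": "internal error", "ref": ref}


# Fail-safe authorization: any fault in the policy lookup results in a deny.
POLICY = {"alice": {"transfer"}}


def lookup_permissions(user):
    if user == "broken":
        raise RuntimeError("policy backend unavailable")
    return POLICY.get(user, set())


def is_allowed(user, action):
    try:
        return action in lookup_permissions(user)
    except Exception:
        log.error("policy lookup failed for %r; denying", user, exc_info=True)
        return False   # fail closed, never open


if __name__ == "__main__":
    print(leaky_handler("bob"))
    print(safe_handler("bob"))
    print(is_allowed("broken", "transfer"))
```

The fault-injection angle from the text maps directly onto the `"crash"` and `"broken"` inputs: a test suite that feeds those in and asserts on the shape of the response (no paths, no addresses, a deny) catches regressions in error handling the same way it catches functional bugs.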
What’s Unchanged – A05:2025 – Security Misconfiguration:
- The Shift: This category remains a critical issue. Its importance is magnified by the complexity of modern environments. The widespread adoption of cloud services and Infrastructure as Code (IaC) creates more opportunities for misconfiguration at scale.
- Strategic Implications: You need continuous security posture management (CSPM) tools. Your team must have deep cloud security expertise. A misconfigured S3 bucket is no longer a small mistake. It is a critical failure.
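The S3 example above is the kind of check a posture-management tool runs continuously. As an added example (not code from the article, and not a real CSPM product), here is a small scanner that reads an S3 bucket policy document and flags Allow statements granted to an anonymous principal; a public policy and a corrected, role-scoped one are shown side by side. Both policy documents, the bucket name and the account/role ARN are constructed sample values.

```python
"""Added example: flag anonymous-principal statements in an S3 bucket policy.

Both policies are constructed samples. The check reads only the policy
document; it does not evaluate bucket ACLs or account-level Block Public
Access settings, which a full posture check would also cover.
"""
import json

# Weak setting: anyone on the internet may read every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Corrected setting: only a named application role may read objects.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for Principal "*" or any service/AWS entry equal to "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json):
    """Return (Sid, reason) for each Allow statement open to an anonymous principal."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        if stmt.get("Condition"):
            # A Condition may narrow the grant; still surface it for review.
            findings.append((sid, f"anonymous principal for {actions}, narrowed by Condition"))
        else:
            findings.append((sid, f"anonymous principal for {actions}, no Condition"))
    return findings


if __name__ == "__main__":
    print("public:    ", public_statements(PUBLIC_POLICY))
    print("restricted:", public_statements(RESTRICTED_POLICY))
```

Run against IaC templates before deployment as well as against live bucket policies; catching the wildcard principal in the template is cheaper than finding it in an audit.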
The Consolidation of SSRF:
The Change: Server-Side Request Forgery (SSRF) is no longer a standalone category. It has been merged into A01: Broken Access Control.
The Rationale: This decision reflects a more profound understanding of the root cause. SSRF is fundamentally a problem of an application having too much authority to access internal resources.
It is a failure of access control, not a unique flaw. This forces a more direct approach to fixing the underlying trust issue.
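If SSRF is an access-control problem, the fix looks like an access-control decision: every outbound request the application makes on a user's behalf is checked against a policy before it is sent. The following is an added example of such a guard, written for this article and not taken from OWASP or any library. It assumes the application only needs to reach a small set of known hosts (the allowlist entries are constructed), blocks literal IP targets and embedded credentials, and accepts an optional resolver hook so a deployment can also reject hostnames that resolve to internal address space; no network lookups happen in the example itself.

```python
"""Added example: treat outbound fetches as an access-control decision.

Assumption: the application only ever needs to contact a few known hosts,
so an allowlist is the policy. No DNS is performed here; a `resolve`
callable can be supplied by the deployment to check resolved addresses.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}   # constructed allowlist
ALLOWED_SCHEMES = {"https"}


def _is_internal_ip(ip):
    """Address ranges an application should never be steered into."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolve=None):
    """Return (allowed, reason). `resolve` maps a hostname to a list of IP strings."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass          # a hostname, which is what we expect
    else:
        return False, "literal IP targets are not allowed"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    if resolve is not None:
        # Defence against an allowlisted name pointing at internal space.
        for addr in resolve(host):
            if _is_internal_ip(ipaddress.ip_address(addr)):
                return False, "host resolves to internal address"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/v1/orders",
                      "http://api.partner.example/",
                      "https://127.0.0.1/admin",
                      "https://internal.corp.example/"):
        print(candidate, check_outbound_url(candidate))
```

Log every denial with the requesting user and the rejected URL: a burst of "host not in allowlist" entries from one session is a useful detection signal as well as a blocked request.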
Other Notable Shifts:
The movement of other categories is also significant. The continued high ranking of Injection and Cryptographic Failures shows that even with new threats, foundational security practices are still not being applied consistently. These are solved problems that continue to cause breaches.
A Strategic Roadmap for Security Leaders
The OWASP Top 10 is a starting point. It is not a complete security strategy. Use the 2025 list to drive meaningful change.
- “Shift Left” and Secure by Design: The 2025 list proves that security must be integrated from the very beginning of the software development lifecycle. It cannot be an afterthought. Secure by Design is the only viable path forward.
- The Role of Automation: You cannot manually secure a modern application portfolio. Automated security testing tools (SAST, DAST, IAST, SCA) are necessary to identify the risks outlined in the Top 10 at the speed of development.
- Building a Culture of Security: Use the new Top 10 as a training tool. Educate developers on the “why” behind these risks. When your team understands the threat, they become your most important security asset.
Conclusion
The OWASP Top 10 2025 makes three things clear. Software supply chain security is now critical. Error handling is a security control. And foundational vulnerabilities persist.
If you’re building or securing applications, you need specific skills.
The Certified DevSecOps Professional (CDP) course teaches CI/CD security, automated testing integration, and Infrastructure as Code security. You’ll implement SAST, DAST, and SCA tools in real pipelines.
The Certified API Security Professional (CASP) course covers securing REST, GraphQL, and SOAP architectures; preventing BOLA attacks; and automating API security testing.
Review the official OWASP Top 10 2025 release. Then ask, does your team have the skills to address these risks?