InfoSecBulletin Cybersecurity for mankind
OWASP has released an updated Top 10 list of key web application risks, adding two new categories and rearranging the order. This 2025 release candidate, which is a near-final draft of the flagship OWASP Top 10 list, is open for comment until November 20.
Broken Access Control remains the top issue on the 2025 OWASP Top 10 list, having risen to that position in 2021. This category now includes server-side request forgery (SSRF), which was previously listed as a separate issue at number ten.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Security Misconfiguration has risen to second place from fifth in the 2021 OWASP Top 10. It is now followed by Software Supply Chain Failures, which expands on Vulnerable and Outdated Components that were previously sixth.
The expanded category includes “a broader scope of compromises occurring within or across the entire ecosystem of software dependencies, build systems, and distribution infrastructure,” OWASP notes, pointing out that it emerged as a top concern in the community survey.
The categories of Cryptographic Failures, Injection (including XSS and SQL Injection), and Insecure Design have each dropped two spots, now ranking fourth, fifth, and sixth.
Authentication Failures, Software or Data Integrity Failures, and Logging & Alerting Failures kept their seventh, eighth, and ninth positions from the 2021 OWASP Top 10.
The Mishandling of Exceptional Conditions category is now in tenth place. It covers issues like failing open, poor error handling, logical errors, and other abnormal scenarios that systems may face.
OWASP updated some categories in this list compared to 2021, mainly because of a different approach.
“In this iteration, we asked for data, with no restriction on CWEs like we did for the 2021 edition. We asked for the number of applications tested for a given year (starting in 2021), and the number of applications with at least one instance of a CWE found in testing. This format allows us to track how prevalent each CWE is within the population of applications,” OWASP explains.
The organization targeted the root cause and overlooked how often CWEs appeared in the application, analyzing 589 CWEs instead of 30 in 2017 and nearly 400 in 2021.
“We plan to do additional data analysis as a supplement in the future. This significant increase in the number of CWEs necessitates changes to how the categories are structured,” OWASP notes.
The team analyzed CVE data for exploitability and impact, calculating average scores by grouping CVEs with CVSS scores. They also examined the percentage of applications with CVSSv3 and CVSSv2 scores.
Only eight categories were chosen from the incomplete data due to automated testing limitations. The other two come from a Top 10 community survey where practitioners vote on the highest risks.
