
OWASP Top 10:2025: The Latest List of Web Application Vulnerabilities Explained

By Parasoft November 1, 2023 8 min read

The Open Web Application Security Project (OWASP) publishes free, community-maintained guidance, tooling, and training on application security. Read on for answers to the most common questions about the OWASP Top 10 and its 2025 update.

Key Takeaways

Released: The OWASP Top 10:2025 was published as a release candidate in November 2025 at the OWASP Global AppSec Conference in Washington, D.C. The final version was released in January 2026.

Previous edition: OWASP Top 10:2021

What’s new: Two new categories (Software Supply Chain Failures and Mishandling of Exceptional Conditions), four significant re-rankings, three renames, and SSRF absorbed into Broken Access Control.

Data behind the list: 175,000+ CVEs analyzed, 248 CWEs mapped across the 10 categories, and practitioner surveys across thousands of organizations.

In November 2025, the OWASP Foundation published the OWASP Top 10:2025 release candidate at the Global AppSec Conference in Washington, D.C., the first update to the list since 2021. The update reflects four years of evolving threat data, practitioner input, and industry change.

For the development and security teams responsible for keeping applications secure, the 2025 list isn’t just a refresh. It signals meaningful shifts in where attacks are landing and where defenses need to go.

This guide covers what changed in the 2025 list, why those changes matter, and what development and security teams should do about it. Whether you’re a developer writing code, a security engineer setting policy, or an engineering leader allocating resources, understanding the 2025 update is essential groundwork for a modern application security program—and the foundation for any OWASP compliance program.

What Is the OWASP Top 10?

The OWASP Top 10 is a widely recognized awareness document published by the Open Web Application Security Project (OWASP). It identifies the ten most critical security risks to web applications.

Based on real-world data and consensus from security experts worldwide, the list is the most widely used reference for developers, security teams, and organizations to understand, prioritize, and address the most common and dangerous application vulnerabilities.

Updated roughly every two to four years—with the latest being the 2025 edition—the list focuses on risks like broken access control, cryptographic failures, and software supply chain issues, helping teams shift from reactive patching to proactive, risk-driven security practices.

How OWASP Built the 2025 List

The 2025 list was built on a larger and more rigorous dataset than any previous edition. OWASP analyzed over 175,000 CVE records, conducted practitioner surveys across thousands of organizations, and incorporated input from security vendors, bug bounty programs, and community contributors.

Each of the 10 categories now maps to specific CWEs—248 in total—providing more precise guidance for detection and remediation than prior versions.

The ranking reflects the following:

  • Prevalence. How commonly a vulnerability appears.
  • Severity. The potential impact when exploited.

Two 2021 categories no longer appear as their own entries: Vulnerable and Outdated Components, whose concerns now fall under the broader Software Supply Chain Failures, and Server-Side Request Forgery, which was merged into Broken Access Control. Two entirely new categories were added.

What Changed: 2021 → 2025 at a Glance

The table below shows the full mapping between the 2021 and 2025 lists. Two categories are new in 2025 (marked ★), and one 2021 category, SSRF, was absorbed into A01.

OWASP Top 10:2021 to 2025: At-a-Glance Comparison

Rank   OWASP Top 10:2021                         OWASP Top 10:2025                         Change
#1     Broken Access Control                     Broken Access Control                     No change
#2     Cryptographic Failures                    Security Misconfiguration                 ↑ from #5
#3     Injection                                 Software Supply Chain Failures            ★ NEW
#4     Insecure Design                           Cryptographic Failures                    ↓ from #2
#5     Security Misconfiguration                 Injection                                 ↓ from #3
#6     Vulnerable & Outdated Components          Insecure Design                           ↓ from #4
#7     Identification & Auth Failures            Authentication Failures                   Renamed
#8     Software & Data Integrity Failures        Software or Data Integrity Failures       Minor rename
#9     Security Logging & Monitoring Failures    Security Logging & Alerting Failures      Renamed
#10    Server-Side Request Forgery (SSRF)        Mishandling of Exceptional Conditions     ★ NEW / SSRF → A01

★ Two brand-new categories in 2025. SSRF (A10:2021) has been absorbed into A01:2025 Broken Access Control.

Where Did "Sensitive Data Exposure" Go?

Sensitive Data Exposure was the name used in the OWASP Top 10:2017 list. In the 2021 update, OWASP renamed it to Cryptographic Failures to better identify the root cause—weak or absent cryptography—rather than the symptom.

In the 2025 list, Cryptographic Failures remains a top-tier risk at #4 (down from #2 in 2021, reflecting improved TLS adoption and stronger default cipher suites across the industry). See the A04:2025 — Cryptographic Failures section below for the current scope, CWE mappings, and remediation guidance.

The Two New Categories Explained

The most significant additions to the 2025 list are the two brand-new categories. They don’t represent newly discovered vulnerability classes — they represent attack surfaces that the security community agreed had grown too important to remain embedded in broader categories.

A03:2025 Software Supply Chain Failures

Why New?

The SolarWinds build-system compromise, the scramble to find and patch Log4Shell across transitive dependencies, and a surge in dependency confusion attacks demonstrated that compromising or exploiting the supply chain is often easier than attacking the application directly.

Software Supply Chain Failures addresses risks that arise when the components, libraries, build tools, and distribution mechanisms that modern applications depend on are themselves compromised or untrustworthy. Unlike traditional vulnerability categories that focus on flaws in code you write, this category focuses on the integrity of everything that flows into your build.

The category maps to 5 CWEs and encompasses scenarios including: packages sourced from untrusted or typosquatted registries, build pipelines without integrity verification, unsigned or unverified artifacts, and dependency confusion attacks where internal package names are hijacked by public registry entries.

What Teams Should Do

Implement software bill of materials (SBOM) generation for all builds. Enforce artifact signing and verification. Use dependency pinning and monitor registries for typosquatting. Audit CI/CD pipeline permissions and restrict what can trigger builds or deployments.
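A concrete version of the dependency checks above, as an added example that is not from this page or from Parasoft's tooling: it audits a pip requirements file for unpinned versions, missing hash locks, names one edit away from a popular package, and internal-prefixed packages resolved from a public index. The requirements text, the placeholder digests, the `acme-internal-` prefix, the `pypi.acme.example` index host, and the popular-package list are all constructed for the example.

```python
import difflib
import re

# Constructed sample requirements file. The digests are placeholders, not real hashes.
FAKE_HASH = "sha256:" + "0" * 64
SAMPLE_REQUIREMENTS = f"""\
# pinned and hash-locked: what a good line looks like
requests==2.32.3 --hash={FAKE_HASH}
# one character away from a popular package, and not hash-locked
requsts==2.31.0
# hypothetical internal library with a floating version
acme-internal-auth>=1.0
pyyaml==6.0.2 --hash={FAKE_HASH}
"""

POPULAR_PACKAGES = sorted({"requests", "pyyaml", "urllib3", "cryptography", "numpy"})
INTERNAL_PREFIX = "acme-internal-"              # hypothetical naming convention for private packages
PRIVATE_INDEX_HOSTS = ("pypi.acme.example",)    # hypothetical private package index

LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<spec>[^\s]*)\s*(?P<opts>.*)$")


def parse_requirements(text):
    """Return (name, version_spec, has_hash) per requirement; blanks and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("name").lower(), m.group("spec"), "--hash=" in m.group("opts")))
    return entries


def audit_requirements(text, index_url="https://pypi.org/simple"):
    """Return (package, finding) pairs for every supply-chain weakness in the file."""
    findings = []
    public_index = not any(host in index_url for host in PRIVATE_INDEX_HOSTS)
    for name, spec, has_hash in parse_requirements(text):
        if not spec.startswith("=="):
            findings.append((name, "not pinned to an exact version"))
        if not has_hash:
            findings.append((name, "no --hash; the downloaded artifact is never verified"))
        # Dependency confusion: an internal-only name resolved against a public index can be
        # hijacked by whoever registers that name on the public registry first.
        if name.startswith(INTERNAL_PREFIX) and public_index:
            findings.append((name, "internal package resolved from a public index (dependency confusion)"))
        # Typosquatting: the name is very close to a popular package but is not that package.
        if name not in POPULAR_PACKAGES:
            close = difflib.get_close_matches(name, POPULAR_PACKAGES, n=1, cutoff=0.85)
            if close:
                findings.append((name, f"looks like a typosquat of {close[0]}"))
    return findings


if __name__ == "__main__":
    for package, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{package}: {finding}")
```

Run it as a CI gate against the lockfile your build actually installs from, and pass the index URL the build uses; the dependency-confusion check only makes sense when it sees the same resolution source as the pipeline.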

A10:2025 Mishandling of Exceptional Conditions

Why New?

50% of OWASP survey respondents ranked this as their #1 emerging security concern — yet it rarely appears in CVE databases because it manifests under stress, not standard operation.

Mishandling of Exceptional Conditions captures a long-underappreciated class of vulnerability: what happens when your application encounters something it didn’t expect. Resource exhaustion, malformed inputs, timeout conditions, downstream service failures — applications that handle these scenarios unsafely can leak sensitive data through verbose error messages, bypass access controls through fail-open logic, or become vectors for denial-of-service.

The category consolidates 24 CWEs including CWE-209 (generation of error messages containing sensitive information), CWE-476 (NULL pointer dereference), and CWE-636 (not failing securely). These flaws are often invisible to standard SAST and DAST scans because they only surface under conditions that aren’t part of normal test runs.

What Teams Should Do

Define explicit failure modes for every system boundary. Implement a centralized exception-handling framework that logs detailed error context internally while returning only generic messages externally. Test under stress and fault-injection conditions, not just happy-path scenarios. Apply the principle of fail-closed: when in doubt, deny access.
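An added example, not from this page or from Parasoft, of the two failure modes described above with their fixes: a fail-open authorization check (CWE-636) next to a fail-closed one, and a verbose error renderer (CWE-209) next to one that logs the detail internally and returns only a correlation id. `PolicyStore`, `BackendTimeout`, and the `db01.internal` hostname are constructed stand-ins for a real authorization backend.

```python
import logging
import uuid

logger = logging.getLogger("app.authz")  # internal sink: full detail goes here, never to the client


class BackendTimeout(Exception):
    """Raised by the (constructed) policy store when it cannot answer in time."""


class PolicyStore:
    """Stand-in for an authorization backend; healthy=False simulates an outage."""

    def __init__(self, grants, healthy=True):
        self.grants = set(grants)   # {(user, action), ...}
        self.healthy = healthy

    def lookup(self, user, action):
        if not self.healthy:
            raise BackendTimeout(f"policy lookup for {user}/{action} timed out after 2s (db01.internal)")
        return (user, action) in self.grants


def is_allowed_fail_open(store, user, action):
    """Vulnerable (CWE-636): an outage of the policy backend silently becomes a grant."""
    try:
        return store.lookup(user, action)
    except Exception:
        return True   # "don't break the app when authz is down"


def is_allowed_fail_closed(store, user, action):
    """Hardened: anything other than an explicit 'yes' is a 'no', and the failure is logged."""
    try:
        return store.lookup(user, action) is True
    except Exception:
        logger.exception("authz lookup failed; denying %s on %s", user, action)
        return False


def render_error_verbose(exc):
    """Vulnerable (CWE-209): internal hostnames, timeouts and exception detail reach the client."""
    return f"500 Internal Server Error: {exc!r}"


def render_error_generic(exc):
    """Hardened: full detail to the internal log, only a correlation id to the client."""
    ref = uuid.uuid4().hex
    logger.error("incident %s: %r", ref, exc, exc_info=exc)
    return f"500 Internal Server Error (ref {ref})"


def handle_request(store, user, action):
    """Request boundary: fail-closed decision plus generic error rendering for anything unexpected."""
    try:
        if not is_allowed_fail_closed(store, user, action):
            return 403, "Forbidden"
        return 200, f"{action} ok"
    except Exception as exc:
        return 500, render_error_generic(exc)


if __name__ == "__main__":
    outage = PolicyStore({("alice", "read")}, healthy=False)
    print("fail-open grants during outage:  ", is_allowed_fail_open(outage, "mallory", "delete"))
    print("fail-closed denies during outage:", is_allowed_fail_closed(outage, "mallory", "delete"))
```

The `healthy=False` store is the fault-injection case the text calls for: a test suite that only exercises a healthy backend will never notice that `is_allowed_fail_open` grants everything during an outage.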

The Significant Re-Rankings

Beyond the two new categories, four existing categories shifted substantially in rank. These movements reflect real changes in the threat landscape — where the data shows attackers are succeeding.

A02:2025 Security Misconfiguration ↑ #5 → #2

Security Misconfiguration jumps three places to #2, the largest upward movement in the 2025 list. The rise reflects the dramatic expansion of cloud infrastructure, containerized workloads, and microservices architecture — each of which introduces new configuration surfaces that teams often fail to harden.

Why It Matters

Cloud misconfigurations remain one of the leading causes of enterprise data breaches. As infrastructure-as-code and auto-provisioning become standard, misconfiguration errors can propagate silently across hundreds of resources.

Spans 20 CWEs. Common examples: default credentials left unchanged, unnecessary features enabled, missing security headers, overly permissive cloud storage policies, verbose error messages in production.
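As an added example that is not from this page or from Parasoft: a checker for the "overly permissive cloud storage policies" case, run over a constructed bucket policy in IAM JSON syntax. The bucket name and account ID are placeholders. The weak policy sits beside a hardened version with the same intent so the checker can be seen passing as well as failing.

```python
import json

# Constructed sample bucket policy (placeholder account and bucket), with two common mistakes:
# an anonymous read grant and a wildcard action for the operations role.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-reports/*"},
        {"Sid": "Ops", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::acme-reports/*"},
    ],
})

# Same intent, fixed: a named role instead of "everyone", and only the actions ops needs.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Reporting", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-reports/*"},
        {"Sid": "Ops", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::acme-reports", "arn:aws:s3:::acme-reports/*"]},
    ],
})


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the forms that mean 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def audit_bucket_policy(policy_json):
    """Return (sid, finding) pairs for Allow statements that are too permissive."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if _is_anonymous(stmt.get("Principal")):
            note = " (narrowed by a Condition; review it by hand)" if "Condition" in stmt else ""
            findings.append((sid, "anonymous principal is allowed " + ", ".join(actions) + note))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append((sid, "wildcard action: grants delete and policy changes, not just data access"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit_bucket_policy(WEAK_POLICY):
        print(f"{sid}: {finding}")
    print("hardened policy findings:", audit_bucket_policy(HARDENED_POLICY))
```

The same shape of check belongs in the infrastructure-as-code pipeline: because templates are applied to many resources at once, one permissive statement becomes many permissive buckets.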

A03:2025 Software Supply Chain Failures

See the dedicated section above.

A05:2025 Injection ↓ #3 → #5

Injection drops two places — continuing a multi-edition decline from its decade-long position at #1. This reflects genuine industry progress: parameterized queries are now standard, modern frameworks sanitize inputs by default, and developer awareness of SQL injection is near-universal. The category remains highly dangerous and still maps to 274,000 detected flaws in OWASP’s dataset.

Why It Matters

Don’t let the rank drop create complacency. Injection remains one of the most exploited vulnerability classes in active attacks. The drop reflects better prevention upstream, not lower attacker interest.

Spans 33 CWEs. Key examples: SQL injection (CWE-89), Cross-Site Scripting (CWE-79), OS command injection (CWE-78).
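An added example, not from this page or from Parasoft, of SQL injection (CWE-89) beside its parameterized fix, against an in-memory SQLite table with constructed rows and placeholder password hashes. The same payload bypasses the login in the concatenated version and is treated as a literal string in the parameterized one.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed rows; the hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """CWE-89: untrusted input is spliced into the SQL text, so it can rewrite the query."""
    query = ("SELECT username FROM users "
             f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password_hash):
    """Hardened: the query shape is fixed; values travel as bound parameters, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


# Classic bypass: closes the string literal, adds a tautology, comments out the password check.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", login_vulnerable(db, PAYLOAD, "anything"))      # a real user
    print("parameterized:", login_parameterized(db, PAYLOAD, "anything"))   # None
```

Parameterization fixes the query boundary; it does not fix an attacker-controlled table or column name, which needs an allow-list, and it does nothing for the other injection classes in this category (XSS needs context-aware output encoding, command injection needs argument arrays instead of shell strings).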

A04:2025 Cryptographic Failures ↓ #2 → #4

Cryptographic Failures drops from #2 to #4, reflecting improved industry adoption of TLS by default, stronger cipher suite standards, and broader awareness of the category (which was renamed from "Sensitive Data Exposure" in 2021 to better identify root causes). It remains a critical risk—the drop signals progress, not resolution.

Why It Matters

Weak or absent cryptography continues to underpin some of the largest data breaches on record. The category encompasses not just encryption algorithm choices, but key management practices, certificate handling, and data-in-transit protection.

Spans 29 CWEs. Key examples: weak algorithm selection, hardcoded keys, missing HSTS, transmission of sensitive data in clear text.
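An added example, not from this page or from Parasoft, of the "weak algorithm selection" and "hardcoded keys" items above: a fast unsalted digest next to a salted, memory-hard KDF with constant-time verification, and a key loader that refuses to start without a secret from the environment. `APP_SIGNING_KEY` is a hypothetical variable name and the `env` parameter exists only so the behaviour can be tested offline.

```python
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # work factor; raise N as hardware gets faster


def hash_password_weak(password):
    """Weak algorithm selection: a fast, unsalted digest. Equal passwords collide and
    precomputed tables apply, so a leaked table is cracked in bulk."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Hardened: per-password random salt and a memory-hard KDF; returns 'scrypt$<salt>$<key>'."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, key_hex = stored.split("$")
        salt, key = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False   # unknown or legacy scheme: force a reset rather than accept it
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, key)


def load_secret(name="APP_SIGNING_KEY", env=os.environ):
    """Hardcoded keys: the fix is that the key is not in the source at all.
    `name` is a hypothetical variable; `env` is injectable for testing."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not configured; refusing to start with a default key")
    return value.encode()


if __name__ == "__main__":
    print("weak, same for everyone:", hash_password_weak("hunter2"))
    print("salted, differs per call:", hash_password("hunter2"))
```

The `scheme` prefix in the stored string is what lets you rotate the KDF later: records still on an old scheme are identified on login and re-hashed, instead of being silently accepted forever.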

The Renamed Categories: Why Naming Matters

Three categories received name changes in 2025. These aren’t cosmetic—each rename sharpens the definition of the problem and, importantly, affects how tools map rules to categories.

A07: Identification and Authentication Failures → Authentication Failures

The shorter name drops "Identification" to focus squarely on authentication mechanisms—credential handling, session management, and multi-factor authentication gaps. This aligns the category more precisely with the CWEs it maps to.

A08: Software and Data Integrity Failures → Software or Data Integrity Failures

A single word change—"and" to "or"—but a meaningful one. It clarifies that software integrity and data integrity are independent concerns: a failure in either is sufficient to trigger this category. This matters for tools and compliance frameworks that use the category name to scope coverage.

A09: Security Logging and Monitoring Failures → Security Logging and Alerting Failures

"Alerting" replaces "Monitoring" to emphasize that passive logging without active alerting and incident response is insufficient. You can log everything and still miss an attack if nothing fires an alert when anomalies occur and no one is tasked with responding when it does.
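An added example, not from this page or from Parasoft, of the alerting half that passive logging lacks: a sliding-window rule run over constructed auth log lines (the line format, usernames and addresses are made up for the example). Five failures from one address inside a minute raise an alert; a later success from that same address raises a second, higher-priority one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not captured from a real system). One source address
# fails five times within ten seconds and then succeeds; a second address fails twice.
SAMPLE_LOG = """\
2025-11-06T10:00:01Z auth login_failed user=alice ip=203.0.113.7
2025-11-06T10:00:02Z auth login_failed user=alice ip=203.0.113.7
2025-11-06T10:00:02Z auth login_failed user=admin ip=198.51.100.9
2025-11-06T10:00:04Z auth login_failed user=bob ip=203.0.113.7
2025-11-06T10:00:05Z auth login_failed user=carol ip=203.0.113.7
2025-11-06T10:00:07Z auth login_failed user=root ip=198.51.100.9
2025-11-06T10:00:09Z auth login_failed user=dave ip=203.0.113.7
2025-11-06T10:00:15Z auth login_ok user=dave ip=203.0.113.7
2025-11-06T10:20:00Z auth login_failed user=erin ip=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, event, user, ip), or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("event"), m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: at least `threshold` failures from one IP inside `window` raises
    'bruteforce'; a later success from an IP that already tripped it raises
    'success_after_bruteforce', which is the one that should page somebody."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tripped = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, ip = parsed
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if event == "login_failed":
            q.append(ts)
            if len(q) >= threshold and ip not in tripped:
                tripped.add(ip)
                alerts.append({"rule": "bruteforce", "ip": ip, "ts": ts, "user": None})
        elif event == "login_ok" and ip in tripped:
            alerts.append({"rule": "success_after_bruteforce", "ip": ip, "ts": ts, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The log lines alone contain everything needed to see this attack; without the rule and a route from its output to a human, they are just storage.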

What Didn’t Change & Why That Matters

Broken Access Control remains at #1 for the second consecutive edition, having risen from #5 in 2017, cementing its status as the most pervasive application security failure. The 2025 update expands its CWE coverage from 34 to 40 and notably absorbs Server-Side Request Forgery (SSRF), previously its own category. OWASP recognized SSRF as a specific manifestation of improper access control (the server is tricked into reaching resources the requester is not authorized to touch) rather than a distinct class, reflecting how the two are often exploited together in cloud environments.

The persistence of Broken Access Control at #1 is a signal: this is not a problem the industry is solving. Authorization logic remains one of the hardest things to get right at scale, and one of the most rewarding targets for attackers.
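An added example, not from this page or from Parasoft: server-side validation of a user-supplied URL before the server fetches it, which is the check that turns SSRF back into an access-control decision. `api.partner.example` is a hypothetical allow-listed host; the resolver is injected so the example runs offline, and the addresses the fake resolvers return are stand-ins, not the partner's real ones.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list of hosts this service is permitted to call out to.
ALLOWED_HOSTS = {"api.partner.example"}


def resolve_all(host):
    """Every A/AAAA answer for host via the system resolver (not used by the offline tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """False for loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata), reserved, etc."""
    return ipaddress.ip_address(addr.split("%")[0]).is_global   # strip any IPv6 zone index


def validate_fetch_url(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "only https is allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "unexpected port"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} is not on the allow-list"
    # Check every address the name resolves to: an allow-listed name that an attacker controls
    # or rebinds can still point at loopback, RFC 1918 space or the cloud metadata endpoint.
    for addr in resolver(host):
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/v1/report",
                      "http://api.partner.example/",
                      "https://169.254.169.254/latest/meta-data/"):
        print(candidate, "->", validate_fetch_url(candidate, resolver=lambda h: {"8.8.8.8"}))
```

Two caveats a real deployment adds: the HTTP client must not follow redirects on its own (a redirect re-opens every check above), and the address you validated must be the one you connect to, which means pinning the resolved address rather than letting the client resolve the name a second time.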

What the 2025 Update Means for Your Security Program

The 2025 list isn’t just a reference document—it’s a prioritization framework. Here’s how different roles should interpret the update:

For Developers

The emergence of Software Supply Chain Failures as a top-3 category means that secure coding now extends beyond the code you write. The provenance, integrity, and trust of your dependencies are now explicitly in scope. Review your dependency management practices, understand what your CI/CD pipeline trusts implicitly, and start treating build artifact integrity with the same rigor as input validation.

For Security Engineers

Two categories that previously sat in gray areas—supply chain integrity and exception handling—now have clear OWASP definitions, CWE mappings, and community documentation. This gives you the language and framework to formalize coverage requirements, update rule configurations in static analysis tools, and build testing criteria that weren’t previously standardized.

For Engineering Managers and Leaders

The upward movement of Security Misconfiguration to #2 is a resource allocation signal. If your organization runs significant cloud infrastructure and you haven’t invested proportionally in configuration management, policy-as-code, and infrastructure security posture tooling, the 2025 data suggests that’s where your risk is concentrating. Similarly, the new Mishandling of Exceptional Conditions category points to the need for fault-injection and chaos engineering practices in your test strategy—not just functional and security testing under normal conditions.

How Parasoft Supports OWASP Top 10:2025 Compliance

Parasoft’s static analysis tools—C/C++test, Jtest, and dotTEST—are updated to reflect the OWASP Top 10:2025 categorization. Each product ships with preconfigured compliance packs that map analysis rules directly to the 2025 categories, including the two new ones.

Updated Rule Coverage for 2025

The 2025 release introduces two new categories and re-ranks or renames most of the eight that carry over from 2021. Parasoft’s compliance packs reflect these changes automatically: rules that previously mapped to A10:2021 (SSRF) now map to A01:2025 (Broken Access Control), and new checker sets cover the Software Supply Chain Failures and Mishandling of Exceptional Conditions categories specifically.

AI-Powered Triage and Auto-Fix

Adapting to a new list version can surface a large initial volume of findings. Parasoft’s AI-powered triage helps teams prioritize which violations to address first based on exploitability, severity, and code context. For supported rule types, automated fix suggestions reduce the manual burden of remediation—allowing developers to review and accept fixes without leaving their IDE.

Cross-Project Compliance Visibility

For organizations running multiple codebases or languages, Parasoft’s Development Testing Platform (DTP) provides a centralized view of OWASP compliance across all projects. Teams can track coverage against the 2025 list, identify which categories are most exposed across the portfolio, and generate compliance reports tied directly to OWASP category IDs and CWE mappings.

Shift-Left Integration

Parasoft integrates into IDE environments and CI/CD pipelines, enabling real-time feedback as code is written. Developers see OWASP category violations—including which 2025 category applies—inline, before code is committed. This approach catches issues at the point where they are least expensive to fix and reduces the compliance burden on security review stages downstream.

Getting Started With the 2025 Update

If your organization has existing OWASP Top 10:2021 compliance processes in place, the transition to 2025 is manageable—but it requires deliberate action, not just a version number update in your documentation. For teams starting from scratch, our guide to getting started with OWASP compliance covers the foundational practices before the 2025-specific updates below.

Start With the Two New Categories

A03 (Software Supply Chain Failures) and A10 (Mishandling of Exceptional Conditions) have no one-to-one 2021 predecessor: A03 broadens what Vulnerable and Outdated Components covered, and A10 is entirely new. Assess your current coverage for each: do your static analysis configurations include rules for supply chain integrity? Do your test suites include fault-injection scenarios?

Update Tool Configurations

If you use static application security testing (SAST) tools, confirm their rule-to-category mappings have been updated for 2025. Rules that mapped to A10:2021 (SSRF) should now map to A01:2025, and new rules for supply chain integrity and exception handling should be enabled.

Revisit Training Materials

Developer security training tied to the OWASP Top 10 needs updating. The ranking changes are significant enough that priority order in training content matters—developers should understand that Supply Chain Failures is now a top-3 concern, not a secondary one.

Don’t Deprioritize the Stable Categories

Broken Access Control at #1 for two consecutive editions is not background noise; it is a persistent failure mode. The consistency of its position should inform where design reviews, threat modeling, and testing efforts are concentrated.