OWASP compliance is critical to maintaining secure software in today’s digital landscape. The OWASP Top 10:2025 reflects the latest threat data, introducing two new categories and significant re-rankings based on analysis of over 175,000 CVE records and input from security practitioners worldwide.
The nonprofit group Open Web Application Security Project® (OWASP) seeks to enhance software security. Development teams around the world and across industries turn to the OWASP Foundation for tools, resources, and training to protect their web applications from cyberattacks. Projects with community-driven initiatives are open for anybody to join.
Periodically, OWASP releases a list of the most pressing problems for the development community at large. These issues affect the overall security of projects, and the list illuminates the biggest threats.
The OWASP Top 10:2025 introduces two entirely new categories and consolidates one existing category, reflecting the modern threat landscape. Based on analysis of over 175,000 CVE records, practitioner surveys, security vendor counsel, bug bounties, and community input, OWASP created its 2025 list with #1 being the most frequent and impactful issue. Ranked by severity and frequency, each item represents multiple common weakness enumerations (CWEs)—248 in total across the 10 categories.
The OWASP Top 10 helps teams focus on the most critical and likely problems before moving on to other issues.
All of these potential vulnerabilities pose significant threats to any development team but keep in mind that this is not an exhaustive list of everything that can go wrong during development. While the Top 10 isn’t a comprehensive strategy or the only method for identifying vulnerabilities, it is an excellent way to get started.
The Top 10 is most powerful when it works at both ends of development: teach developers to write secure code from the start and then use it to verify they did so.
With the development of APIs on the rise, OWASP also has a dedicated project focused solely on API security and its top ten concerning vulnerabilities. The OWASP API Security Top 10 was introduced in 2019 and updated in 2023.
Broken Access Control remains #1 for the fourth consecutive assessment cycle. In its findings, OWASP reported that 100% of applications tested (up from 94%) contained this issue, now spanning 40 CWEs (up from 34 in 2021). In 2025, OWASP also absorbed server-side request forgery (SSRF) into this category, recognizing SSRF as a specific manifestation of improper access control.
The biggest CWEs related to this vulnerability are:
This vulnerability lets unauthorized users reach private resources: attackers bypass the access checks that should stand between them and sensitive systems and information.
It remains the most common vulnerability on the OWASP Top 10. Weak authorization and authentication methods allow for this security risk. Broken access control encompasses 40 CWEs (expanded from 34 in 2021), including SSRF scenarios. It accounts for more issues in the OWASP survey than any other category.
Security Misconfiguration climbs to #2 in 2025, up from #5 in 2021, reflecting the explosion of cloud and containerized environments where configuration errors are increasingly common. 100% of the applications tested have some form of this problem.
Security misconfiguration happens when important security settings are missing, incorrect, misconfigured, or left as defaults, such as not resetting default passwords, enabling unnecessary features, or failing to harden cloud storage.
Misconfigured systems, cloud services, and containers contribute to a large proportion of breaches. A notable example is the 2023 FAA NOTAM outage, linked to misconfiguration. Keeping configurations hardened, removing unused features, and regularly auditing infrastructure are critical countermeasures.
Software Supply Chain Failures is a new category in 2025, addressing risks from third-party components, open-source libraries, build pipelines, and distribution mechanisms. It’s a challenge to identify and represents a rapidly growing attack surface with five CWEs, including things like:
These failures occur when software components, build pipelines, or delivery mechanisms are compromised or tampered with. Examples include packages from untrusted sources, insecure build scripts, and absent code signing or integrity verification.
Attackers who compromise a supply chain component can affect thousands of downstream applications simultaneously. Notable examples include the SolarWinds attack. Supply chain attacks often evade CVE-based detection entirely—they are trust failures in processes, not bugs in code.
Prevention guidance:
Cryptographic Failures moves to #4 in 2025, down from #2 in 2021, reflecting growing industry awareness—though it remains a critical risk. The name was updated from “Sensitive Data Exposure” in 2021 to emphasize root causes over symptoms.
A cryptographic failure is any situation where sensitive data is exposed because cryptography is missing, weak, misconfigured, or incorrectly implemented. Cryptographic failures often lead to data breaches. Examples include missing HTTP Strict Transport Security headers, weak algorithms, transmitting data in clear text, or poor key management.
They can cause sensitive data breaches and system compromises. A public example of a cryptographic failure is the 2012 LinkedIn breach, where unsalted SHA-1 password hashes allowed attackers to trivially crack millions of credentials after the database was stolen. Preventing such failures requires proper cryptographic design, secure code, thorough testing, and integrating security into DevSecOps workflows.
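The LinkedIn example above, shown as an added example (not code from the original page): one bare SHA-1 per password makes equal passwords produce equal hashes, which is what lets a stolen table be cracked in bulk, while a salted, iterated scheme such as PBKDF2-HMAC-SHA256 does not. The password value and iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration (not real data).
PASSWORD = "correct horse battery staple"


def unsalted_sha1(password: str) -> str:
    """The weak scheme behind the 2012 LinkedIn breach: one bare SHA-1 per password.
    Equal passwords give equal hashes, so one precomputed table cracks them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The stored record carries everything
    needed to verify later: algorithm tag, iteration count, salt and derived key."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown or legacy record: never accept silently
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two users choosing the same password: identical under unsalted SHA-1,
    # distinct under the salted scheme.
    print(unsalted_sha1(PASSWORD) == unsalted_sha1(PASSWORD))  # True: crackable in bulk
    h1, h2 = hash_password(PASSWORD), hash_password(PASSWORD)
    print(h1 == h2)  # False: the salt differs per record
    print(verify_password(PASSWORD, h1), verify_password("wrong", h1))  # True False
```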
Injection drops to #5 in 2025, down from #3 in 2021—a continued decline from its decade-long reign as the #1 risk, reflecting industry progress in input validation. It remains highly dangerous and widespread.
Injection flaws occur when attackers send crafted data that forces an application to run unintended commands. For example, SQL injection can extract or alter entire databases. This includes cross-site scripting (XSS) and other injection types.
Injection remains one of the most common and preventable vulnerability classes. OWASP testing data shows over 1.4 million observed injection occurrences across applications. Strict input validation, parameterized queries, and the use of safe APIs that separate data from commands can largely prevent these flaws. Common CWEs include CWE-79 (Cross-Site Scripting) and CWE-89 (SQL Injection), with additional injection risks appearing in areas such as command, path, and expression handling.
Insecure Design slides from #4 to #6 in 2025, reflecting gradual adoption of secure design principles—though design-level flaws remain a significant and often underappreciated risk.
Insecure design happens when teams fail to anticipate threats during the architecture phase. Unlike implementation bugs, it reflects broader design flaws, such as missing authorization steps in a workflow or weak password-reset flows.
Insecure design makes applications vulnerable even when implementations seem secure. OWASP recommends integrating threat modeling, secure design patterns, and paved-road libraries early in the SDLC before writing a single line of code.
Authentication Failures remains at #7 in 2025. The name is streamlined from “Identification and Authentication Failures” (2021) to “Authentication Failures,” sharpening the focus on credential and session security.
These failures occur when login credentials, session IDs, or permissions aren’t handled securely—for instance, storing passwords in plain text or hard-coding credentials.
The impact of A07:2025 failures is account takeover and identity impersonation, allowing attackers to bypass all downstream security controls, leading to data breaches, fraud, privilege escalation, and full system compromise. Multi-factor authentication and stronger password policies can mitigate risks.
A08:2025 covers failures where applications trust software updates, code, or data without verifying their integrity, allowing untrusted or tampered artifacts—such as updates, dependencies, CI/CD artifacts, or serialized data—to be treated as legitimate and executed. The change in the name from “and” to “or” reflects that software integrity and data integrity may each be compromised independently.
Examples include insecure software updates, unprotected CI/CD pipelines, and unvalidated auto-updates.
They open the door to attackers inserting malicious code. Notable concerns include insecure deserialization, a common path to denial of service and remote code execution. Notable A08 failures include CCleaner’s signed malware update, malicious open source package takeovers like event-stream, and insecure deserialization exploits, where tampered software or data was trusted and executed without integrity verification.
Security Logging and Alerting Failures remains at #9 in 2025. The name updates from “Monitoring Failures” to “Alerting Failures.” Inadequate logging and alerting prevent timely detection, response, or investigation of security incidents.
These failures occur when systems don’t properly detect, alert on, or respond to threats. As environments grow more complex (microservices, containers, and cloud), integrated alerting is critical, not just passive logging.
Without proper alerting, security incidents go undetected for extended periods, leading to breaches. Regulations like HIPAA and PCI DSS require proper logging. Poor alerting also amplifies other vulnerabilities, like broken access control, by removing the ability to detect and respond quickly. Notable failures include the Target and Equifax breaches, where inadequate logging, monitoring, or alerting allowed attackers to operate undetected for extended periods, dramatically increasing impact.
Mishandling of Exceptional Conditions is a new category in 2025. It highlights a long-overlooked class of risk: applications that fail unsafely when faced with unexpected inputs, resource shortages, timeouts, or internal errors.
Note: Server-Side Request Forgery (SSRF), previously A10:2021, has been absorbed into A01:2025 Broken Access Control.
Poor exception handling can leak sensitive data like stack traces or API keys, bypass access controls through fail-open logic, or trigger denial-of-service. These flaws often evade standard vulnerability scans because they manifest only under stress conditions. The category consolidates 24 CWEs, including CWE-209 (error messages exposing sensitive data), CWE-476 (NULL pointer dereference), and CWE-636 (fail-open logic).
50% of OWASP survey respondents ranked this as their #1 emerging security concern. Applications should define secure failure modes (fail closed, deny access on error) and use consistent error-handling frameworks that log details internally while returning generic messages externally.
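The secure failure modes described above, as an added example (not code from the original page): an authorization check that fails open when its backend errors (the CWE-636 pattern) beside one that fails closed, and a request handler that logs the traceback internally under a reference id while returning a generic message externally (avoiding CWE-209). The policy store, users, actions and `perform` stand-in are assumptions for the demonstration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed policy store (not real data). Unknown users raise, simulating a
# backend failure such as a timeout, instead of returning a decision.
POLICY = {"alice": {"report:read", "report:export"}, "bob": set()}


def load_permissions(user: str) -> set:
    if user not in POLICY:
        raise RuntimeError("policy backend unavailable")
    return POLICY[user]


def is_allowed_fail_open(user: str, action: str) -> bool:
    """CWE-636 pattern: an error in the check is swallowed and access is granted."""
    try:
        return action in load_permissions(user)
    except Exception:
        return True


def is_allowed_fail_closed(user: str, action: str) -> bool:
    """Secure failure mode: any error on the authorization path denies access."""
    try:
        return action in load_permissions(user)
    except Exception:
        log.exception("authz check failed user=%s action=%s", user, action)
        return False


def perform(action: str) -> str:
    """Stand-in for the business logic; unsupported actions raise."""
    if action == "report:read":
        return "report contents"
    raise ValueError(f"no handler for {action!r}")


def handle_request(user: str, action: str) -> dict:
    """Authorize fail-closed, then run the action. Any failure maps to a generic
    response; the traceback goes only to the internal log, keyed by a reference
    id that responders can search for."""
    if not is_allowed_fail_closed(user, action):
        return {"status": 403, "body": "forbidden"}
    try:
        return {"status": 200, "body": perform(action)}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
        return {"status": 500, "body": f"internal error (ref {ref})"}
```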
Key CWEs and prevention:
Parasoft’s comprehensive support for OWASP, including the OWASP Top 10:2025, helps users achieve DevSecOps by enforcing security-oriented development practices from the start of project development.
With the Parasoft solution, you get:
Out-of-the-box policy/test configurations that are fully configurable.
Standards-native reporting based on OWASP or CWE ID numbers.
Guidance on how to fix vulnerabilities with supported documentation and training content.
Unique real-time feedback that gives users a continuous view of compliance with OWASP and remediation support to better identify and eliminate threat vectors.
Execution from within the IDE and via the CI/CD process to help locate vulnerabilities earlier in the SDLC.
Interactive reports and customizable dashboards, which include exploitability, the prevalence in the field, detectability, and the impact of failure with AI-enhanced automation to help users prioritize and minimize manual triage.