OWASP Top 10 2025

The OWASP Top 10 is the most widely used awareness document for the most critical web application security risks. Updated every few years, it is rebuilt from contributed vulnerability data and a community survey, so each edition reflects current attack trends, technological shifts and what is actually being found in real-world applications.

The 2025 edition marks one of the most meaningful updates in recent years. By introducing two new categories and consolidating existing ones, OWASP shifts its focus toward root causes rather than isolated symptoms—making this version more aligned with how today’s threats actually unfold.

What’s New in OWASP Top 10 2025?

The updated list now includes ten refined categories:

  1. Broken Access Control
    When users can see or do things they shouldn’t be able to—often one of the biggest causes of data breaches.
  2. Security Misconfiguration
    Simple setup mistakes in servers, cloud services, or frameworks that leave doors open to attackers.
  3. Software Supply Chain Failures (new)
    Risks from the third-party libraries, build tools, package registries and update channels your software depends on. This category broadens the 2021 entry Vulnerable and Outdated Components to cover the whole build and delivery pipeline, an increasingly popular target for attackers.
  4. Cryptographic Failures
    Problems with how sensitive data is protected, including outdated or incorrectly used encryption.
  5. Injection
    When untrusted input is concatenated into a query, command or template and ends up interpreted as code (SQL, OS commands, LDAP and similar), typically because the input was not validated and a parameterised API was not used.
  6. Insecure Design
    Security gaps built in from the start, often because threat modelling or secure design practices were skipped.
  7. Authentication Failures
    Weak login processes or broken identity checks that allow attackers to impersonate real users.
  8. Software or Data Integrity Failures
    When systems trust the wrong data or update sources, giving attackers a chance to interfere with key components.
  9. Logging & Alerting Failures
    Missing or ineffective logging and alerting, which leaves attacks unnoticed until real damage is done.
  10. Mishandling of Exceptional Conditions (new)
    When applications don’t cope well with unexpected situations—like timeouts, overloads, or strange inputs—creating openings for attackers.
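To make the new Mishandling of Exceptional Conditions category concrete, here is an added example (written for this page, not code from OWASP or from the original article). It shows an authorisation check that "fails open" when its backend times out or the resource is unknown, next to a version that fails closed, catches only the exceptions it expects, and returns a generic error instead of internals. The session store, ACL table and simulated outage are constructed in-memory stand-ins so the script runs offline; the fail-open handler is the bug, and note that its consequence is a Broken Access Control finding.

```python
"""Fail-open vs fail-closed handling of an authorisation backend failure.

Constructed example for illustration: SESSIONS, DOC_OWNERS and the
simulated outage are stand-ins, not real services.
"""
import logging
import uuid

log = logging.getLogger("acl")

# Constructed sample data (not from any real system).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
DOC_OWNERS = {"doc-1": "alice", "doc-2": "bob"}


class AclBackendTimeout(Exception):
    """Raised when the (hypothetical) ACL service does not answer in time."""


def lookup_owner(doc_id, simulate_outage=False):
    """Stand-in for a remote ACL lookup.

    Raises AclBackendTimeout during a simulated outage and KeyError for an
    unknown document: the 'exceptional conditions' A10 is about.
    """
    if simulate_outage:
        raise AclBackendTimeout("ACL service did not respond within 200 ms")
    return DOC_OWNERS[doc_id]


# --- Vulnerable: broad except that fails open -------------------------------

def read_document_vulnerable(token, doc_id, simulate_outage=False):
    """Return (http_status, body). Any exception in the check grants access."""
    user = SESSIONS.get(token)
    try:
        if lookup_owner(doc_id, simulate_outage) != user:
            return 403, "forbidden"
    except Exception as exc:  # too broad: timeouts, unknown ids, plain bugs
        # The "keep the site up" reflex: log it and carry on as if authorised.
        log.warning("acl check failed, allowing request: %s", exc)
    return 200, f"contents of {doc_id}"


# --- Hardened: fail closed, catch only expected errors, generic error body --

def read_document_hardened(token, doc_id, simulate_outage=False):
    """Return (http_status, body). Every failure path denies access."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, "authentication required"
    try:
        owner = lookup_owner(doc_id, simulate_outage)
    except KeyError:
        # Unknown resource: same answer as "not yours" so ids can't be enumerated.
        return 404, "not found"
    except AclBackendTimeout:
        # Dependency failure: deny, log with a correlation id, tell the client
        # to retry. Never fall through to the success path.
        corr = uuid.uuid4().hex[:8]
        log.error("acl backend timeout corr=%s doc=%s user=%s", corr, doc_id, user)
        return 503, f"authorisation temporarily unavailable (ref {corr})"
    if owner != user:
        return 404, "not found"  # same response as unknown id, by design
    return 200, f"contents of {doc_id}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for outage in (False, True):
        print("outage" if outage else "normal",
              "vulnerable:", read_document_vulnerable("tok-bob", "doc-1", outage),
              "hardened:", read_document_hardened("tok-bob", "doc-1", outage))
```

Running it shows bob correctly denied doc-1 in normal operation by both handlers, but granted it by the vulnerable handler as soon as the ACL backend times out; the hardened handler answers 503 and logs a correlation id rather than the exception text. The same fail-closed shape applies to any check that sits in the request path: rate limiters, signature verification, feature flags.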

Practical Guide for Developers, CISOs, and Compliance Teams

The OWASP Top 10 is a practical guide for developers, CISOs, and compliance teams to prioritise risks and strengthen defences. With the addition of supply chain security and error handling, the 2025 update highlights the evolving threat landscape and the need for proactive resilience.

We’re designing a series of content and resources to help organisations understand and address each of these risks, to be rolled out in the new financial year. The goal of these resources is to give business leaders and their teams actionable insights and training to stay ahead of evolving risks.

To stay on top of the latest security trends, visit our resources page.

Frequently Asked Questions About OWASP Top 10 2025

What is OWASP?

OWASP (Open Worldwide Application Security Project, formerly the Open Web Application Security Project) is a global non-profit organisation dedicated to improving software security. It provides best practices, tools, and resources to help organisations identify and mitigate application security risks.