惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Scott Helme
Scott Helme
N
Netflix TechBlog - Medium
AI
AI
Security Latest
Security Latest
GbyAI
GbyAI
P
Proofpoint News Feed
Y
Y Combinator Blog
A
Arctic Wolf
G
Google Developers Blog
U
Unit 42
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
Cisco Talos Blog
Cisco Talos Blog
T
Tor Project blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
T
Threatpost
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
C
Check Point Blog
B
Blog RSS Feed
The GitHub Blog
The GitHub Blog
Microsoft Azure Blog
Microsoft Azure Blog
博客园 - 【当耐特】
博客园 - Franky
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
Cisco Blogs
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Microsoft Security Blog
Microsoft Security Blog
T
The Blog of Author Tim Ferriss
阮一峰的网络日志
阮一峰的网络日志
Latest news
Latest news
L
LINUX DO - 最新话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
美团技术团队
WordPress大学
WordPress大学
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
Simon Willison's Weblog
Simon Willison's Weblog
V
V2EX
Project Zero
Project Zero
博客园_首页

Aikido Security's Blog

Axios CVE-2026-40175: a critical bug that’s… not exploitable GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know
2025-11-06 · via Aikido Security's Blog

The OWASP Top 10 2025 has officially arrived, bringing two big updates. It reflects how software security has shifted toward complex, interconnected risks like supply chain integrity and error handling. For developers and security teams, understanding these changes is essential to keeping applications resilient.

OWASP emphasizes that the Top 10 is an awareness document, not a full standard. It’s designed to highlight the most critical risks, not to serve as a complete security framework. For organizations looking to go further, OWASP recommends using maturity and verification models such as SAMM (Software Assurance Maturity Model), DSOMM (DevSecOps Maturity Model), and ASVS (Application Security Verification Standard).

For more on what the OWASP Top 10 is all about, check out this article.

What’s Changed in the OWASP Top 10 for 2025

The 2025 edition introduces two new categories and one consolidation.

  • A03: Software Supply Chain Failures expands on the 2021 category “Vulnerable and Outdated Components,” covering the full software ecosystem including dependencies, build systems, and distribution infrastructure.
  • A10: Mishandling of Exceptional Conditions is completely new, highlighting the importance of secure error handling and resilience.
  • What was A10:2021: Server-Side Request Forgery (SSRF) has been consolidated into A01:2025 - Broken Access Control

  • Meanwhile, A01: Broken Access Control and A02: Security Misconfiguration retain their top positions, showing that foundational security practices remain critical.

In short, OWASP 2025 shifts focus from isolated code flaws to systemic weaknesses that span the entire development lifecycle.

Below is the full list of categories in the OWASP Top 10 2025, along with a short summary of each.

Rank Category Summary
A01:2025 Broken Access Control Still the leading risk, covering flaws that allow attackers to bypass authorization or gain unauthorized access.
A02:2025 Security Misconfiguration Covers weak default settings, exposed services, and inconsistent security controls across environments.
A03:2025 Software Supply Chain Failures Expanded to include vulnerabilities in dependencies, CI/CD systems, and distribution infrastructure.
A04:2025 Cryptographic Failures Insecure or outdated encryption practices that expose sensitive data.
A05:2025 Injection Classic input-validation flaws such as SQL, OS, and template injection that remain common across stacks.
A06:2025 Insecure Design Risks introduced by poor architectural decisions or lack of threat modeling.
A07:2025 Authentication Failures Issues in login flows, weak password policies, or session handling that lead to unauthorized access.
A08:2025 Software or Data Integrity Failures Flaws where code or data can be modified or tampered with, often in update mechanisms or pipelines.
A09:2025 Logging & Alerting Failures Gaps in monitoring or alerting that allow attacks to go undetected.
A10:2025 Mishandling of Exceptional Conditions New for 2025, focused on unsafe error handling and system resilience when failures occur.

A03:2025 – Software Supply Chain Failures

The OWASP Top 10 2025 highlights Software Supply Chain Failures as one of the most urgent risks in modern software security. OWASP now explicitly calls out malware in software ecosystems, including malicious packages, compromised maintainers, and tampered build processes, as leading threats to application security.

These attacks rarely start in production. They begin on the developer workstation. By compromising dependencies or injecting malware into widely used packages, attackers can gain access to environments that are inherently trusted. Once inside, a single malicious dependency can move through CI systems, containers, and cloud environments in hours, often without triggering traditional scanners.

Aikido Security has seen this shift up close. Throughout 2025, we identified and analyzed several of the largest supply chain compromises, each a clear example of A03 in practice:

  • Shai Hulud, a stealthy malware campaign hidden in npm packages that exfiltrated credentials and tokens through transitive dependencies.
  • S1ngularity, a dependency confusion operation that exploited naming collisions and internal mirrors to infiltrate developer workstations and CI.
  • The September npm malware outbreak, where popular libraries such as chalk, debug, and ansi-regex were poisoned and downloaded millions of times before Aikido detected and escalated the compromise.
  • The React-Native-Aria trojan, which inserted a remote access payload into legitimate npm releases and was caught early through Aikido Intel anomaly detection.

During these incidents, many organizations turned to Aikido for accurate intelligence and guidance, using our updates to determine exposure, validate dependencies, and respond before the damage spread.

This expansion in OWASP’s scope mirrors what many security leaders are already experiencing. Aikido’s State of AI in Security & Development 2026 report found that 1 in 3 security leaders have missed risks due to poor integration between tools, and 38% report gaps in visibility across the development or deployment lifecycle. The result is a visibility gap that attackers exploit through trusted supply chains.

Aikido helps close that gap. With Aikido Intel for live threat feeds, Safe Chain for pre-install package verification, and a unified dependency graph across code, containers, and cloud, teams can see exactly where vulnerabilities intersect with real exposure. Aikido not only detects compromised packages but also blocks them before they ever reach production.

For many organizations, A03 is the most relevant category in the OWASP Top 10 2025 because it reflects how software is actually built and attacked today. The supply chain has become the new perimeter, and Aikido gives teams the visibility, automation, and intelligence to defend it.

A10:2025 – Mishandling of Exceptional Conditions

The newest category, A10: Mishandling of Exceptional Conditions, focuses on how systems fail. Poor error handling, logical flaws, and insecure failure states can all lead to exposure of sensitive data or denial-of-service conditions.

OWASP notes that many of these weaknesses used to be grouped under “poor code quality,” but now deserve a dedicated category.

Common issues include:

  • Error messages revealing sensitive details
  • Privilege-handling logic that fails open
  • Inconsistent exception handling
  • Unhandled memory or input errors

This category reinforces the idea that secure software isn’t only about preventing attacks, but also about failing safely and predictably when something goes wrong.

OWASP’s focus on resilience and safe failure also touches on a broader cultural issue. The same Aikido report found that developers and security teams frequently disagree on who’s responsible for secure coding practices. That lack of clarity often leads to inconsistent error handling or incomplete testing, the kinds of breakdowns A10 aims to prevent.

OWASP also recommends that organizations measure the maturity of their application security programs using frameworks like SAMM or DSOMM. The goal isn’t to meet every requirement, but to identify where visibility, automation, and consistency can make the biggest impact.

How Aikido Can Help

The OWASP Top 10 2025 highlights the need for visibility across every layer of software development. Aikido gives teams that clarity by unifying signals from code, dependencies, containers, and cloud infrastructure.

  • Aikido Intel provides real-time threat intelligence, flagging compromised packages and CVEs as they appear.
  • Safe Chain, Aikido’s open-source package verifier, checks npm, yarn, and pnpm dependencies before install, blocking malicious versions.
  • Unified dependency graphs connect your code, containers, and cloud to show how transitive dependencies interact with your production systems, cutting false positives and revealing real exploit paths.
  • SBOM generation helps teams instantly view their full software supply chain, improving transparency and compliance.
  • OWASP Top 10 scoring gives you a clear view of how your environment measures up against each category, with practical guidance to improve.

Aikido helps you manage the risks that the OWASP Top 10 2025 calls out, giving you context on what matters and automation to act on it.

Building a Modern Application Security Program

To establish a strong AppSec foundation, OWASP recommends taking a risk-based approach to your software portfolio, creating reusable security controls and policies, integrating security into every SDLC phase, investing in developer education, and tracking progress with metrics. Together, these steps build a culture where secure development is part of everyday practice rather than a separate process.

Why the OWASP Top 10 2025 Still Matters

The OWASP Top 10 remains one of the most valuable resources for development and security teams. It’s not just a checklist but a reflection of where real-world risks are emerging. By aligning your security processes with it, you can strengthen your software supply chain, improve code quality, and make security a natural part of development. For organizations that want a measurable, testable standard, OWASP recommends pairing the Top 10 with the Application Security Verification Standard (ASVS), which translates awareness into verifiable security practices. Aikido makes that easier by mapping your OWASP coverage automatically, detecting critical vulnerabilities, and helping you fix them faster.

Scan your environment with Aikido Security today to see how your stack measures up against the OWASP Top 10 2025 and where to focus next.