
























The OWASP Top 10 2025 has officially arrived, bringing two big updates. It reflects how software security has shifted toward complex, interconnected risks like supply chain integrity and error handling. For developers and security teams, understanding these changes is essential to keeping applications resilient.
OWASP emphasizes that the Top 10 is an awareness document, not a full standard. It’s designed to highlight the most critical risks, not to serve as a complete security framework. For organizations looking to go further, OWASP recommends using maturity and verification models such as SAMM (Software Assurance Maturity Model), DSOMM (DevSecOps Maturity Model), and ASVS (Application Security Verification Standard).
For more on what the OWASP Top 10 is all about, check out this article.
The 2025 edition introduces two new categories and one consolidation.
In short, OWASP 2025 shifts focus from isolated code flaws to systemic weaknesses that span the entire development lifecycle.
Below is the full list of categories in the OWASP Top 10 2025, along with a short summary of each.
| Rank | Category | Summary |
|---|---|---|
| A01:2025 | Broken Access Control | Still the leading risk, covering flaws that allow attackers to bypass authorization or gain unauthorized access. |
| A02:2025 | Security Misconfiguration | Covers weak default settings, exposed services, and inconsistent security controls across environments. |
| A03:2025 | Software Supply Chain Failures | Expanded to include vulnerabilities in dependencies, CI/CD systems, and distribution infrastructure. |
| A04:2025 | Cryptographic Failures | Insecure or outdated encryption practices that expose sensitive data. |
| A05:2025 | Injection | Classic input-validation flaws such as SQL, OS, and template injection that remain common across stacks. |
| A06:2025 | Insecure Design | Risks introduced by poor architectural decisions or lack of threat modeling. |
| A07:2025 | Authentication Failures | Issues in login flows, weak password policies, or session handling that lead to unauthorized access. |
| A08:2025 | Software or Data Integrity Failures | Flaws where code or data can be modified or tampered with, often in update mechanisms or pipelines. |
| A09:2025 | Logging & Alerting Failures | Gaps in monitoring or alerting that allow attacks to go undetected. |
| A10:2025 | Mishandling of Exceptional Conditions | New for 2025, focused on unsafe error handling and system resilience when failures occur. |
The OWASP Top 10 2025 highlights Software Supply Chain Failures as one of the most urgent risks in modern software security. OWASP now explicitly calls out malware in software ecosystems, including malicious packages, compromised maintainers, and tampered build processes, as leading threats to application security.
These attacks rarely start in production. They begin on the developer workstation. By compromising dependencies or injecting malware into widely used packages, attackers can gain access to environments that are inherently trusted. Once inside, a single malicious dependency can move through CI systems, containers, and cloud environments in hours, often without triggering traditional scanners.
Aikido Security has seen this shift up close. Throughout 2025, we identified and analyzed several of the largest supply chain compromises, each a clear example of A03 in practice:
During these incidents, many organizations turned to Aikido for accurate intelligence and guidance, using our updates to determine exposure, validate dependencies, and respond before the damage spread.
This expansion in OWASP’s scope mirrors what many security leaders are already experiencing. Aikido’s State of AI in Security & Development 2026 report found that 1 in 3 security leaders have missed risks due to poor integration between tools, and 38% report gaps in visibility across the development or deployment lifecycle. The result is a visibility gap that attackers exploit through trusted supply chains.
Aikido helps close that gap. With Aikido Intel for live threat feeds, Safe Chain for pre-install package verification, and a unified dependency graph across code, containers, and cloud, teams can see exactly where vulnerabilities intersect with real exposure. Aikido not only detects compromised packages but also blocks them before they ever reach production.
For many organizations, A03 is the most relevant category in the OWASP Top 10 2025 because it reflects how software is actually built and attacked today. The supply chain has become the new perimeter, and Aikido gives teams the visibility, automation, and intelligence to defend it.
The newest category, A10: Mishandling of Exceptional Conditions, focuses on how systems fail. Poor error handling, logical flaws, and insecure failure states can all lead to exposure of sensitive data or denial-of-service conditions.
OWASP notes that many of these weaknesses used to be grouped under “poor code quality,” but now deserve a dedicated category.
Common issues include:
This category reinforces the idea that secure software isn’t only about preventing attacks, but also about failing safely and predictably when something goes wrong.
OWASP’s focus on resilience and safe failure also touches on a broader cultural issue. The same Aikido report found that developers and security teams frequently disagree on who’s responsible for secure coding practices. That lack of clarity often leads to inconsistent error handling or incomplete testing, the kinds of breakdowns A10 aims to prevent.
OWASP also recommends that organizations measure the maturity of their application security programs using frameworks like SAMM or DSOMM. The goal isn’t to meet every requirement, but to identify where visibility, automation, and consistency can make the biggest impact.
The OWASP Top 10 2025 highlights the need for visibility across every layer of software development. Aikido gives teams that clarity by unifying signals from code, dependencies, containers, and cloud infrastructure.
Aikido helps you manage the risks that the OWASP Top 10 2025 calls out, giving you context on what matters and automation to act on it.
To establish a strong AppSec foundation, OWASP recommends taking a risk-based approach to your software portfolio, creating reusable security controls and policies, integrating security into every SDLC phase, investing in developer education, and tracking progress with metrics. Together, these steps build a culture where secure development is part of everyday practice rather than a separate process.
The OWASP Top 10 remains one of the most valuable resources for development and security teams. It’s not just a checklist but a reflection of where real-world risks are emerging. By aligning your security processes with it, you can strengthen your software supply chain, improve code quality, and make security a natural part of development. For organizations that want a measurable, testable standard, OWASP recommends pairing the Top 10 with the Application Security Verification Standard (ASVS), which translates awareness into verifiable security practices. Aikido makes that easier by mapping your OWASP coverage automatically, detecting critical vulnerabilities, and helping you fix them faster.
Scan your environment with Aikido Security today to see how your stack measures up against the OWASP Top 10 2025 and where to focus next.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。