Struggling to keep your applications secure? The latest OWASP Top 10 list reveals that the same threats continue to plague us, with 'Broken Access Control' still reigning supreme. Let's dive into what this means for you and your applications.
The Open Worldwide Application Security Project (OWASP) has just released its updated list of the top 10 application security risks for 2025, the first update since 2021. This list, presented at the Global AppSec USA event, serves as a crucial data-driven resource for organizations to prioritize their security efforts. While the official write-up is still in preview, the core findings are clear.
Broken Access Control: The Undisputed Champion
It's not surprising that 'Broken Access Control' remains the number one threat. This vulnerability impacts a significant 3.73% of tested applications. But what does this really mean? Essentially, it involves flaws that allow unauthorized users to access sensitive data or perform actions they shouldn't. This can include anything from manipulating URLs to bypass access restrictions, exploiting APIs with missing controls, guessing URLs to privileged pages, or violating the principle of least privilege.
Security Misconfiguration: A Strong Contender
Coming in at a close second is 'Security Misconfiguration'. This category has climbed the ranks, reflecting a shift in how security is approached: more of it now depends on configuration than on other methods. This highlights the importance of properly configuring your systems to prevent vulnerabilities.
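To make "properly configuring your systems" concrete, here is an added example (not code from OWASP or from the article) of a small settings audit: a deliberately weak configuration beside a hardened one, and a checker that flags the usual permissive values. The setting names are constructed and framework-agnostic; the check rules are the assumptions of this example, not an OWASP-published list.

```python
import secrets

# Constructed settings for a hypothetical web application. The key names are
# illustrative and do not belong to any particular framework.
WEAK_SETTINGS = {
    "DEBUG": True,                       # stack traces and internals on error pages
    "ALLOWED_HOSTS": ["*"],              # accepts any Host header
    "CORS_ALLOWED_ORIGINS": ["*"],       # any origin may read API responses
    "SESSION_COOKIE_SECURE": False,      # session cookie may travel over plain HTTP
    "SECRET_KEY": "changeme",            # placeholder never rotated
    "DIRECTORY_LISTING": True,           # web server lists directory contents
    "ADMIN_PASSWORD": "admin",           # vendor default left in place
}

HARDENED_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["app.example.com"],
    "CORS_ALLOWED_ORIGINS": ["https://app.example.com"],
    "SESSION_COOKIE_SECURE": True,
    # In production these two come from a secret store; generated here only so
    # the example runs stand-alone.
    "SECRET_KEY": secrets.token_urlsafe(48),
    "DIRECTORY_LISTING": False,
    "ADMIN_PASSWORD": secrets.token_urlsafe(24),
}

PLACEHOLDER_SECRETS = {"", "changeme", "secret", "password", "admin", "default"}

# Each check: (setting name, predicate that is True when the value is unsafe, finding)
CHECKS = [
    ("DEBUG", lambda v: v is True,
     "debug mode exposes stack traces and internal state"),
    ("ALLOWED_HOSTS", lambda v: "*" in v,
     "wildcard host list allows Host-header abuse"),
    ("CORS_ALLOWED_ORIGINS", lambda v: "*" in v,
     "wildcard CORS lets any site read authenticated responses"),
    ("SESSION_COOKIE_SECURE", lambda v: v is not True,
     "session cookie can be sent over plain HTTP"),
    ("SECRET_KEY", lambda v: len(v) < 32 or v.lower() in PLACEHOLDER_SECRETS,
     "secret key is short or a placeholder"),
    ("DIRECTORY_LISTING", lambda v: v is True,
     "directory listing reveals deployed files"),
    ("ADMIN_PASSWORD", lambda v: v.lower() in PLACEHOLDER_SECRETS,
     "default or placeholder admin password"),
]


def audit_settings(settings):
    """Return a list of (setting, reason) findings.

    A setting that is absent is reported as well: its framework default is not
    known here, and defaults are often the permissive choice, so fail closed.
    """
    findings = []
    for name, is_unsafe, reason in CHECKS:
        if name not in settings:
            findings.append((name, "not set explicitly; framework default may be permissive"))
        elif is_unsafe(settings[name]):
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for setting, reason in audit_settings(WEAK_SETTINGS):
        print(f"[weak] {setting}: {reason}")
    print("hardened findings:", audit_settings(HARDENED_SETTINGS))
```

Running this as part of a deployment pipeline, with the real settings module loaded in place of the constructed dictionaries, turns a misconfiguration from something discovered in an incident into something that blocks the release.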
Supply Chain Failures: The Rising Threat
Software supply chain issues have secured the third spot, despite having fewer occurrences. This is because these issues often have the highest average exploit and impact scores, according to OWASP. This underscores the need to carefully vet the components you use in your applications.
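One concrete way to vet components is to pin each dependency to a known digest and refuse anything that does not match. The following is an added example, not code from OWASP or the article: it parses a lock file written in the style of pip's hash-checking mode (`--hash=sha256:...` entries, which pip enforces with `--require-hashes`) and verifies a downloaded artifact against it. The package name, version and artifact bytes are constructed for the example; the digest is computed from those bytes so the example is self-consistent.

```python
import hashlib
import hmac
import re

# Constructed sample artifact standing in for a downloaded package file.
GOOD_ARTIFACT = b"PK\x03\x04 example-lib 1.4.2 wheel contents (constructed)"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# extra bytes added after the pin was recorded"

# Constructed lock file in pip's hash-checking style. The digest is derived
# from GOOD_ARTIFACT above; in practice it is recorded when the dependency is
# first reviewed and committed alongside the requirement.
LOCKFILE = (
    "example-lib==1.4.2 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}\n"
)

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-f]+)")


def parse_lockfile(text):
    """Return {name: {"version": str, "hashes": {(algo, digest), ...}}}.

    Hashes may follow on continuation lines, so they attach to the most
    recently seen requirement.
    """
    pins = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            current = m.group("name").lower()
            pins[current] = {"version": m.group("version"), "hashes": set()}
        if current is None:
            raise ValueError(f"hash without a preceding requirement: {line!r}")
        for h in HASH_RE.finditer(line):
            pins[current]["hashes"].add((h.group("algo"), h.group("digest")))
    return pins


def verify_artifact(name, data, pins):
    """Accept the artifact only if its digest matches a pinned hash.

    Deny by default: a package that is not pinned, has no hashes, or uses an
    algorithm this host cannot compute is rejected rather than trusted.
    """
    entry = pins.get(name.lower())
    if entry is None or not entry["hashes"]:
        return False
    for algo, expected in entry["hashes"]:
        if algo not in hashlib.algorithms_available:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    print("pinned:", pins)
    print("good artifact accepted:", verify_artifact("example-lib", GOOD_ARTIFACT, pins))
    print("tampered artifact accepted:", verify_artifact("example-lib", TAMPERED_ARTIFACT, pins))
```

The digest comparison is the control that matters: a compromised index or mirror can serve a different file under the same name and version, and only a recorded hash (or a signature verified against a trusted key) catches that.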
Changes Between 2021 and 2025
The categories have been refined for 2025. Notably, 'Software Supply Chain Failures' replaces 'Vulnerable and Outdated Components.' Also, Server-Side Request Forgery (SSRF) has been merged into 'Broken Access Control,' and a new category, 'Mishandling of Exceptional Conditions,' has been added.
What's New and Why?
The new category, 'Mishandling of Exceptional Conditions,' addresses code that doesn't handle unusual situations correctly. This includes race conditions, attacks on partially completed transactions, or revealing sensitive information in error messages. This change reflects the need for more robust error handling in modern applications.
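Two of the failure modes named above, a transaction that is only partly applied and an error message that reveals internals, are easy to show side by side. The following is an added example, not code from OWASP or the article: a constructed ledger whose naive transfer credits the destination before checking the source, the same transfer written to validate first and apply both sides atomically under a lock (which also closes the check-then-act race), and an error handler that keeps exception detail in the server log while the client sees only a generic message and a reference id. Account names and amounts are constructed.

```python
import logging
import threading
import uuid

log = logging.getLogger("payments")


class TransferError(Exception):
    """A business-rule failure the client is allowed to learn about."""


class NaiveLedger:
    """Credits the destination before the source is checked. A request that is
    bound to fail (amount above the balance) raises after step 1, so the
    destination keeps money that was never debited: a partially completed
    transaction that a caller can trigger on purpose."""

    def __init__(self, balances):
        self.balances = dict(balances)   # account -> balance in whole cents

    def transfer(self, src, dst, amount):
        self.balances[dst] = self.balances.get(dst, 0) + amount   # step 1: credit
        if self.balances.get(src, 0) < amount:                    # step 2: check
            raise TransferError("insufficient funds")             # step 3 never runs
        self.balances[src] -= amount                              # step 3: debit


class SafeLedger:
    """Validate first, then apply both sides under one lock, and restore the
    previous state if anything raises in between."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._lock = threading.Lock()

    def transfer(self, src, dst, amount):
        if not isinstance(amount, int) or amount <= 0:
            raise TransferError("amount must be a positive integer")
        with self._lock:   # check and update cannot interleave with another request
            if src not in self.balances or dst not in self.balances:
                raise TransferError("unknown account")
            if self.balances[src] < amount:
                raise TransferError("insufficient funds")
            snapshot = dict(self.balances)
            try:
                self.balances[src] -= amount
                self.balances[dst] += amount
            except Exception:
                self.balances = snapshot   # undo the half-applied change
                raise
        return dict(self.balances)


def error_response(exc):
    """Build the body the client sees.

    Expected business errors are shown as-is. Anything else becomes a generic
    message plus a reference id; the full detail goes to the server log only,
    where the reference id lets an operator find it.
    """
    ref = uuid.uuid4().hex[:12]
    log.error("request %s failed", ref, exc_info=exc)
    if isinstance(exc, TransferError):
        return {"error": str(exc), "ref": ref}
    return {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    naive = NaiveLedger({"alice": 1000, "mallory": 0})
    try:
        naive.transfer("alice", "mallory", 5000)
    except TransferError as e:
        print("naive:", error_response(e), naive.balances)   # mallory now holds 5000

    safe = SafeLedger({"alice": 1000, "mallory": 0})
    try:
        safe.transfer("alice", "mallory", 5000)
    except TransferError as e:
        print("safe:", error_response(e), safe.balances)     # balances unchanged
```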
The Bottom Line
Injection has fallen from third to fifth place, thanks to being one of the most tested categories. Injection issues include SQL injection and cross-site scripting.
Large Language Models and Gen AI Applications
A separate OWASP project covering the top 10 risks for LLM (large language model) and Gen AI applications ranks prompt injection, where model responses are manipulated via prompt input to bypass security checks, as the top risk.
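The defence that survives prompt injection is to enforce security checks outside the model: whatever the model emits is untrusted text, and the application decides what the caller is actually allowed to do. The following is an added example, not code from OWASP's LLM project or the article: a tool dispatcher that parses the model's proposed tool call strictly and runs it only if the caller's own role permits that tool. The roles, tools, document store and the "injected" model output are all constructed for the example.

```python
import json

# Constructed: what each caller role may do, decided by the application and
# never by anything the prompt or the model says.
PERMISSIONS = {
    "reader": {"search_docs"},
    "editor": {"search_docs", "update_doc"},
}

# Constructed document store and tool handlers standing in for real back-ends.
DOCS = {7: "quarterly report draft"}


def search_docs(query):
    return [doc_id for doc_id, text in DOCS.items() if query.lower() in text.lower()]


def update_doc(doc_id, text):
    DOCS[doc_id] = text
    return {"updated": doc_id}


def delete_doc(doc_id):
    DOCS.pop(doc_id, None)
    return {"deleted": doc_id}


TOOLS = {"search_docs": search_docs, "update_doc": update_doc, "delete_doc": delete_doc}

# Rejected calls are recorded here so they can be alerted on: a burst of
# forbidden tool requests is a useful signal that injected content is present.
AUDIT = []


def parse_tool_call(model_output):
    """The model's output is untrusted text. Parse it strictly; never eval it."""
    try:
        call = json.loads(model_output)
    except (json.JSONDecodeError, TypeError):
        return None
    if (not isinstance(call, dict)
            or not isinstance(call.get("tool"), str)
            or not isinstance(call.get("args"), dict)):
        return None
    return call


def dispatch(role, model_output):
    """Run the requested tool only if the caller's role permits it."""
    call = parse_tool_call(model_output)
    if call is None:
        AUDIT.append((role, "malformed", str(model_output)[:80]))
        return {"status": "rejected", "reason": "malformed tool call"}
    tool = call["tool"]
    if tool not in TOOLS or tool not in PERMISSIONS.get(role, set()):
        AUDIT.append((role, "forbidden", tool))
        return {"status": "rejected", "reason": f"role {role!r} may not call {tool!r}"}
    try:
        result = TOOLS[tool](**call["args"])
    except TypeError:
        AUDIT.append((role, "bad-args", tool))
        return {"status": "rejected", "reason": "arguments do not match tool signature"}
    return {"status": "ok", "result": result}


# Constructed model output: what a model might emit after reading a document
# that contained text instructing it to delete records.
INJECTED_OUTPUT = json.dumps({"tool": "delete_doc", "args": {"doc_id": 7}})


if __name__ == "__main__":
    print(dispatch("reader", INJECTED_OUTPUT))   # rejected: reader may not delete
    print(dispatch("editor", INJECTED_OUTPUT))   # rejected: no role may delete
    print("document still present:", 7 in DOCS)
    print(AUDIT)
```

Because `delete_doc` appears in no role's permission set, no phrasing of the injected instruction can reach it; the model can only ever choose among the tools the caller was already entitled to use.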
Prevention is Key
The top tip for preventing broken access control is simple: "Except for public resources, deny by default." This means you should explicitly define what users can access, rather than what they can't.
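The access-control flaw described earlier (changing an id in a URL to read someone else's record) and the "deny by default" advice here fit in one small example. The following is added code, not OWASP's or the article's: a constructed invoice store, a lookup that checks only that the caller is logged in, and a hardened version where every route the application serves must appear in an explicit policy table, so an unlisted route or a missing object-level rule fails closed. User ids, roles, routes and invoice records are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = frozenset()


# Constructed data store: invoice id -> record (owner is a user id).
INVOICES = {
    101: {"id": 101, "owner": 1, "total": 12000},
    102: {"id": 102, "owner": 2, "total": 8000},
}


def load_invoice(invoice_id):
    return INVOICES.get(invoice_id)


# --- Vulnerable pattern: authentication only, no object-level check ---------
def get_invoice_insecure(user, invoice_id):
    """Any logged-in user can read any invoice by changing the id in the URL
    (an insecure direct object reference, one form of broken access control)."""
    if user is None:
        return None
    return load_invoice(invoice_id)


# --- Hardened pattern: deny by default -----------------------------------
# Every (method, route) the application serves is listed with the rule that
# must hold. None marks an explicitly public route. Anything not in the table
# is denied, so a route someone forgot to think about fails closed.
POLICY = {
    ("GET", "/status"): None,
    ("GET", "/invoices/{id}"):
        lambda user, inv: inv["owner"] == user.id or "admin" in user.roles,
    ("DELETE", "/invoices/{id}"):
        lambda user, inv: "admin" in user.roles,
}


def allowed(method, route, user, resource=None):
    """Return True only when an explicit policy permits the request."""
    if (method, route) not in POLICY:
        return False                 # unknown route: deny
    rule = POLICY[(method, route)]
    if rule is None:
        return True                  # explicitly public
    if user is None:
        return False                 # non-public routes need an authenticated user
    if resource is None:
        return False                 # object-level rule needs the object to judge
    return bool(rule(user, resource))


def get_invoice(user, invoice_id):
    """Missing and forbidden both return None, so a caller probing ids cannot
    learn which invoices exist."""
    inv = load_invoice(invoice_id)
    if inv is None or not allowed("GET", "/invoices/{id}", user, inv):
        return None
    return inv


if __name__ == "__main__":
    bob = User(2)
    print("insecure:", get_invoice_insecure(bob, 101))   # bob reads invoice 101, owned by user 1
    print("hardened:", get_invoice(bob, 101))            # None
```

Keeping the table as the single place where access decisions live also makes review tractable: a reviewer can read the policy rather than hunt for checks scattered across handlers.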
Are We Making Progress?
One developer lamented that the security situation feels unchanged, echoing the sentiment that the same issues persist year after year. Another pointed out that secure coding is often an afterthought, with management prioritizing new features until a security breach occurs.
Do you agree with the OWASP Top 10? Are these the most pressing security concerns in your experience? Share your thoughts in the comments below! What steps is your organization taking to address these vulnerabilities? Do you think the focus on configuration is a good approach, or does it create new challenges? Let's discuss!