...

What Is OWASP Top 10?

TL;DR

  • The OWASP Top 10 is a ranked list of the ten most critical web application security risks, published by the non-profit OWASP Foundation.  
  • The current 2025 edition is led by Broken Access Control, Security Misconfiguration, and the new Software Supply Chain Failures category.  
  • Teams use the list to prioritize what to fix first, but a clean scan against it does not mean an application is fully secure, since it covers the most common risks, not every possible one.  
  • It gets updated every three to four years as new data comes in. 

What is OWASP

OWASP stands for the Open Worldwide Application Security Project. It is a non-profit foundation that publishes free, open resources to help people build safer software. It has no product to sell and no vendor to promote, which is a big reason its guidance is trusted across the industry. 

The organization runs many projects, but the Top 10 is by far its best known. It has been published since 2003 and updated periodically as new threats emerge and old ones fade. The newest version, OWASP Top 10:2025, is the eighth edition of the list. 

What the Top 10 List Measures

The OWASP Top 10 is a ranked list of the ten most critical risks facing web applications today. It is written for developers, testers, and security teams, and it is one of the most referenced documents in the security world.  

Each edition of the list is built from two sources. The first is real testing data, contributed by security vendors and companies, covering millions of applications and hundreds of thousands of known vulnerabilities. The second is a survey of security practitioners, asked what risks they see in the field that data alone might miss. 

OWASP groups related weaknesses into ten broad categories, ranks them by how common and how damaging they are, and writes plain guidance on how to spot and fix each one. The goal is not to list every possible flaw but to point teams at the risks that cause the most real-world damage, so limited time and budget go where they matter most. 

In simpler terms, the OWASP Top 10 is a prioritized checklist that tells a team where to look first, not everywhere to look. 

The OWASP Top 10: 2025 List

Here is the full 2025 list, in order, with each risk described 

A01: Broken Access Control

This happens when an application does not properly check what a user is allowed to do. A shopper might view another customer’s order, or a regular user might reach an admin page just by changing a web address. This is the most common and most serious risk on the list, and it now also covers a related flaw called server-side request forgery, where an attacker tricks a server into making requests it should never make. 

A02: Security Misconfiguration

This covers systems set up in a way that leaves them exposed. Examples include default passwords that were never changed, cloud storage left open to the public, or error messages that reveal too much about how the system works. It jumped from fifth place in 2021 to second place in 2025, largely because modern software has far more settings that can be gotten wrong. 

A03: Software Supply Chain Failures

Modern applications are built from many third-party pieces: open-source libraries, build tools, and outside services. This risk covers cases where one of those pieces is compromised, outdated, or malicious, and that problem quietly spreads into the final product. It replaces and broadens the older “vulnerable and outdated components” category. 

A04: Cryptographic Failures

This is about data that should be protected but is not, such as passwords, health records, or payment details stored or sent without proper encryption. It often leads directly to data breaches once an attacker gets access to the underlying storage or network traffic. 

A05: Injection

Injection happens when untrusted input from a user is treated as a command instead of plain data. SQL injection, where a form field is used to manipulate a database, is the classic example. Cross-site scripting, where malicious script runs in another user’s browser, also falls under this category. It has dropped in rank as tools have gotten better at catching it, but it remains one of the most dangerous risks when it does slip through. 

A06: Insecure Design 

This is different from a coding mistake. It is a flaw baked into the plan before any code was written, such as a checkout flow with no limit on failed payment attempts. Fixing it usually means rethinking the design, not just patching the code. 

A07: Authentication Failures

This covers weaknesses in how an application confirms who a user is, including weak password rules, missing multi-factor authentication, and session tokens that do not expire properly. It was previously named “identification and authentication failures,” and the shorter name reflects the same core issue. 

A08: Software or Data Integrity Failures

This risk covers code or data that is trusted without being verified, such as an automatic update installed without checking its source, or a deserialized object that is not validated before use. It sits closer to the code level than the broader supply chain category above it. 

A09: Security Logging and Alerting Failures

When something goes wrong, a team needs to know quickly. This risk covers systems that fail to record suspicious activity, or that record it but never alert anyone. Without this, a breach can go unnoticed for months. 

A10: Mishandling of Exceptional Conditions

This covers what happens when something unexpected occurs, such as a service timing out, running out of memory, or receiving malformed data. Poor handling of these moments can leak sensitive details in an error message, or worse, cause the system to fail open and skip its own security checks. 

Why OWASP Top 10 Matters to Security Teams

The list has stayed relevant for over two decades because it solves a practical problem. Application security is a huge field, and no team has time to check everything at once. The Top 10 gives a shared, evidence-based starting point. 

For developers

It works as a checklist while writing and reviewing code, helping catch the mistakes that cause the most breaches before the code ever ships. 

For security teams

It shapes what automated scanners and manual testers look for first, and gives a common language to describe findings to engineering teams. 

For organizations

It is often referenced in security policies, vendor questionnaires, and compliance frameworks as a recognized baseline for what “secure enough” looks like.

Book a demo to learn how AppSentinels detects and blocks these risks in real time.

Frequently Asked Questions

Is the OWASP Top 10 a law or a technical standard? +

No. It is an awareness document, not a law or a formal technical standard. Some industry rules and contracts reference it as a baseline, but OWASP itself does not enforce it. Teams adopt it voluntarily because it reflects real-world data on where applications get breached.

How often does OWASP update the Top 10? +

Roughly every three to four years. The list moved from 2017 to 2021 and then to 2025, the eighth edition. Updates happen when enough new data and community feedback justify reordering or replacing categories, not on a fixed yearly schedule.

Does passing an OWASP Top 10 scan mean an application is secure? +

No. The list covers the ten broadest and most common risk categories, not every possible flaw. A clean scan against these ten categories lowers the most likely risks but does not guarantee the application is free of vulnerabilities outside the list.

What changed the most between the 2021 and 2025 OWASP Top 10? +

Two new categories appeared: Software Supply Chain Failures and Mishandling of Exceptional Conditions. Server-Side Request Forgery was folded into Broken Access Control, Security Misconfiguration jumped from fifth to second place, and several other categories shifted rank as new data came in.

Who should actually use the OWASP Top 10? +

Developers, security engineers, QA testers, DevOps teams, and engineering managers all benefit from it. Developers use it to avoid common mistakes while writing code, security teams use it to prioritize testing and training, and managers use it to set a shared baseline across projects.

Table of Contents

Recommended Articles