Wednesday, February 11, 2026

OWASP Top 10 updated after 4 years, with many of the same issues still impacting applications

The OWASP Foundation has published the first Release Candidate for the 2025 OWASP Top 10 list, which ranks the most critical security concerns developers should be thinking about.

The top 10 security concerns on the updated list are:

  1. Broken Access Control
  2. Security Misconfiguration
  3. Software Supply Chain Failures
  4. Cryptographic Failures
  5. Injection
  6. Insecure Design
  7. Authentication Failures
  8. Software or Data Integrity Failures
  9. Logging and Alerting Failures
  10. Mishandling of Exceptional Conditions

This list features many of the same concerns as the 2021 version, with a few notable changes, such as Server-Side Request Forgery, which was in last place in 2021, being rolled into the Broken Access Control category.

Additionally, a new category, Software Supply Chain Failures, was added and includes Vulnerable and Outdated Components (#6 in 2021), and Mishandling of Exceptional Conditions made the list for the first time, containing CWEs related to improper error handling, logical errors, failing open, and other related scenarios.
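The "failing open" pattern that this new category groups with improper error handling is easiest to see in an access check. The following is an added example, not code from the article or from OWASP: a role lookup whose error handling grants access whenever the policy store cannot be read, beside the fail-closed version that denies and logs instead. The JSON policy store, the user names and the PolicyLookupError type are constructed for the illustration.

```python
import json
import logging

logger = logging.getLogger(__name__)

# Constructed sample policy store (assumed; a real system would query a
# database or policy service). Maps user -> granted roles.
POLICY_JSON = '{"alice": ["admin", "reader"], "bob": ["reader"]}'


class PolicyLookupError(Exception):
    """Raised when the policy store cannot be consulted (hypothetical type)."""


def load_roles(user: str, raw_policy: str) -> list:
    """Return the roles granted to `user`, or raise PolicyLookupError if the
    store is unreadable. An unknown user has no roles."""
    try:
        policy = json.loads(raw_policy)
    except json.JSONDecodeError as exc:
        raise PolicyLookupError("policy store unreadable") from exc
    return policy.get(user, [])


def is_admin_fail_open(user: str, raw_policy: str = POLICY_JSON) -> bool:
    """Vulnerable: the check only knows how to say 'no' on the happy path.
    Any exception during the lookup is swallowed, control falls through to
    the final `return True`, and the caller is granted admin access."""
    try:
        roles = load_roles(user, raw_policy)
        if "admin" not in roles:
            return False
    except Exception:  # the broad catch-and-continue is the bug being shown
        logger.warning("role lookup failed for %s; continuing", user)
    return True


def is_admin_fail_closed(user: str, raw_policy: str = POLICY_JSON) -> bool:
    """Hardened: the default is deny, access is granted only when the lookup
    positively succeeds, and the failure is logged so it can be alerted on
    rather than silently turned into a grant."""
    try:
        return "admin" in load_roles(user, raw_policy)
    except PolicyLookupError:
        logger.error("role lookup failed for %s; denying", user, exc_info=True)
        return False


if __name__ == "__main__":
    BROKEN_STORE = "{not valid json"  # constructed: simulates a store outage
    for check in (is_admin_fail_open, is_admin_fail_closed):
        print(check.__name__,
              "alice:", check("alice"),
              "bob:", check("bob"),
              "mallory during outage:", check("mallory", BROKEN_STORE))
```

Both functions agree while the store is healthy; they differ only when the store is unreadable, which is exactly the case most test suites never exercise. A unit test that feeds the check a broken or unavailable store and asserts on deny is the cheapest way to catch this class of defect before it reaches production.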

“Mishandling of Exceptional Conditions is a category that has been just outside the Top 10 for several years. In this iteration, there was enough data and support from the community survey to push it over the line and into the Top 10,” said Brian Glas, one of the lead authors of the report.

Broken Access Control maintained its position as the top concern, with 3.74% of the applications OWASP examined including one or more of the 40 CWEs in this category.

Cryptographic Failures, Injection, and Insecure Design dropped down the list, while Security Misconfiguration rose to number two.

The OWASP Top 10 is determined using two main data collection methods. The primary approach is that companies contributed their findings from SAST, DAST, IAST, and other security testing conducted from 2020 to 2024. This data covered over 2.8 million applications that were tested. The second method is a community survey, which accounts for new categories of vulnerabilities that the industry may not yet have developed sufficient tests for.

“It’s important to understand why we assemble the Top 10 in this manner,” said Glas. “If it were purely data-driven, we would not have an accurate list, as it would only be looking into the past. The community survey is critical in enabling people on the ground to share what they perceive as important risks that require visibility and attention, which may not be reflected in the data.”

Glas concluded that this updated OWASP Top 10 highlights the fact that software development is becoming more complex, and developers are being asked to be responsible for more things. He cited the rise of Software Supply Chain Failures and Security Misconfiguration as evidence of this shift.

The OWASP Top 10 2025 will be open for comments until November 20th.
