For most security and engineering teams, the OWASP Top 10 is more than a vulnerability list. It is the curriculum that shapes secure coding training, the framework that guides code review checklists, and the structure auditors expect AppSec programmes to map against. So when the list updates, programmes need to update with it. The 2025 edition is not a radical departure, but it does shift priorities in ways that matter for how teams allocate effort.
Continuity: The Categories That Stay Central
Broken Access Control remains at the top, where it has been for a decade. The reasons are the same: access control bugs are common, hard to detect with automated tooling, and high-impact when exploited. Cryptographic Failures, Injection, and Insecure Design also retain prominence. If your AppSec programme has been built around these, the foundation is sound — the work in 2025 is incremental, not a rebuild.
Shift: Software and Data Integrity Moves Up
Supply chain attacks have moved from theoretical concern to weekly news story. The 2025 edition reflects that: Software and Data Integrity Failures get a more prominent treatment, with explicit attention to dependency confusion, compromised CI/CD pipelines, and unsigned update channels. This is the category most teams are least prepared for, because the controls live in build infrastructure rather than application code.
New Emphasis: SSRF and Server-Side Logic Flaws
Server-Side Request Forgery (SSRF) was previously a sub-category. The 2025 edition gives it (and related server-side logic flaws) more direct attention, partly because the rise of cloud metadata services has made SSRF impact catastrophic in ways it was not in 2017. An SSRF that lets an attacker reach a cloud metadata endpoint can hand them temporary credentials with broad permissions. The blast radius justifies the prominence.
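The metadata-endpoint exposure described above is the case an outbound-URL check in a server-side fetcher has to handle. The following is an added example, not code from this article or from OWASP; it assumes a Python service that fetches user-supplied URLs, and the hostnames and addresses in it are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound fetcher should never reach: loopback, RFC 1918, CGNAT,
# link-local (which contains the 169.254.169.254 cloud metadata endpoint),
# and their IPv6 counterparts. Tighten or extend per deployment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def default_resolver(host: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def resolve_outbound_target(url: str, resolver=default_resolver):
    """Return (scheme, host, port, ip) to connect to, or raise ValueError.
    Connect to the returned IP (sending the original Host header) instead of
    re-resolving, so a DNS answer that changes between check and use cannot
    bypass the check (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal, incl. [::ffff:a.b.c.d]
    except ValueError:
        # Non-dotted forms (decimal, octal) are left to the resolver; its
        # answers are still checked below, every one of them, not just the first.
        ips = resolver(host)
    if not ips:
        raise ValueError(f"unresolvable host: {host}")
    for ip in ips:
        if is_blocked_ip(ip):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return parts.scheme, host, port, ips[0]

def is_allowed_url(url: str, resolver=default_resolver) -> bool:
    try:
        resolve_outbound_target(url, resolver)
        return True
    except ValueError:
        return False
```

Scheme and host allow-lists, response-size limits and a no-redirect (or re-checked redirect) HTTP client still belong around this; the address check alone is one layer.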
Returning to the supply chain emphasis, one practical implication is that most static analysis tooling does not catch supply chain failures at all. The risk lives in your build pipeline, your registry configuration, your dependency lockfile policy, and your image signing strategy. Update your AppSec programme to include build-pipeline review alongside traditional code review.
Continuing Theme: Misconfiguration Is the Quiet Majority
Security misconfiguration is rarely glamorous, but it remains the source of a disproportionate share of real-world breaches: default credentials, exposed admin interfaces, overly permissive S3 buckets, debug endpoints reachable in production. The 2025 list continues to call this out because it continues to be true. Teams running infrastructure-as-code with strong scanning catch most of these. Teams without such scanning remain exposed to the same misconfigurations they have been exposed to for a decade.
How to Refresh Your Programme
- Map your existing training and review checklists against the 2025 categories — find the gaps
- Add explicit supply chain coverage if your current programme treated it as out of scope
- Audit your CI/CD pipeline against the integrity-failure category — most pipelines have one or more of these issues
- Refresh threat modelling templates to include SSRF and cloud-metadata exposure
- Update penetration test scoping to ensure new categories are within scope, not just the historical favourites
The Bigger Point
The 2025 update is less about new threats and more about which threats deserve more attention than they have been getting. Most of the categories have existed for years. What has changed is the frequency, severity, and exploitability — driven by cloud, supply chain ecosystems, and the maturation of attacker tooling. The point of refreshing the programme is not to chase the new list. It is to make sure the effort follows the actual risk distribution today rather than the one from 2017.