OWASP Top Ten 2025: Key Security Risks for APIs and Applications


In the software field, one of the most commonly referred to and leveraged resources is the Top Ten list from OWASP. This is for good reason — OWASP stands as a platform- and vendor-agnostic voice that can highlight application security risks in a potentially more meaningful way than the litany of whitepapers and reports issued by for-profit corporations with a specific bias or directional lean.

Recently, OWASP released its updated Top Ten list for 2025 — and it includes some quite meaningful revisions and updates. Today, we’ll review this edition of the Top Ten list, how it has changed, and what these changes mean for the broader security and API space.

About OWASP’s Top Ten List

Briefly, let’s set the stage as to why you should care about this list. The Open Worldwide Application Security Project (OWASP) is a non-profit foundation that is entirely concerned with application security. This focus is of prime importance for API practitioners, as its security research and observations represent a sort of Rosetta Stone, converting the chaos and noise of day-to-day operations into practical guidelines.

OWASP’s Top Ten list details the most common web application security vulnerabilities observed in the wild. The list has been updated consistently over the years, with the most recent edition marking the eighth version. Separately, OWASP also maintains lists for specific areas, such as APIs and LLMs.

The bulk of OWASP’s findings are based on data provided by large organizations like Bugcrowd, Orca Security, Accenture, and others, which provided OWASP with data covering more than 2.8 million applications. This gives the research a strong empirical foundation.

That said, the data presented by OWASP is not purely raw partner data. Instead, it reflects a combined effort that includes incidence detection across the data set as well as survey results from major security and vulnerability researchers. As OWASP notes, this combined methodology is required to keep pace with the rapid evolution of new vulnerabilities.

The OWASP Top Ten 2025 List

Notably, this edition of the Top Ten list includes several significant changes. OWASP states that it intends to focus more specifically on root causes rather than symptoms. As a result, the categories have been updated to better reflect underlying issues. With that in mind, let’s look at the core category changes, along with the ordering and prevalence observed within each.

A01:2025: Broken Access Control

The first major change is that Server-Side Request Forgery (SSRF) has been rolled into the broader Broken Access Control category, A01:2025. This reflects the reality that these areas have always had significant overlap. Unfortunately, this category remains a top issue — 3.73% of tested applications exhibited one or more of the forty Common Weakness Enumeration (CWE) entries mapped to it.
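The two sides of A01:2025 as an added example (not code from the article or from OWASP): an object-level ownership check for an API resource, and the same access-control discipline applied to the destination of a server-side request, which is where SSRF now sits. The document store, the allowlisted hosts and the pluggable resolver are constructed assumptions for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample data: documents keyed by id, each with an owner.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "body": "alice's notes"},
    "doc-2": {"owner": "bob", "body": "bob's notes"},
}

# Assumed policy: the only hosts this service may fetch from on a user's behalf.
OUTBOUND_ALLOWLIST = {"api.example.com", "cdn.example.com"}


class AccessDenied(Exception):
    """Raised for every refused request; callers map it to a generic 403/404."""


def get_document(requesting_user: str, doc_id: str) -> str:
    """Object-level check: being authenticated is not enough, the caller must
    own the specific object named in the request."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != requesting_user:
        # Same failure for "missing" and "not yours" so ids cannot be enumerated.
        raise AccessDenied(f"{requesting_user} may not read {doc_id}")
    return doc["body"]


def check_outbound_url(url: str, resolver=socket.gethostbyname) -> str:
    """SSRF as an access-control problem: the destination of a server-side request
    is authorized against an allowlist and must not resolve to an internal address.
    Returns the checked address so the caller connects to it, not a re-resolved name."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise AccessDenied(f"scheme or host not permitted: {url}")
    host = parsed.hostname.lower()
    if host not in OUTBOUND_ALLOWLIST:
        raise AccessDenied(f"host not on allowlist: {host}")
    addr = ipaddress.ip_address(resolver(host))
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        raise AccessDenied(f"{host} resolves to internal address {addr}")
    return str(addr)


def is_denied(fn, *args) -> bool:
    """Helper for callers and tests: True if the request was refused."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```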

A02:2025: Security Misconfiguration

Security Misconfiguration is a particularly disappointing category. Previously ranked fifth, it now sits at number two in 2025. Security misconfigurations were present in 3% of tested applications, appearing in the form of one or more of sixteen CWEs. This is a frustrating metric, as security misconfiguration should be relatively straightforward to address with proper attention. Yet its prevalence continues to rise.

A03:2025: Software Supply Chain Failures

This brand new category expands on 2021’s A06:2021 — Vulnerable and Outdated Components. It represents a broader set of supply chain failures spanning software dependencies, build systems, and distribution infrastructure. While OWASP acknowledges that testing in this area is difficult and that incidence appears low in the data, the associated CWEs and Common Vulnerabilities and Exposures (CVE) entries carry the highest average exploitability and impact scores. This suggests a testing gap rather than an absence of real-world risk.

A04:2025: Cryptographic Failures

Cryptographic failures remain a common issue, where weak or incorrect encryption practices expose sensitive data. In total, 3.8% of applications still exhibited one or more of the thirty-two CWEs in this category. Although its movement from second to fourth place is encouraging, any occurrence of cryptographic failure can result in significant — and sometimes catastrophic — exposure of data and systems.

A05:2025: Injection

Injection remains a broad category, encompassing thirty-eight CWEs that range from cross-site scripting to SQL injection. The challenge here is the wide disparity between frequency and impact. Some injection issues are relatively common but low impact, while others, such as SQL injection, can undermine entire systems. As a result, this remains a somewhat bloated and heterogeneous category.

A06:2025: Insecure Design

Introduced in 2021, Insecure Design has declined from fourth to sixth place, reflecting gradual improvements across the industry. OWASP notes “noticeable improvements in the industry related to threat modeling and a greater emphasis on secure design.” This is an important development, as insecure design is an issue where the resulting threats are entirely self-inflicted. Improvements here suggest growing maturity and awareness among API and application teams.

A07:2025: Authentication Failures

Previously titled A07:2021 — Identification and Authentication Failures, this category has been renamed to better capture the broader range of authentication issues it encompasses. It includes thirty-six CWEs in total. OWASP observes that increased adoption of standardized authentication frameworks appears to be having a positive effect. Even so, authentication failures remain a prominent and persistent issue in the data.

A08:2025: Software or Data Integrity Failures

Another persistently frustrating entry, A08:2025 — Software or Data Integrity Failures, covers issues related to code integrity, data artifacts, and cross-platform trust. These failures exist below the software supply chain layer and represent deeper, more intrinsic weaknesses within codebases and development processes.

A09:2025: Logging and Alerting Failures

Formerly known as Security Logging and Monitoring Failures, this category reflects community survey input and captures failures in logging, alerting, or both. OWASP notes that this area is consistently underrepresented, primarily because logging and alerting failures often manifest as other issues. In some cases, these failures can even prevent the detection of the underlying problem entirely.

A10:2025: Mishandling of Exceptional Conditions

The list concludes with another new category focused on improper error handling and its downstream effects. When errors are mishandled and systems fail open, critical vulnerabilities can emerge. In this sense, the category represents both a collection of specific issues and a broader pattern of failure around abnormal but high-risk conditions.
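An added example (not from the article) of the fail-open pattern this category describes, alongside the fail-closed version that also records an alertable event, which is the A09:2025 concern from the previous section. The revocation list, the two stand-in service functions and the in-memory alert sink are constructed for the demonstration.

```python
import logging
from typing import Callable

log = logging.getLogger("authz")

# Constructed revocation data standing in for a token revocation service.
REVOKED = {"tok-42"}


def revocation_service_ok(token_id: str) -> bool:
    """Healthy dependency: reports whether the token has been revoked."""
    return token_id in REVOKED


def revocation_service_down(token_id: str) -> bool:
    """Unhealthy dependency: the check cannot be evaluated at all."""
    raise ConnectionError("revocation service unreachable")


def allow_fail_open(token_id: str, lookup: Callable[[str], bool]) -> bool:
    """A10 anti-pattern: an outage in a security control is caught and treated
    as 'not revoked', so the exceptional condition silently becomes 'allow'."""
    try:
        return not lookup(token_id)
    except Exception:
        return True


def allow_fail_closed(token_id: str, lookup: Callable[[str], bool],
                      alerts: list) -> bool:
    """Deny when the control cannot be evaluated, and record a structured,
    alertable event (A09) instead of swallowing the error."""
    try:
        return not lookup(token_id)
    except ConnectionError as exc:
        event = {"event": "revocation_check_failed",
                 "token_id": token_id, "error": str(exc)}
        alerts.append(event)      # feeds the alerting pipeline
        log.error("%s", event)    # and the audit log
        return False
```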

Looking Forward: Strategic Alignment

The 2025 edition of the OWASP Top Ten reflects a clear shift toward better representing the underlying causes of security failures, as well as their downstream effects. The emphasis has moved away from isolated exploit classes and toward foundational design decisions, supply chain exposures, and operational missteps that allow vulnerabilities to take root long before code reaches production systems.

The message is clear: security can no longer be reactive. Organizations must embed security considerations from design through deployment. The prominence of authentication failures, logging and alerting gaps, mishandled errors, and insecure design highlights a systemic challenge. As API adoption accelerates, many organizations are still learning, or relearning, fundamental security practices.

Simply put, investing in secure design early in the lifecycle is essential. APIs built without strong identity primitives, consistent error handling, and intentional observability are effectively opaque once deployed. This makes misuse harder to detect and failures easier to exploit — a pattern that is increasingly reflected in the data. Threat modeling, secure architecture reviews, identity design, and related practices must be treated as first-class development activities, not afterthoughts.

The list also surfaces ongoing issues with supply chains and dependency management. While many of these risks can be mitigated through signed artifacts, automated dependency tracking, validation, and continuous provenance checks, these measures must be integrated into the core development pipeline to be effective.

Finally, familiar best practices remain as relevant as ever. Standardized authentication and access control, proper encryption, careful vendor trust, and disciplined configuration management continue to matter. It’s frustrating that these issues persist at the top of the OWASP list, but they remain easy to get wrong and carry both immediate and long-term consequences.

With that, the OWASP 2025 list is ready to be digested and applied. Get it right, and you set the foundation for a more secure and resilient API future. Get it wrong, and you risk the integrity of your systems — if not immediately, then inevitably over time.

AI Summary

This article reviews the OWASP Top Ten 2025 list, explaining what has changed, why those changes matter, and how they reflect evolving application and API security risks.

  • The OWASP Top Ten 2025 shifts focus from isolated vulnerabilities to deeper root causes such as insecure design, supply chain failures, and operational weaknesses.
  • Broken Access Control remains the most prevalent issue, with Server-Side Request Forgery now folded into this category to reflect long-standing overlap.
  • New and expanded categories, including Software Supply Chain Failures and Mishandling of Exceptional Conditions, highlight growing systemic and process-driven risks.
  • Persistent issues like security misconfiguration, cryptographic failures, and injection attacks continue to affect a significant percentage of applications.
  • The list emphasizes proactive security practices, including threat modeling, secure architecture, strong identity foundations, and consistent logging and observability.

Intended for API practitioners, application security professionals, architects, and engineering leaders responsible for designing, building, and securing modern software systems.