OWASP Top 10 2025: Supply Chain Attacks, Cloud Misconfigurations, and the Vulnerability List That Refuses to Change

The OWASP Top 10 is application security’s equivalent of a physical exam. Every three to four years, the Open Worldwide Application Security Project gathers real-world vulnerability data from testing organizations and security vendors, combines it with a community survey of practitioners, and produces a ranked list of the most critical web application security risks.

The 2025 edition has arrived. Based on analysis of more than 175,000 CVE records covering nearly 2.8 million applications, plus a survey of 221 security experts, it reveals a landscape that has evolved in important ways — and in others, has barely moved at all.

Software supply chain failures have debuted at number three. Security misconfiguration jumped from fifth to second. Mishandling of exceptional conditions entered at number ten. AI-generated code risks earned a spot in a “next steps” section. And broken access control holds number one — for the 22nd consecutive year.

Five Key Takeaways

  1. Broken Access Control Has Topped the List Since 2003. Broken access control has held number one on the OWASP Top 10 since the list was first published over two decades ago. On average, 3.73% of applications tested had one or more of the 40 CWEs mapped to this category. Organizations keep building custom access control mechanisms that are error-prone, inconsistently tested, and riddled with privilege escalation paths. If the most critical web application vulnerability has persisted for 22 years, the industry has a systemic problem — not a patching problem.
  2. Software Supply Chain Failures Debut at Number Three. The biggest structural change is the arrival of Software Supply Chain Failures at number three. This replaces and expands the old “Vulnerable and Outdated Components” category to cover attacks against the entire software supply chain: compromised open-source libraries, breached vendor-update mechanisms, tampered CI/CD pipelines, and direct attacks on developer workstations. As OWASP lead author Tanya Janca put it, “Developers have become a primary target for many online attacks now.”
  3. Security Misconfiguration Jumps from Fifth to Second. Cloud adoption has made misconfiguration a pervasive and catastrophic vulnerability. Default credentials left unchanged, publicly accessible cloud storage buckets, and unnecessary features left enabled are commonplace. Every application tested in the data showed some form of misconfiguration. This is not a niche risk. It is a near-universal one.
  4. AI-Generated Code Risks Land on OWASP’s Radar. AI did not crack the top ten, but it earned a mention in a “next steps” section. Titled “Inappropriate Trust in AI Generated Code” and colloquially known as the “vibe coding” problem, this category acknowledges that developers are shipping AI-generated code without fully reviewing it. The trajectory is clear: AI-generated code risks are on a path to future inclusion.
  5. Two New Categories Reflect a Shift Toward Root Causes. The 2025 edition introduces Software Supply Chain Failures at number three and Mishandling of Exceptional Conditions at number ten. SSRF was absorbed into Broken Access Control. These changes signal OWASP’s deliberate move toward identifying root causes rather than symptoms — and toward recognizing that secure software must also fail safely.

Broken Access Control: 22 Years at Number One

Broken access control is the vulnerability that refuses to go away. It now maps to 40 CWEs — the most of any category — and covers privilege escalation, insecure direct object references, CORS misconfigurations, and token manipulation. SSRF was folded in as well, reflecting the view that many SSRF vulnerabilities are fundamentally access control problems.

Jeff Williams, who created the original OWASP Top 10, explained the persistence: “Everyone tries to craft their own authentication and access control mechanisms.” A typical web application might have a hundred endpoints accessible by twenty different roles. “Most people do a scan of their application with one role in mind,” Williams said. “It’s very difficult to verify.”

The takeaway is uncomfortable: this is not a problem the industry is solving. Organizations that rely on custom access control mechanisms are inheriting a risk that has persisted for two decades because they keep building it from scratch rather than adopting tested, purpose-built frameworks like RBAC and ABAC.
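As an added illustration of the point above (example code, not from the article or from any named product), the handler on the left of the comparison trusts a caller-supplied id, while the hardened one routes every request through one policy decision point that combines a role table (RBAC) with owner and department attributes (ABAC). The `User`, `Document`, `DOCS` and `ROLE_ACTIONS` names and the sample records are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class User:
    id: str
    role: str          # RBAC attribute
    department: str    # ABAC attribute

@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str
    department: str

# Constructed store standing in for the database.
DOCS: Dict[str, Document] = {
    "d1": Document("d1", owner_id="alice", department="finance"),
    "d2": Document("d2", owner_id="bob", department="hr"),
}
# RBAC table: role -> permitted actions. Unknown roles get nothing.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "viewer": {"read"},
    "editor": {"read", "update"},
    "admin": {"read", "update", "delete"},
}

def vulnerable_get_document(doc_id: str) -> Optional[Document]:
    """Insecure direct object reference: whoever supplies an id gets the record."""
    return DOCS.get(doc_id)

def authorize(user: User, action: str, doc: Document) -> bool:
    """Single policy decision point; denies unless a rule explicitly allows:
    - RBAC gate: the role must permit the action (unknown role -> deny);
    - ABAC gate: owners act on their own documents; others only inside their
      department, and then only read unless they are admin."""
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False
    if doc.owner_id == user.id:
        return True
    if doc.department != user.department:
        return False
    return action == "read" or user.role == "admin"

def get_document(user: User, action: str, doc_id: str) -> Optional[Document]:
    """Hardened handler: every endpoint calls the same check on the loaded object."""
    doc = DOCS.get(doc_id)
    if doc is None or not authorize(user, action, doc):
        return None  # identical response for missing and forbidden: no id oracle
    return doc
```

Because `authorize` is the only place policy lives, a test suite can exercise it per role and per attribute without crawling a hundred endpoints with one role in mind.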


Security Misconfiguration Climbs to Number Two

Security misconfiguration jumped from fifth to second because cloud adoption has made systems dramatically more configurable — and more configurable means more opportunities to get settings wrong.

The category covers default credentials never changed, unnecessary features left enabled, verbose error messages revealing system architecture, and cloud storage buckets left publicly accessible. These are not sophisticated attack vectors. They are configuration oversights that hand attackers the keys.

As cloud environments grow more complex — spanning multiple providers, regions, and services — the surface area for misconfiguration expands with them. Organizations need to treat configuration as a security discipline: secure-by-default settings, automated validation, and forced credential changes should be baseline expectations.
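The automated validation the paragraph calls for, as an added example (not from the article or any product): a check that refuses a deployment configuration carrying the oversights the category lists, shown against a weak configuration and the same deployment with secure-by-default settings. The configuration keys, the default-credential list and the feature names are assumptions.

```python
from typing import Dict, List

# Constructed list of factory defaults a validator should refuse outright.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
# Constructed list of features that widen the surface without a business need.
RISKY_FEATURES = {"directory_listing", "sample_apps", "remote_admin_console"}

def validate_config(cfg: Dict) -> List[str]:
    """Return findings for the misconfigurations in the category; an empty list passes."""
    findings = []
    user, pw = cfg.get("admin_user"), cfg.get("admin_password")
    if not pw or (user, pw) in DEFAULT_CREDENTIALS:
        findings.append("default or empty admin credentials")
    if cfg.get("force_password_change_on_first_login") is not True:
        findings.append("forced credential change on first login is off")
    for name, bucket in cfg.get("buckets", {}).items():
        # A non-private ACL or a missing block-public-access guard both count as exposure.
        if bucket.get("acl") != "private" or bucket.get("block_public_access") is not True:
            findings.append(f"bucket '{name}' may be publicly accessible")
    if cfg.get("debug") or cfg.get("verbose_errors"):
        findings.append("debug/verbose errors enabled: stack traces reveal architecture")
    for feature in cfg.get("enabled_features", []):
        if feature in RISKY_FEATURES:
            findings.append(f"unnecessary feature enabled: {feature}")
    return findings

# Weak configuration of the kind the category describes (constructed).
WEAK_CONFIG = {
    "admin_user": "admin", "admin_password": "admin",
    "force_password_change_on_first_login": False,
    "buckets": {"uploads": {"acl": "public-read", "block_public_access": False}},
    "debug": True,
    "enabled_features": ["api", "directory_listing"],
}
# The same deployment with secure-by-default settings applied (constructed).
HARDENED_CONFIG = {
    "admin_user": "ops-admin", "admin_password": "set-from-secret-manager (constructed)",
    "force_password_change_on_first_login": True,
    "buckets": {"uploads": {"acl": "private", "block_public_access": True}},
    "debug": False,
    "enabled_features": ["api"],
}
```

Run as a gate in the deployment pipeline, a non-empty findings list blocks the rollout rather than producing a report nobody reads.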

Software Supply Chain Failures Debut at Number Three

This is the most consequential structural change in the 2025 list. Software Supply Chain Failures replaces the narrower “Vulnerable and Outdated Components” category and expands scope to cover the entire build, distribution, and update pipeline.

Tanya Janca described the shift: “It is no longer a problem of including a library that has a questionable dependency.” There are now active attacks against the IDE, the CI/CD pipeline, plugins, repositories, and developer workstations. “The entire software supply chain is currently a focus for attackers.”

Fifty percent of surveyed security experts ranked supply chain risks as their top concern — the highest consensus across any category. Defending against these failures requires software bills of materials, code signing, hardened build environments, vulnerability scanning of transitive dependencies, and secure update mechanisms with integrity verification.
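Two of the defenses listed above, pinning transitive dependencies and verifying integrity before install, as an added example (not from the article or any project): a walk over a constructed lockfile that fails on any dependency not pinned, direct or transitive, and compares each fetched artifact's SHA-256 against the digest recorded at lock time. The lockfile layout, package names and artifact contents are assumptions.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed artifact contents standing in for downloaded packages.
ARTIFACTS: Dict[str, bytes] = {
    "webfw-2.1.0": b"webfw source tarball (constructed)",
    "jsonlib-1.4.2": b"jsonlib source tarball (constructed)",
    "tinyutil-0.3.0": b"tinyutil source tarball (constructed)",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed lockfile: pinned version, digest recorded at lock time,
# and the packages each one pulls in (the transitive edges).
LOCKFILE = {
    "webfw": {"version": "2.1.0", "sha256": sha256_hex(ARTIFACTS["webfw-2.1.0"]), "requires": ["jsonlib"]},
    "jsonlib": {"version": "1.4.2", "sha256": sha256_hex(ARTIFACTS["jsonlib-1.4.2"]), "requires": ["tinyutil"]},
    "tinyutil": {"version": "0.3.0", "sha256": sha256_hex(ARTIFACTS["tinyutil-0.3.0"]), "requires": []},
}

def fetch(name: str, version: str) -> bytes:
    """Stands in for downloading from the package index."""
    return ARTIFACTS[f"{name}-{version}"]

def resolve(roots: List[str], lockfile: Dict) -> List[str]:
    """Walk direct and transitive dependencies; a package missing from the lock is a hard failure."""
    order, stack = [], list(roots)
    while stack:
        name = stack.pop()
        if name in order:
            continue
        entry = lockfile.get(name)
        if entry is None:
            raise ValueError(f"unpinned dependency: {name}")
        order.append(name)
        stack.extend(entry["requires"])
    return order

def verify_and_install(roots, lockfile, fetch_fn: Callable[[str, str], bytes] = fetch) -> List[str]:
    """Compare every fetched artifact against its pinned digest; abort on the first mismatch."""
    installed = []
    for name in resolve(roots, lockfile):
        entry = lockfile[name]
        actual = sha256_hex(fetch_fn(name, entry["version"]))
        if actual != entry["sha256"]:
            raise ValueError(f"integrity failure: {name}-{entry['version']} does not match lockfile")
        installed.append(f"{name}-{entry['version']}")
    return installed
```

The same digest list is what an SBOM entry carries, so the check doubles as evidence that the installed set matches the inventory.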

What Else Moved — and What Is New

Cryptographic Failures (Number Four) dropped from second place — not because encryption problems are less prevalent, but because other risks have grown faster. Transmitting sensitive data in clear text, weak algorithms, and poor certificate validation remain widespread. FIPS-validated cryptography and TLS 1.3 represent the current baseline for defensible encryption practices.

Injection (Number Five) continues its gradual descent. Modern frameworks with parameterized queries and output encoding have helped reduce incidence, though the risk is far from eliminated.

Insecure Design (Number Six) has moved down slightly, reflecting industry improvements in threat modeling. The category remains a reminder that security bolted on after development cannot fix a system never designed to be secure.

Authentication Failures (Number Seven) covers brute force, weak passwords, exposed session IDs, and missing MFA. In an era of AI-powered phishing, the absence of multi-factor authentication for sensitive functions is an increasingly indefensible gap.

Software or Data Integrity Failures (Number Eight) focuses on trust without verification — unsigned updates, unvetted plugins, and CI/CD pipelines that accept artifacts without integrity checks.

Security Logging and Alerting Failures (Number Nine) retains its position with a critical update: “alerting” was explicitly added to the category name. OWASP is sending a clear message that logging without alerting provides minimal value. Organizations need audit logs paired with real-time alerting and SIEM integration to turn data collection into actionable detection.
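What "logging paired with alerting" looks like in code, as an added example (not from the article or any product): a detector run over constructed audit log lines that raises one alert when a source reaches a failure threshold inside a window, and a higher-severity alert when a success follows that burst. The log format, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed audit log lines in a hypothetical "<ts> auth <FAIL|OK> user=<u> src=<ip>" format.
LOG_LINES = [
    "2025-11-10T09:00:01 auth FAIL user=admin src=10.0.0.5",
    "2025-11-10T09:00:04 auth FAIL user=admin src=10.0.0.5",
    "2025-11-10T09:00:07 auth FAIL user=admin src=10.0.0.5",
    "2025-11-10T09:00:09 auth OK user=jsmith src=10.0.0.7",
    "2025-11-10T09:00:11 auth FAIL user=admin src=10.0.0.5",
    "2025-11-10T09:00:13 auth FAIL user=root src=192.0.2.9",
    "2025-11-10T09:00:15 auth FAIL user=admin src=10.0.0.5",
    "2025-11-10T09:00:20 auth FAIL user=admin src=10.0.0.5",
    "2025-11-10T09:00:31 auth OK user=admin src=10.0.0.5",
    "this line is malformed and must not crash the detector",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_bruteforce(lines: List[str], threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """Sliding window of failures per source. Emits one alert when a source reaches
    `threshold` failures inside `window`, and a higher-severity alert if a success
    follows such a burst: that is the pattern a SIEM rule should page on."""
    alerts: List[Dict] = []
    recent_failures = defaultdict(deque)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are skipped, never fatal
        q = recent_failures[ev["src"]]
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) == threshold:  # fire exactly once per burst
                alerts.append({"severity": "medium", "src": ev["src"], "at": ev["ts"].isoformat(),
                               "reason": f"{threshold} failed logins within {window}"})
        elif len(q) >= threshold and ev["ts"] - q[-1] <= window:
            alerts.append({"severity": "high", "src": ev["src"], "at": ev["ts"].isoformat(),
                           "reason": f"successful login for {ev['user']} right after a failure burst"})
            q.clear()  # burst consumed; do not re-alert on the next success
    return alerts
```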

Mishandling of Exceptional Conditions (Number Ten) is entirely new. It covers failures in error handling and edge cases that lead to information disclosure or security bypasses. OWASP project leader Brian Glas noted it had hovered just outside the top ten for years. “If it was purely data-driven,” he said, “we would not have an accurate list as it would only be looking into the past.”
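The two failure modes the new category names, a bypass and an information leak, side by side with their fail-safe counterparts, as an added example (not from the article or any product): an entitlement check that fails open during an outage versus one that fails closed, and a handler that answers an unexpected error with a correlation id instead of the exception text. The entitlement backend, handler and helper names are assumptions.

```python
import logging
import uuid
from typing import Callable, Dict, Tuple

log = logging.getLogger("app")

def backend_down(user_id: str) -> bool:
    """Constructed failure: the entitlement store is unreachable."""
    raise ConnectionError("entitlement-db: connection refused")

def backend_ok(user_id: str) -> bool:
    return user_id == "alice"

def mishandled_is_entitled(user_id: str, lookup: Callable[[str], bool]) -> bool:
    """Fails open: an outage silently grants access and the error is swallowed."""
    try:
        return lookup(user_id)
    except Exception:
        return True

def is_entitled(user_id: str, lookup: Callable[[str], bool]) -> bool:
    """Fails closed: any error denies, and the detail is logged for alerting."""
    try:
        return bool(lookup(user_id))
    except Exception as exc:
        log.error("entitlement check failed for %s: %r", user_id, exc)
        return False

def render_export(user_id: str) -> str:
    return f"export for {user_id}"

def handle_export(user_id: str, lookup: Callable[[str], bool],
                  export: Callable[[str], str] = render_export) -> Tuple[int, Dict[str, str]]:
    """Returns (status, body). The body carries a correlation id for the log entry,
    never the exception text, so an edge case cannot leak stack traces or paths."""
    if not is_entitled(user_id, lookup):
        return 403, {"error": "forbidden"}
    try:
        return 200, {"data": export(user_id)}
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("export failed ref=%s user=%s", ref, user_id)
        return 500, {"error": "internal error", "ref": ref}
```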

The “Vibe Coding” Warning

AI did not make the top ten. But OWASP’s dedicated “next steps” entry — “Inappropriate Trust in AI Generated Code” — is a signal worth taking seriously.

Tanya Janca was candid: “Although we didn’t have data to support the fact that AI-generated code is causing significantly more risk than human-written code, thanks to community feedback, professional experience, and constant online sharing of such data, we felt it prudent to add a section.”

Her advice: read and fully understand AI-generated code before committing it. If AI code generation adoption continues to accelerate, this category is likely to move into the top ten in a future edition. Organizations that establish review practices for AI-generated code now will be ahead of the curve.

Kiteworks: Purpose-Built Security for the Vulnerabilities That Persist

The OWASP Top 10 reveals a persistent pattern: most web applications are built with functionality first and security second. Kiteworks addresses this by design.

For broken access control, Kiteworks provides zero-trust verification on every request, role-based and attribute-based access controls, least-privilege enforcement by default, and complete audit trails. Unlike applications that build custom access control, Kiteworks delivers pre-built, tested controls for sensitive data communications — eliminating the number one OWASP vulnerability by architecture.

For supply chain failures, Kiteworks operates a hardened SDLC with isolated CI/CD pipelines, code signing, SBOMs, and continuous vulnerability scanning — and governs third-party data exchange through time-limited, scoped permissions.

For misconfiguration, the platform ships secure-by-default with automated validation and forced credential changes. For cryptographic failures, it provides FIPS 140-3 validated cryptography and TLS 1.3. For authentication, it enforces MFA, strong password policies, and enterprise SSO. For logging, it delivers tamper-proof audit trails with SIEM integration, real-time alerting, and pre-built compliance reporting for GDPR, HIPAA, CMMC, and other frameworks.

Consumer file sharing platforms expose shared links that bypass access controls and offer limited audit trails. Email platforms remain vulnerable to forwarding that circumvents governance and AI-powered phishing. Legacy MFT solutions carry complex configurations that increase misconfiguration risk. Kiteworks provides the security-by-design architecture that the OWASP Top 10 has been telling the industry it needs — for 22 years and counting.

To learn how Kiteworks can help, schedule a custom demo today.

Frequently Asked Questions

The OWASP Top 10 2025 identifies broken access control as the most critical web application vulnerability — a position it has held since 2003. Security misconfiguration climbed to number two, and software supply chain failures debuted at number three. Together these three categories account for the majority of real-world breaches. Organizations that don’t implement purpose-built access controls and secure-by-default configurations remain exposed to the same risks that have dominated the list for two decades.

Software supply chain attacks compromise the build, distribution, or update process rather than targeting applications directly. Attackers inject malicious code into open-source libraries, tamper with CI/CD pipelines, or breach developer workstations. Fifty percent of security experts now rank supply chain risk as their top concern. Defense requires software bills of materials, code signing, hardened build environments, and rigorous third-party risk management for every dependency — not just direct ones.

Security misconfiguration appears in virtually every application tested because cloud adoption has made systems dramatically more configurable, and more configurability means more opportunities to configure things incorrectly. Default credentials left unchanged, publicly accessible storage buckets, and verbose error messages revealing system architecture are common culprits. The problem compounds as organizations span multiple cloud providers and infrastructure-as-code environments. Secure-by-default platform settings and automated configuration validation are the only scalable defenses at this level of complexity.

OWASP’s 2025 “next steps” section flags “Inappropriate Trust in AI Generated Code” — colloquially called the “vibe coding” problem — as an emerging risk on a path to top-ten inclusion. Developers are committing AI-generated code without fully reviewing it, introducing vulnerabilities that no automated scanner caught because a human never understood the logic. The fix is straightforward: treat AI-generated code like any untrusted input. Read it, understand it, and test it before it ships. Audit trails that capture code provenance will increasingly matter as this risk matures.

Mapping security controls to the OWASP Top 10 starts with the top three: enforce least-privilege access controls using tested frameworks rather than custom implementations, validate configurations against secure-by-default baselines, and inventory every third-party dependency in your build pipeline. Address cryptographic failures by standardizing on FIPS-validated cryptography and TLS 1.3. Enforce MFA across all authentication flows. And close the logging gap by pairing audit logs with real-time alerting and SIEM integration — logging without alerting is not a detection capability.
