OWASP Top 10:2025 (Release Candidate 1) — What Changed, Why It Matters, and What Your Security Team Should Do Next
OWASP has released Release Candidate 1 (RC1) of the OWASP Top 10:2025, offering a preview of how application security risk priorities are shifting. The final version may contain minor adjustments, but RC1 is widely regarded as a stable enough foundation for planning, training and policy development.
https://owasp.org/Top10/2025/0x00_2025-Introduction/
Release Status
This version is not yet the final release. OWASP is accepting feedback, issue reports, and pull requests until November 20, 2025. The final release will come out in early 2026 and small changes may occur, but the overall structure and rankings are expected to remain the same.
The community review process needs your input so please submit your suggestions through this link:
https://github.com/OWASP/Top10/issues
The OWASP Top 10 is more than a technical reference. It directly impacts:
- Secure coding standards
- Architecture review practices
- Procurement and vendor assessment
- Internal & external audit readiness
- Regulatory and compliance mapping (e.g., SEBI, RBI, CERT-In)
The 2025 update reflects a strategic shift:
from fixing individual vulnerabilities → to securing the application ecosystem, including supply chains, configurations, and operational resilience.
OWASP Top 10:2025 (RC1)
| Rank | Category |
|---|---|
| A01 | Broken Access Control |
| A02 | Security Misconfiguration |
| A03 | Software Supply Chain Failures (New) |
| A04 | Cryptographic Failures |
| A05 | Injection |
| A06 | Insecure Design |
| A07 | Authentication Failures |
| A08 | Software or Data Integrity Failures |
| A09 | Logging & Alerting Failures |
| A10 | Mishandling of Exceptional Conditions (New) |
What has Changed Compared to OWASP Top 10:2021
Side-by-Side Comparison
| 2021 Rank | OWASP Top 10 (2021) | 2025 Rank | OWASP Top 10 (2025 RC1) | Key Change & Insight |
|---|---|---|---|---|
| A01 | Broken Access Control | A01 | Broken Access Control | Still the #1 risk. Authorization issues remain widespread, and SSRF is now treated as a symptom of broken access control. |
| A02 | Cryptographic Failures | A04 | Cryptographic Failures | Still important, but not growing as fast as misconfigurations or supply-chain risks. |
| A03 | Injection | A05 | Injection | Modern frameworks reduce many injection flaws, but high-impact cases like SQLi and RCE still matter. |
| A04 | Insecure Design | A06 | Insecure Design | “Secure by design” is no longer aspirational; it is now expected as a baseline engineering practice. |
| A05 | Security Misconfiguration | A02 | Security Misconfiguration | Now a top-tier risk (#2). Misconfigurations in web applications, cloud environments, containers, and APIs drift easily and continue to cause real-world breaches. |
| A06 | Vulnerable & Outdated Components | Replaced by A03 | Software Supply Chain Failures (New) | Much broader scope now: includes dependency trust, package integrity, CI/CD pipeline security, and distribution chain risks. |
| A07 | Identification & Authentication Failures | A07 | Authentication Failures | Renamed for clarity. Credential stuffing, weak session handling, and token misuse remain common. |
| A08 | Software & Data Integrity Failures | A08 | Software or Data Integrity Failures | Emphasizes verifying integrity of code, data, files, and artifacts. Same category, clearer focus. |
| A09 | Logging & Monitoring Failures | A09 | Logging & Alerting Failures | Logging alone isn’t enough; lack of actionable alerts remains a major detection weakness. |
| A10 | SSRF | Merged into A01 & A02 | (no standalone category) | SSRF is now viewed as a by-product of poor access control and insecure configuration. |
| — | — | A03 (New) | Software Supply Chain Failures | Captures modern attack patterns (SolarWinds, dependency poisoning, artifact tampering). A major new focus area. |
| — | — | A10 (New) | Mishandling of Exceptional Conditions | Addresses failure modes: error handling, fail-open behaviour, degradation handling, and operational resilience. |
Why These Changes Are Happening
Applications today are:
- Built from open-source packages and third-party dependencies
- Deployed by automated CI/CD pipelines
- Distributed across APIs, cloud, and microservices
- Continuously configured rather than built to a fixed design
This creates new classes of failures:
- A breach can originate in the supply chain, not the application code.
- A misconfigured reverse proxy or API gateway can expose internal systems.
- Systems often fail insecurely under load, outage, or error conditions.
The 2025 list reflects how attackers actually operate today.
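The "fail insecurely under error conditions" point above is what A10 (Mishandling of Exceptional Conditions) is about. The following is an added illustration, not code from OWASP or SiteWALL: a constructed authorization backend goes down, and a fail-open check silently grants access while the fail-closed version denies and surfaces the failure for alerting. `PolicyService`, `PolicyServiceUnavailable` and the sample policy are all constructed for this example.

```python
from dataclasses import dataclass


class PolicyServiceUnavailable(Exception):
    """Raised when the (constructed) authorization backend cannot be reached."""


@dataclass
class PolicyService:
    """Constructed stand-in for an external authorization service."""
    allowed: set
    healthy: bool = True

    def is_allowed(self, user: str, resource: str) -> bool:
        if not self.healthy:
            raise PolicyServiceUnavailable("policy backend timed out")
        return (user, resource) in self.allowed


def authorize_fail_open(svc: PolicyService, user: str, resource: str) -> bool:
    """Vulnerable pattern: every backend exception is swallowed and treated
    as 'allow', so an outage silently disables access control (A10)."""
    try:
        return svc.is_allowed(user, resource)
    except Exception:
        return True  # fail open: backend down means everyone gets in


def authorize_fail_closed(svc: PolicyService, user: str, resource: str) -> bool:
    """Hardened pattern: the failure is surfaced for alerting and the request
    is denied; only an explicit True from the backend grants access."""
    try:
        return svc.is_allowed(user, resource) is True
    except PolicyServiceUnavailable as exc:
        # In production this event goes to the SIEM so the outage is alerted on.
        print(f"ALERT authz backend failure, denying {user} -> {resource}: {exc}")
        return False


def simulate_outage(user: str, resource: str) -> tuple:
    """Run both handlers with the backend healthy, then with it down.
    Returns ((open_healthy, closed_healthy), (open_down, closed_down))."""
    svc = PolicyService(allowed={("alice", "/reports")})  # constructed policy
    healthy = (authorize_fail_open(svc, user, resource),
               authorize_fail_closed(svc, user, resource))
    svc.healthy = False  # simulate the backend outage
    down = (authorize_fail_open(svc, user, resource),
            authorize_fail_closed(svc, user, resource))
    return healthy, down
```

`simulate_outage("mallory", "/reports")` shows the divergence: both handlers deny while the backend is healthy, but once it is down only the fail-closed handler still denies.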
Sector Impact (BFSI, FinTech, NBFCs, Healthcare, Government)
The 2025 RC1 aligns directly with regulatory trends in India:
- SEBI CSCRF: Configuration & continuous monitoring expectations
- RBI: WAF, supply chain integrity, authentication protections
- CERT-In Directives: Logging, alerting, incident visibility
This gives security teams a strong justification for proactive controls and budget alignment.
Where a Modern SiteWALL WAF Fits
| Risk Category | How a WAF Helps |
|---|---|
| A01 – Broken Access Control | Detects abnormal access patterns, blocks forced browsing, authorization bypass attempts, and SSRF-like traffic flows. |
| A02 – Security Misconfiguration | Enforces secure headers, strict TLS policies, sane defaults, and prevents exposure from misconfigured web apps, APIs, and gateways. |
| A03 – Software Supply Chain Failures | Monitors runtime anomalies from compromised components, malicious libraries, or unexpected behaviour injected into the app. |
| A05 – Injection | Blocks payloads for SQLi, XSS, NoSQLi, command injection (RCE), template injection, and deserialization attacks. |
| A07 – Authentication Failures | Detects credential stuffing, brute-force login attempts, session manipulation, and MFA bypass attempts. |
| A09 – Logging & Alerting Failures | Sends enriched events to SIEM/SOAR, enabling timely incident detection and automated responses. |
| A10 – Mishandling of Exceptional Conditions | Prevents applications from leaking data or failing open when backends crash or misbehave (e.g., 500/502/503 scenarios). |
The WAF is no longer just a perimeter control — it is a runtime integrity, anomaly detection and operational resilience layer.
Action Plan for Security Teams (2025-aligned)
| Step | Action |
|---|---|
| 1 | Audit access-control logic and privilege boundaries, especially across APIs, microservices, and backend integrations. |
| 2 | Strengthen configuration governance for cloud, container, proxy, gateway, and WAF layers. |
| 3 | Inventory third-party dependencies and enforce SBOM + integrity checks across build pipelines. |
| 4 | Validate cryptographic configurations, key rotation, and certificate lifecycle management. |
| 5 | Enable WAF behavioural detection and runtime protection modes for layered defense. |
| 6 | Ensure logs trigger alerts, tickets, or automated actions, not just storage. |
| 7 | Test system behaviour under failure, not just under normal load; resilience is now a security requirement. |
Conclusion
OWASP Top 10:2025 RC1 signals a clear transformation:
Application security now demands ecosystem-level trust, not patch-by-patch vulnerability fixes.
Organizations that start aligning now will be:
- Better protected against modern supply-chain & cloud-native attacks
- Better positioned for compliance and audits
- Better equipped to justify proactive security investments
And importantly:
For India’s digital economy, this is a pivotal moment.
As a proud Make-in-India cybersecurity product, SiteWALL is built to meet these new OWASP expectations while supporting Indian enterprises with world-class application defense.
Want to contribute to the final OWASP 2025 list?
OWASP is still accepting feedback until November 20, 2025.
You can contribute, discuss, or propose improvements here: https://github.com/OWASP/Top10/issues
Staying engaged ensures your security practices evolve along with the industry.