
"The Open Worldwide Application Security Project (OWASP) just published its top 10 categories of application risks for 2025, its first list since 2021. It found that while broken access control remains the top issue, security misconfiguration is a strong second, and software supply chain issues are still prominent. The update was presented at the organization's Global AppSec USA event. The list is final but the official write-up is in preview, according to OWASP Top 10 co-leads Neil Smithline and Tanya Janca."
"Broken access control is "hands down the #1 category for web apps, APIs, and many other digital systems," according to Smithline and Janca. It impacts 3.73 percent of applications tested. Errors in this category include bypassing access control through URL tampering, APIs with missing access controls, guessing URLs to privileged pages as a standard user, or any violation of the principle of least privilege. "Except for public resources, deny by default" is the top tip for prevention."
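The three failure patterns named above (URL tampering, missing API access controls, guessing privileged URLs as a standard user) and the "deny by default" tip are easiest to see side by side in code. The following is an added example, not code from OWASP, The Register, or the quoted co-leads: it contrasts an allow-by-default route check, which lets any route the developer forgot to list through, with a deny-by-default one that requires every non-public route to be explicitly registered with the roles it admits and an ownership check on user-scoped paths. The route table, roles, `Request` shape and paths are constructed for illustration.

```python
"""Allow-by-default vs deny-by-default authorization (constructed example)."""
import posixpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    user_id: Optional[int]  # None for an unauthenticated caller
    role: Optional[str]     # hypothetical roles: "user" or "admin"
    path: str


# --- Vulnerable: allow by default -------------------------------------------
# Only the prefixes the developer remembered are protected. A privileged page
# that was never listed (e.g. /admin/export) is reachable by anyone who guesses
# the URL, and a user-scoped path like /users/9/orders is never tied to the
# caller, so changing the id in the URL is enough to read another account.
PROTECTED_PREFIXES = {"/admin/users": "admin"}


def authorize_allow_by_default(req: Request) -> bool:
    for prefix, required_role in PROTECTED_PREFIXES.items():
        if req.path.startswith(prefix):
            return req.role == required_role
    return True  # anything not explicitly protected is allowed


# --- Hardened: deny by default ----------------------------------------------
# Public resources are an explicit allowlist. Every other route must appear in
# ROUTES with the roles it admits; unknown routes and anonymous callers are
# denied. Routes whose path carries a {user_id} are checked against the caller
# unless the caller is an admin, which closes the URL-tampering case.
PUBLIC_PATHS = {"/", "/login", "/health"}

ROUTES = [
    # (pattern, roles admitted, must the {user_id} in the path match the caller?)
    (re.compile(r"^/admin/.*$"), {"admin"}, False),
    (re.compile(r"^/users/(?P<user_id>\d+)(/.*)?$"), {"user", "admin"}, True),
]


def canonical_path(path: str) -> Optional[str]:
    """Collapse '.' and '..' segments so the check sees the same path the
    router will dispatch on; reject anything that is not an absolute path."""
    if not path.startswith("/"):
        return None
    return posixpath.normpath(path)


def authorize_deny_by_default(req: Request) -> bool:
    path = canonical_path(req.path)
    if path is None:
        return False
    if path in PUBLIC_PATHS:
        return True
    if req.user_id is None or req.role is None:
        return False  # not public and not authenticated
    for pattern, roles, owner_check in ROUTES:
        match = pattern.match(path)
        if not match:
            continue
        if req.role not in roles:
            return False
        if owner_check and req.role != "admin" and int(match.group("user_id")) != req.user_id:
            return False  # caller changed the id in the URL to someone else's
        return True
    return False  # route not registered: deny, do not guess


if __name__ == "__main__":
    probes = [
        Request(None, None, "/login"),               # public
        Request(7, "user", "/users/7/orders"),       # own data
        Request(7, "user", "/users/9/orders"),       # URL tampering
        Request(7, "user", "/admin/export"),         # unlisted privileged page
        Request(7, "user", "/./admin/users"),        # un-normalized prefix bypass
        Request(None, None, "/reports/2025"),        # unknown route, anonymous
    ]
    for p in probes:
        print(f"{p.path:<22} allow-by-default={authorize_allow_by_default(p)!s:<5} "
              f"deny-by-default={authorize_deny_by_default(p)}")
```

The allow-by-default version passes four of the six probes that it should refuse; the deny-by-default version refuses all of them and still admits the public page and the user's own resource. Whether a given framework would actually dispatch `/./admin/users` to the admin handler depends on its router, which is exactly why the check runs on the canonical path the router uses rather than the raw string.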
The Open Worldwide Application Security Project updated its top 10 application risk categories for 2025, its first list since 2021. The list is final and was presented at the Global AppSec USA event, while the official write-up remains in preview. The top 10 is a data-driven awareness document, built from data contributed by organizations and from survey responses, intended to help teams prioritize risks rather than serve as a complete standard. Several categories were revised: software supply chain failures replaced vulnerable and outdated components, server-side request forgery was merged into broken access control, and a new category covers mishandling of exceptional conditions. Security misconfiguration rose to second, and software supply chain failures ranked third on the strength of its exploit and impact scores.
Read at The Register