OWASP Top 10, 2025
OWASP Foundation
ISO 27001, SOC 2, PCI DSS
What Is the OWASP Top 10?
The OWASP Top 10 is a regularly updated list of the ten most critical web application security risks, published by the Open Web Application Security Project. It is consensus-based, data-driven, and updated to reflect the real-world vulnerability landscape across thousands of applications.
For developers, it is a secure coding reference. For security teams, it is a penetration testing and code review framework. For compliance officers, it is referenced directly by ISO 27001 Annex A.8, SOC 2 CC8.1, and PCI DSS Requirement 6 as the benchmark for secure application development practices.
"Understanding the OWASP Top 10 is not optional for any team building or securing web applications. It is the minimum baseline. Everything else builds on top of it."
All 10 Categories - 2025 Edition
A01: Broken Access Control
The number one vulnerability since 2021, found in 94% of tested applications. Access control enforces that users cannot act outside their intended permissions. Broken access control includes IDOR (insecure direct object references), missing function-level access control, privilege escalation from user to admin, CORS misconfigurations that allow unauthorised API access, and JWT token manipulation to elevate privileges.
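The IDOR case from the paragraph above, as an added example (not OWASP project code): a lookup that only checks the record exists, beside one that checks ownership on the server for every access. The invoice records, user ids and the Forbidden exception are constructed for the demonstration.

```python
"""Broken access control, IDOR variant: vulnerable lookup beside the hardened one.

Added example, not OWASP project code. Records, users and the Forbidden
exception are all constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised for any denied access. The same error covers 'missing' and
    'not yours', so a caller cannot enumerate which ids exist."""


# Constructed sample data: invoice id -> record, including the owning user.
INVOICES: Dict[int, Dict] = {
    1001: {"owner": 1, "amount": 120.00},
    1002: {"owner": 2, "amount": 980.50},
}


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> Optional[Dict]:
    """Checks only that the record exists. The caller's identity is ignored,
    so any authenticated user can read any invoice by changing the id in the
    request: an insecure direct object reference."""
    return INVOICES.get(invoice_id)


def is_authorised(current_user: User, invoice_id: int) -> bool:
    """Deny by default: the record must exist and be owned by the caller,
    unless the caller holds an explicitly privileged role."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return False
    if current_user.role == "admin":
        return True
    return record["owner"] == current_user.user_id


def get_invoice(current_user: User, invoice_id: int) -> Dict:
    """Hardened lookup: the authorisation decision is made on the server, on
    every access, against the owner stored with the object (never against an
    owner field supplied by the client)."""
    if not is_authorised(current_user, invoice_id):
        raise Forbidden(f"user {current_user.user_id} may not read invoice {invoice_id}")
    return INVOICES[invoice_id]
```

The fix is not input validation: `invoice_id` is a perfectly well-formed integer in both versions. What changes is that the hardened path ties the object to the authenticated principal before returning it.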
A02: Cryptographic Failures
Previously called "Sensitive Data Exposure"; renamed to focus on the root cause rather than the symptom. Cryptographic failures cover transmitting sensitive data in clear text (HTTP, SMTP without TLS), using weak or deprecated algorithms (MD5, SHA1, DES), hardcoded cryptographic keys, missing encryption at rest for sensitive data, and improper certificate validation.
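The weak-algorithm failure applied to password storage, as an added example (not OWASP project code): unsalted MD5 beside a salted, iterated PBKDF2-HMAC-SHA256 hash with constant-time verification. Only the Python standard library is used; the 600,000 iteration count is an assumption for the demo.

```python
"""Cryptographic failures in password storage: unsalted MD5 beside a salted,
iterated key-derivation function with constant-time verification.

Added example, not OWASP project code. The iteration count is an assumption
chosen for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional


def hash_password_weak(password: str) -> str:
    """What NOT to do: fast, unsalted MD5. Identical passwords produce identical
    digests, and the digest can be reversed with precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The salt and iteration count are stored
    alongside the hash so the cost can be raised later without a flag day."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time, so
    the comparison leaks nothing about how many bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed or legacy record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Two properties are worth checking in a code review: the same password must produce different stored values on each call (a random salt), and verification must not use `==` on secret-derived bytes.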
A03: Injection
SQL injection, OS command injection, LDAP injection, and Cross-Site Scripting (XSS) are all included here. Injection occurs when an application sends untrusted data to an interpreter as part of a command or query. SQL injection remains one of the most destructive vulnerabilities: a single injectable endpoint can lead to full database exfiltration. XSS allows attackers to execute scripts in victims' browsers, enabling session hijacking and credential theft.
A04: Insecure Design
New in the 2021 list and reinforced in 2025, insecure design focuses on design-level flaws rather than implementation bugs: security controls missing by design rather than misconfigured. An application that never implemented rate limiting on authentication endpoints has an insecure design flaw. No amount of patching fixes a design problem; it requires redesign. This is why threat modeling at the design phase is critical.
A05: Security Misconfiguration
Found in 90% of tested applications. Security misconfiguration covers default credentials left unchanged, unnecessary features enabled, verbose error messages exposing stack traces, missing security headers (CSP, HSTS, X-Frame-Options), overly permissive CORS policies, and cloud storage buckets left publicly accessible. As applications increasingly run on cloud infrastructure, misconfiguration has become the dominant attack vector.
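A header audit for the misconfigurations listed above, as an added example (not OWASP project code): it checks a response's headers for missing HSTS, CSP, clickjacking and MIME-sniffing protections, wildcard CORS, and version disclosure. The one-year HSTS threshold and the two sample header sets are assumptions constructed for the demo.

```python
"""Security misconfiguration: auditing HTTP response headers for missing
protections and over-permissive CORS.

Added example, not OWASP project code. Thresholds and sample headers are
constructed for the demo.
"""
import re
from typing import Dict, List

ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age for this check


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise before checking.
    return {k.lower(): v for k, v in headers.items()}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = _lower(headers)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits unsafe-inline or unsafe-eval")

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in (csp or "") and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    acao = h.get("access-control-allow-origin")
    with_credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and with_credentials:
        findings.append("CORS: wildcard origin combined with credentials")
    elif acao == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin")

    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header leaks a version: {server}")
    return findings


# Constructed sample responses for the demo.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Access-Control-Allow-Origin": "https://app.example.com",
}
```

Checks like this belong in the CI pipeline against a staging deployment, where a regression in a reverse-proxy or framework default shows up before it reaches production.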
A06: Vulnerable and Outdated Components
Applications using components (libraries, frameworks, operating systems) with known vulnerabilities are directly exploitable. Log4Shell was the most prominent example: a critical vulnerability in a logging library used by hundreds of thousands of applications globally. The 2025 edition adds explicit SBOM (Software Bill of Materials) requirements, reflecting regulatory pressure and the widespread adoption of SBOM as a supply chain security control.
A07: Authentication Failures
Authentication failures include permitting weak or default passwords, missing or ineffective MFA, exposing session IDs in URLs, not invalidating sessions on logout, credential stuffing enabled by missing rate limiting, and insecure password reset flows. In 2025, the category specifically calls out authentication bypass vulnerabilities in AI-powered chatbots and LLM-integrated applications as an emerging concern.
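Rate limiting on a login endpoint is the control whose absence is the insecure-design example under A04 and the enabler of credential stuffing under A07, so one added example serves both (not OWASP project code). It throttles per account (brute force against one user) and per source IP (one source cycling through many users). The limits, the window and the injected clock are assumptions for the demo; the credential check is a callback supplied by the caller.

```python
"""Rate limiting on an authentication endpoint, throttled per account and per
source IP.

Added example, not OWASP project code. Limits, window and the injectable clock
are assumptions for the demo.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class SlidingWindowLimiter:
    """At most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginGuard:
    """Two keys: per account (online brute force of one user) and per source IP
    (credential stuffing: one source, many users)."""

    def __init__(self, check_credentials: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.check = check_credentials
        self.per_account = SlidingWindowLimiter(limit=5, window=300, clock=clock)
        self.per_ip = SlidingWindowLimiter(limit=20, window=300, clock=clock)

    def login(self, username: str, password: str, source_ip: str) -> str:
        # Spend the budget before checking the password: failures and
        # successes both count, so guessing is never free.
        if not self.per_ip.allow(source_ip):
            return "throttled_ip"
        if not self.per_account.allow(username.lower()):
            return "throttled_account"
        return "ok" if self.check(username, password) else "invalid"


def login_unlimited(check_credentials: Callable[[str, str], bool],
                    username: str, password: str) -> str:
    """The insecure design: no throttle at all, every guess is free."""
    return "ok" if check_credentials(username, password) else "invalid"
```

Per-account throttling alone does not stop stuffing (each account sees only one attempt), and per-IP throttling alone does not stop a distributed attack on one account; the design needs both, and the decision to have them is made at design time, not patched in later.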
A08: Software and Data Integrity Failures
This category covers insecure deserialization and CI/CD pipeline integrity failures. An application that automatically updates without verifying the integrity of the update (using a compromised package registry, a tampered npm package, or a supply chain poisoning attack) falls here. The SolarWinds attack is the canonical example. The 2025 edition strengthens the connection to software supply chain attacks and adds guidance on securing AI model pipelines.
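The "update without verifying integrity" failure beside its fix, as an added example (not OWASP project code): the artifact is checked against a pinned digest in the `sha256-<base64>` Subresource Integrity format that lockfiles use before it is installed. The artifact bytes and the pin are constructed for the demo; in practice the pin comes from the lockfile or a signed manifest, never from the server that serves the artifact.

```python
"""Software and data integrity: verify a downloaded update against a pinned
digest before applying it.

Added example, not OWASP project code. Artifact and pin are constructed.
"""
import base64
import hashlib
import hmac
from typing import Callable, Dict

SUPPORTED: Dict[str, Callable] = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def sri_digest(data: bytes, algo: str = "sha256") -> str:
    """Compute an SRI-style integrity string such as 'sha256-<base64 digest>'."""
    digest = SUPPORTED[algo](data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, pinned: str) -> bool:
    """True only if `data` matches the pinned integrity string."""
    algo, _, expected_b64 = pinned.partition("-")
    if algo not in SUPPORTED or not expected_b64:
        return False  # unknown or weak algorithm: fail closed
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except (ValueError, TypeError):
        return False
    actual = SUPPORTED[algo](data).digest()
    return hmac.compare_digest(actual, expected)


class UpdateRejected(Exception):
    pass


def apply_update_vulnerable(artifact: bytes, install: Callable[[bytes], None]) -> str:
    """Trusts whatever arrived from the registry or mirror."""
    install(artifact)
    return "installed"


def apply_update(artifact: bytes, pinned: str, install: Callable[[bytes], None]) -> str:
    """Refuses to install anything whose digest does not match the pin."""
    if not verify_integrity(artifact, pinned):
        raise UpdateRejected("integrity check failed; artifact not installed")
    install(artifact)
    return "installed"
```

A digest pin protects against a tampered mirror or registry entry; it does not help when the pin itself was recorded from an already-poisoned upstream release, which is where signed releases and provenance attestations come in.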
A09: Security Logging and Monitoring Failures
Without adequate logging and monitoring, breaches go undetected. The average dwell time (the time between initial compromise and detection) is 197 days globally. Logging failures include: no logging of authentication events or high-value transactions; logs not monitored for suspicious activity; log tampering made possible by storing logs on the same system as the application; and no incident response procedures triggered by log alerts.
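Detection logic run over authentication log lines, as an added example (not OWASP project code): it flags a burst of failures from one source and, at higher priority, a success from that source after the burst. The log format and the sample lines are constructed; the point is that authentication events are logged at all and that something consumes them.

```python
"""Logging and monitoring: detection over authentication log lines.

Added example, not OWASP project code. Log format and sample lines are
constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log for the demo.
SAMPLE_LOG = """\
2025-01-15T10:00:01Z auth failure user=alice ip=203.0.113.5
2025-01-15T10:00:03Z auth failure user=alice ip=203.0.113.5
2025-01-15T10:00:04Z auth failure user=alice ip=203.0.113.5
2025-01-15T10:00:06Z auth failure user=alice ip=203.0.113.5
2025-01-15T10:00:07Z auth failure user=alice ip=203.0.113.5
2025-01-15T10:00:09Z auth success user=alice ip=203.0.113.5
2025-01-15T10:05:00Z auth success user=bob ip=198.51.100.7
2025-01-15T10:06:00Z auth failure user=carol ip=198.51.100.7
"""


def parse(line: str) -> dict:
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[str]:
    """Sliding-window failure count per source IP. Emits a MEDIUM alert when
    the count reaches `threshold` and a HIGH alert when a success from that IP
    follows the burst (a likely account compromise)."""
    alerts: List[str] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    bursting: Dict[str, bool] = defaultdict(bool)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "failure":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() < window_seconds]
            failures[ip] = recent + [ts]
            if len(failures[ip]) == threshold and not bursting[ip]:
                bursting[ip] = True
                alerts.append(f"MEDIUM brute-force: {threshold} failures from {ip} "
                              f"within {window_seconds}s")
        else:
            if bursting[ip]:
                alerts.append(f"HIGH possible compromise: success for {ev['user']} "
                              f"from {ip} after a failure burst")
            failures[ip] = []       # reset so a later burst alerts again
            bursting[ip] = False
    return alerts
```

The rule is deliberately simple; what matters for this category is that the events exist, are shipped off the application host to a store the application cannot rewrite, and feed an alert that a person or runbook acts on.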
A10: Server-Side Request Forgery (SSRF)
SSRF vulnerabilities allow attackers to induce the server-side application to make HTTP requests to an arbitrary domain, including internal services that are not publicly accessible. In cloud environments, SSRF is particularly dangerous because it can be used to access instance metadata endpoints (AWS IMDSv1) and retrieve IAM credentials. SSRF is elevated to a standalone category in 2025, reflecting its increasing prevalence in cloud-native applications and its role in several high-profile breaches.
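An outbound-URL validator for the server-side fetch the paragraph describes, as an added example (not OWASP project code): it rejects non-HTTP schemes, optionally enforces a host allowlist, and resolves the name to check that no address is private, loopback, link-local or the cloud metadata address. DNS resolution is injected as a callable so the block runs offline; the resolver table and the public address in it are constructed for the demo.

```python
"""SSRF defence: validate a user-supplied URL before the server fetches it.

Added example, not OWASP project code. The fake resolver table is constructed;
the public address in it is borrowed for the demo. In production the fetch
must connect to the validated IP without re-resolving, and must not follow
redirects blindly, or the check can be bypassed.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

METADATA_IP = ipaddress.ip_address("169.254.169.254")  # cloud instance metadata


class UnsafeUrl(ValueError):
    pass


def default_resolver(host: str) -> List[str]:
    """Real resolver: every address the name maps to, v4 and v6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str,
                          resolver: Callable[[str], List[str]] = default_resolver,
                          allowed_hosts: Optional[Iterable[str]] = None) -> str:
    """Return the single IP the fetch may connect to, or raise UnsafeUrl."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL not allowed")
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        raise UnsafeUrl(f"host not on allowlist: {host}")

    # Check every address the name maps to: a name that resolves to one public
    # and one internal address is rejected as a whole.
    addresses = resolver(host)
    if not addresses:
        raise UnsafeUrl(f"unresolvable host: {host}")
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if (ip == METADATA_IP or ip.is_private or ip.is_loopback
                or ip.is_link_local or ip.is_reserved or ip.is_multicast
                or ip.is_unspecified):
            raise UnsafeUrl(f"{host} resolves to non-public address {ip}")
    return addresses[0]


def is_safe_url(url: str, **kwargs) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except UnsafeUrl:
        return False


# Constructed resolver table for the demo (8.8.8.8 stands in for a public host).
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "split.example": ["8.8.8.8", "10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    try:
        ipaddress.ip_address(host)  # an IP literal "resolves" to itself
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])
```

Where the set of legitimate destinations is known, the allowlist is the stronger control and the address check is defence in depth; where the destination is genuinely user-chosen, the address check plus a network egress policy is the minimum.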
Addressing OWASP Top 10 vulnerabilities requires both developer education and automated tooling integrated into the CI/CD pipeline; one without the other is insufficient.
OWASP Top 10 and Compliance Frameworks
The OWASP Top 10 is not just a security reference; it is a compliance requirement. Here is how it maps to the frameworks most commonly required by enterprise customers and regulators:
| Framework | Reference to OWASP | What It Requires |
|---|---|---|
| ISO 27001 | Annex A.8.25-A.8.31 | Secure development lifecycle, secure coding, application security testing; OWASP Top 10 is the accepted technical reference for all three |
| SOC 2 | CC8.1 (Change management) | Software development follows secure coding practices. OWASP compliance evidence (SAST results, penetration test reports mapped to Top 10) satisfies this criterion |
| PCI DSS | Requirement 6.2 and 6.3 | Explicitly references OWASP as the standard for identifying and addressing common vulnerabilities. Requirement 6.2.4 requires protection against all OWASP Top 10 categories |
| HIPAA | 164.312(c) (Integrity controls) | Protecting ePHI integrity from improper alteration; OWASP Top 10 addresses the primary attack vectors against integrity |
| GDPR / DPDP | Article 32 / Section 8(5) | Appropriate technical measures to protect personal data; OWASP Top 10 remediation directly addresses the technical requirements |
Implementing OWASP Top 10 in Your SDLC
Knowing the Top 10 categories is the starting point. Operationalising them across your development lifecycle is where the work actually happens.
- SAST (Semgrep, SonarQube, Checkmarx): catches A03 Injection, A02 Cryptographic Failures and A07 Authentication issues in code before commit.
- SCA (Snyk, OWASP Dependency-Check): catches A06 Vulnerable Components.
- DAST (OWASP ZAP, Burp Suite): catches A01 Broken Access Control, A05 Misconfiguration and A10 SSRF at runtime.
- Penetration testing: validates all ten categories in your specific environment.

No single tool covers all ten; you need the full stack.
The 2025 edition adds specific guidance on AI-generated code security. LLM coding assistants generate code that frequently contains A03 Injection patterns, A07 Authentication failures, and A02 Cryptographic weaknesses, because they are trained on historical code repositories that predate modern security practices. Every line of AI-generated code must pass the same SAST review as human-written code. No exceptions.
Frequently Asked Questions
What is the OWASP Top 10?
The OWASP Top 10 is a regularly updated list of the ten most critical web application security risks, published by the Open Web Application Security Project. It is the most widely cited web application security standard in the world and is referenced by ISO 27001, SOC 2, PCI DSS, and HIPAA as a framework for secure development practices.
What is the most critical OWASP Top 10 vulnerability?
Broken Access Control (A01) has been the number one OWASP vulnerability since the 2021 edition and remains at the top in 2025. It was found in 94% of applications tested. It includes IDOR, missing function-level access control, privilege escalation, and CORS misconfigurations.
What changed in the 2025 edition?
The 2025 OWASP Top 10 elevates Server-Side Request Forgery (SSRF) to a standalone A10 category, adds SBOM requirements to the Vulnerable and Outdated Components category, and introduces specific guidance on AI-generated code security risks for the first time, reflecting the widespread adoption of LLM coding assistants.
How does the OWASP Top 10 relate to ISO 27001, SOC 2 and PCI DSS?
ISO 27001 Annex A.8.25-A.8.31 requires secure application development practices; OWASP provides the technical reference. SOC 2 CC8.1 requires secure coding practices. PCI DSS Requirement 6.2 explicitly references OWASP as a source of secure coding guidelines. Demonstrating that your SDLC addresses OWASP Top 10 categories is strong evidence for all three frameworks.
How should a team start implementing the OWASP Top 10?
Start by scanning existing applications with SAST and DAST tools to identify which OWASP categories are present. Prioritise by exploitability and business impact. Establish secure coding guidelines mapped to OWASP categories. Train developers on the vulnerabilities most common in your stack. Integrate SAST into your CI/CD pipeline so new code is continuously scanned before merge.