OWASP Top 10 2025 report

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

The OWASP Top 10 report educates developers, designers, architects, and managers about the most critical web application security risks. The report provides basic guidance on how to mitigate these risks.

AppScan Enterprise version 10.11.0 and later supports the OWASP Top 10 2025 report.

What changed from OWASP Top 10 2021 to 2025

The 2025 update adds one new category, consolidates and broadens several 2021 categories (for example, SSRF is folded into Broken Access Control, and Vulnerable and Outdated Components grows into Software Supply Chain Failures), and renames others so that category names point at root causes rather than symptoms.

Table 1. Vulnerabilities in the OWASP Top 10 2025 report

Each entry gives the 2025 category, followed by its description and the change from the OWASP Top 10 2021.

A01 Broken Access Control
    Remains the most critical security risk. This category now also covers Server-Side Request Forgery (SSRF), which was a separate category (A10) in the 2021 report.

A02 Security Misconfiguration ⇧
    Moves up from position 5. The rise reflects how much application behavior is now driven by configuration (frameworks, cloud services, containers, and infrastructure as code) rather than by code alone.

A03 Software Supply Chain Failures ⇧
    Moves up from position 6 and expands the former Vulnerable and Outdated Components category. Beyond outdated libraries, it now covers compromises anywhere in the software dependency ecosystem, build systems, and distribution infrastructure.

A04 Cryptographic Failures ⇩
    Falls from position 2. These failures (weak or missing encryption, poor key management, unsafe algorithms) frequently lead to sensitive data exposure and system compromise.

A05 Injection ⇩
    Falls from position 3. This category covers vulnerabilities ranging from cross-site scripting (XSS) to SQL, OS command, and LDAP injection, all rooted in untrusted data reaching an interpreter without proper validation or encoding.

A06 Insecure Design ⇩
    Falls from position 4. The drop is attributed to industry progress in threat modeling and secure design practices.

A07 Authentication Failures
    Maintains position 7. The name was shortened from Identification and Authentication Failures to better reflect its scope.

A08 Software or Data Integrity Failures
    Maintains position 8. Focuses on failures to verify the integrity of software, code, and data artifacts (for example, unsigned updates or insecure deserialization) and to maintain trust boundaries.

A09 Security Logging and Alerting Failures
    Maintains position 9. The name was changed from Security Logging and Monitoring Failures to emphasize that logs must also trigger timely alerts.

A10 Mishandling of Exceptional Conditions (New)
    A newly added category. Focuses on improper error handling, logical errors, failing open (granting access or continuing processing when a check cannot be completed), and other abnormal system conditions.

⇧ ⇩ Indicates a change in position (A01–A10) relative to the 2021 report.
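The A10 entry above names "failing open" as one of the conditions in the new category. The following example, added here and not taken from the OWASP report or from AppScan, shows what that looks like in an authorization check: a permission lookup that can raise under abnormal conditions (a malformed session, an unreachable permission store), handled once in a fail-open form and once in a fail-closed form. All names, the in-memory permission store, and the `backend_down` trigger are constructed for illustration.

```python
"""Fail-open vs fail-closed error handling (illustrates A10:2025).

Constructed example. The permission store, the users, and the
`backend_down` trigger are all made up for illustration.
"""
import logging
from typing import Dict, Optional, Set

log = logging.getLogger("authz")


class PermissionBackendError(Exception):
    """Raised when the permission store cannot be consulted (constructed)."""


# Constructed in-memory permission store: user -> resources the user may read.
_PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"/reports/1"},
    "bob": set(),
}


def lookup_permissions(session: Optional[dict]) -> Set[str]:
    """Return the resources the session's user may read.

    Raises on abnormal conditions instead of guessing:
      * session is None or lacks a 'user' key  -> ValueError (corrupt session)
      * user == "backend_down"                  -> PermissionBackendError
        (simulates an unavailable permission store)
    """
    if not session or "user" not in session:
        raise ValueError("malformed session")
    user = session["user"]
    if user == "backend_down":
        raise PermissionBackendError("permission store unreachable")
    return _PERMISSIONS.get(user, set())


def is_authorized_fail_open(session: Optional[dict], resource: str) -> bool:
    """VULNERABLE: a broad except that falls through to allow.

    Any exception (malformed session, backend outage) yields True, so a
    caller who can provoke the error path is granted access.
    """
    try:
        return resource in lookup_permissions(session)
    except Exception:  # swallows everything, including the outage
        log.warning("permission lookup failed; continuing")
        return True  # fails open


def is_authorized_fail_closed(session: Optional[dict], resource: str) -> bool:
    """HARDENED: expected abnormal conditions deny and are logged for alerting.

    Only the exception types the lookup is documented to raise are caught.
    Anything else propagates to the framework's error handler, which is
    preferable to silently continuing in an unknown state.
    """
    try:
        return resource in lookup_permissions(session)
    except (ValueError, PermissionBackendError) as exc:
        # Deny, and emit a structured line that an alerting rule can match.
        log.error("authz_denied reason=exception type=%s resource=%s",
                  type(exc).__name__, resource)
        return False  # fails closed


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for label, session in [("valid alice", {"user": "alice"}),
                           ("no session", None),
                           ("backend down", {"user": "backend_down"})]:
        print(f"{label:13} fail-open={is_authorized_fail_open(session, '/reports/1')} "
              f"fail-closed={is_authorized_fail_closed(session, '/reports/1')}")
```

The two functions agree on ordinary input and differ only on the error path, which is exactly where A10 lives: the fail-open version turns any outage or corrupt session into an authorization bypass, while the fail-closed version denies, logs a line that can drive an alert (the A09 concern), and leaves truly unexpected exceptions to propagate.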