OWASP Top 10 updated after 4 years, with many of the same issues still impacting applications


The OWASP Foundation has released the first Release Candidate for the 2025 OWASP Top 10 list, which ranks the most critical security issues developers should be thinking about.

The top 10 security issues on the updated list are:

  1. Broken Access Control
  2. Security Misconfiguration
  3. Software Supply Chain Failures
  4. Cryptographic Failures
  5. Injection
  6. Insecure Design
  7. Authentication Failures
  8. Software or Data Integrity Failures
  9. Logging and Alerting Failures
  10. Mishandling of Exceptional Conditions

This list features many of the same issues from the 2021 version, with several notable changes, such as Server-Side Request Forgery, which was in last place in 2021, being rolled into the Broken Access Control category.

Additionally, a new category, Software Supply Chain Failures, was added and includes Vulnerable and Outdated Components (#6 in 2021), and Mishandling of Exceptional Conditions made the list for the first time, containing CWEs related to improper error handling, logical errors, failing open, and other related conditions.

“Mishandling of Exceptional Conditions is a category that has been just outside the Top 10 for several years. In this iteration, there was enough data and support from the community survey to push it over the line and into the Top 10,” said Brian Glas, one of the lead authors of the report.
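The "failing open" pattern that the new Mishandling of Exceptional Conditions category covers is easiest to see in an authorization check. The following constructed example (added here, not from the OWASP report or the article) contrasts a check whose broad exception handler lets a policy-store outage grant access with a fail-closed version that denies and logs; `lookup_roles`, `PolicyStoreUnavailable` and the dict-based store are hypothetical stand-ins for a real policy backend.

```python
"""Fail-open vs fail-closed authorization (constructed example)."""
import logging

logger = logging.getLogger(__name__)


class PolicyStoreUnavailable(Exception):
    """Raised when the (hypothetical) policy backend cannot be reached."""


def lookup_roles(user_id, policy_store):
    """Return the role set for user_id; a None store models a backend outage."""
    if policy_store is None:
        raise PolicyStoreUnavailable("policy store unreachable")
    return policy_store.get(user_id, set())


def is_admin_fail_open(user_id, policy_store):
    """Vulnerable: the bare except swallows the outage and control falls
    through to a default that grants access, so an exception means 'allow'."""
    try:
        roles = lookup_roles(user_id, policy_store)
        if "admin" not in roles:
            return False
    except Exception:
        logger.warning("policy lookup failed, continuing")
    return True  # reached on success AND on lookup failure


def is_admin_fail_closed(user_id, policy_store):
    """Hardened: only the expected exception is handled, the failure is
    logged with enough context to alert on, and the decision defaults to deny."""
    try:
        roles = lookup_roles(user_id, policy_store)
    except PolicyStoreUnavailable as exc:
        logger.error("authz denied for %s: %s", user_id, exc)
        return False
    return "admin" in roles


if __name__ == "__main__":
    # Constructed policy store; None simulates the backend being down.
    store = {"alice": {"admin"}, "bob": {"viewer"}}
    print(is_admin_fail_open("bob", store), is_admin_fail_open("bob", None))
    print(is_admin_fail_closed("bob", store), is_admin_fail_closed("bob", None))
```

The same outage produces opposite decisions: the first function answers True for a non-admin when the store is down, the second answers False and leaves a log line that a Logging and Alerting control can act on.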

Broken Access Control maintained its position as the top concern, with 3.74% of applications OWASP tested including one or more of the 40 CWEs in this category.

Cryptographic Failures, Injection, and Insecure Design dropped down the list, while Security Misconfiguration rose to number two.

The OWASP Top 10 is determined based on two main data collection methods. The first approach is that companies contributed their findings from SAST, DAST, IAST, and other security testing from 2020 to 2024. This data included over 2.8 million applications that were tested. The second method is a community survey to account for new categories of vulnerabilities that the industry may not have developed enough tests for yet.

“It’s important to know why we construct the Top 10 in this way,” said Glas. “If it were purely data-driven, we would not have an accurate list, as it would only be looking into the past. The community survey is essential in enabling people on the ground to share what they perceive as important risks that require visibility and attention, which may not be reflected in the data.”

Glas concluded that this updated OWASP Top 10 highlights the fact that software development is becoming more complex, and developers are being asked to be responsible for more things. He cited the rise of Software Supply Chain Failures and Security Misconfiguration as evidence of this change.

The OWASP Top 10 2025 will be open for comments until November 20th.
