OWASP Top 10: Broken access control still tops app security list

The Open Worldwide Application Security Project (OWASP) just published its top 10 categories of application risks for 2025, its first list since 2021. It found that while broken access control remains the top issue, security misconfiguration is a strong second, and software supply chain issues are still prominent.

The update was presented at the organization's Global AppSec USA event. The list is final but the official write-up is in preview, according to OWASP Top 10 co-leads Neil Smithline and Tanya Janca.

The top 10, they said, is "a data-driven awareness document to help organizations prioritize." It is based on data from organizations and survey respondents.

The categories are inevitably imprecise and have been updated for 2025. Software supply chain failures is new, replacing one called "vulnerable and outdated components." Server-side request forgery (SSRF) has been merged with broken access control. A new category has been added, for "mishandling of exceptional conditions."

Broken access control is "hands down the #1 category for web apps, APIs, and many other digital systems," according to Smithline and Janca. It impacts 3.73 percent of applications tested. Errors in this category include bypassing access control through URL tampering, APIs with missing access controls, guessing URLs to privileged pages as a standard user, or any violation of the principle of least privilege.

"Except for public resources, deny by default" is the top tip for prevention.
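As an added illustration (not from the OWASP write-up or this article), the following Python sketch contrasts an allow-list, deny-by-default authorization check with the anti-pattern behind the failures listed above (guessed privileged URLs, tampered resource ids, endpoints nobody remembered to protect); the `User` class, role names, paths and rules are assumed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # assumed role names: "user" or "admin"


# Public resources need no login: the one exception the OWASP tip allows.
PUBLIC = [re.compile(r"^/public/.*$"), re.compile(r"^/login$")]

# Explicit allow rules: (role, HTTP method, path pattern, must-own-resource).
# A request that matches none of them is denied: "deny by default".
ALLOW_RULES = [
    ("user", "GET", re.compile(r"^/api/accounts/(?P<owner>\d+)$"), True),
    ("admin", "GET", re.compile(r"^/api/accounts/(?P<owner>\d+)$"), False),
    ("admin", "GET", re.compile(r"^/admin(/.*)?$"), False),
]


def authorize(user, method, path):
    """Hardened check: allow only what an explicit rule permits."""
    if any(p.match(path) for p in PUBLIC):
        return True
    if user is None:
        return False  # unauthenticated and not a public resource
    for role, rule_method, pattern, owner_only in ALLOW_RULES:
        if role != user.role or rule_method != method:
            continue
        m = pattern.match(path)
        if m is None:
            continue
        # Stop URL tampering: the account id in the path must be the caller's own.
        if owner_only and int(m.group("owner")) != user.id:
            continue
        return True
    return False  # no rule matched, so deny


def broken_authorize(user, method, path):
    """Anti-pattern: only routes someone remembered to protect are checked, so a
    guessed URL or a tampered id reaches anything not on that short list."""
    if path.startswith("/admin"):
        return user is not None and user.role == "admin"
    return user is not None or any(p.match(path) for p in PUBLIC)
```

Running both checks against the same requests shows where the broken version lets a standard user read another user's account or an unlisted endpoint while the allow-list version refuses.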

Security misconfiguration is second, and would be top for cloud and infrastructure security, Smithline and Janca said in their presentation. It has risen in the list because of an engineering trend toward basing security more on configuration than on other methods, OWASP states.

Supply chain failures are third, despite having relatively few occurrences, because issues of this kind have "the highest average exploit and impact scores from CVEs [Common Vulnerabilities and Exposures]", OWASP reports.

Injection has fallen from third to fifth place, thanks to being one of the most tested categories. Injection issues include SQL injection and cross-site scripting.

A separate OWASP project covering the top 10 risks for LLM (large language model) and Gen AI applications ranks prompt injection, where model responses are manipulated via prompt input to bypass security checks, as the top risk.

The new category for mishandling of exceptional conditions was added based on community feedback. It covers code that does not respond correctly to unusual situations, including race conditions, attacks on partially completed transactions, or revealing sensitive information in error messages.

"Originally we were looking at 'poor code quality' as a category, but that's way too wide. And how do you fix that? What would the advice be? ... 'your code is bad, do better', that's not helpful at all," said Janca on Reddit.

OWASP has plenty of good advice for improving application security but is any progress being made? "The situation around security is the same as it was five years ago, and 10 years ago, and 15 years ago, and 20 years ago," complained one developer in response to the new top 10, though acknowledging that more problems are being identified by tooling.

Another gave a small business perspective, saying that secure coding is still "very much an afterthought," and that management is more interested in new features until something bad happens, by which time it is too late. ®
