
OWASP Top 10 updated after 4 years, with many of the same issues still impacting applications


The OWASP Foundation has published the first Release Candidate for the 2025 OWASP Top 10 list, which ranks the most critical security concerns developers need to be thinking about.

The top 10 security concerns on the updated list are:

  1. Broken Access Control
  2. Security Misconfiguration
  3. Software Supply Chain Failures
  4. Cryptographic Failures
  5. Injection
  6. Insecure Design
  7. Authentication Failures
  8. Software or Data Integrity Failures
  9. Logging and Alerting Failures
  10. Mishandling of Exceptional Conditions

This list features many of the same concerns as the 2021 version, with a few notable changes, such as Server-Side Request Forgery, which was in last place in 2021, being rolled into the Broken Access Control category.

Additionally, a new category, Software Supply Chain Failures, was added and absorbs Vulnerable and Outdated Components (#6 in 2021), and Mishandling of Exceptional Conditions made the list for the first time, containing CWEs related to improper error handling, logical errors, failing open, and other related conditions.

“Mishandling of Exceptional Conditions is a category that has been just outside the Top 10 for several years. In this iteration, there was enough data and support from the community survey to push it over the line and into the Top 10,” said Brian Glas, one of the lead authors of the report.
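To make the "failing open" behaviour in that category concrete, here is an added illustration that is not code from the OWASP report or from the article: an authorization check that treats any exception as a permit, placed beside a rewrite that denies and logs on every failure path. The token layout (`user:role:hex-hmac`), the signing key, and the helper names are assumptions made for this example only.

```python
"""Added example: fail-open vs fail-closed handling of an exceptional condition.
Not from the OWASP Top 10 report or the article; token format and key are assumptions."""
import hashlib
import hmac
import logging

SECRET = b"example-signing-key"  # constructed for the example; never hard-code a real key

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("authz")


def mint_token(user: str, role: str) -> str:
    """Issue a token in the assumed layout '<user>:<role>:<hex-hmac-sha256>'."""
    sig = hmac.new(SECRET, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{role}:{sig}"


def _parse_token(token: str) -> tuple[str, str, str]:
    """Split a token into its three fields; raises ValueError when the field count is wrong."""
    user, role, sig = token.split(":")
    return user, role, sig


def _verify(user: str, role: str, sig: str) -> bool:
    """Constant-time check of the HMAC over 'user:role'. Bytes comparison tolerates any input."""
    expected = hmac.new(SECRET, f"{user}:{role}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())


def is_admin_fail_open(token: str) -> bool:
    """Vulnerable: an exception anywhere in parsing or verification is swallowed
    and the caller is granted admin. A malformed token is enough to trigger it."""
    try:
        user, role, sig = _parse_token(token)
        if not _verify(user, role, sig):
            return False
        return role == "admin"
    except Exception:
        # "Don't break the request if something odd happened": this is the fail-open bug.
        return True


def is_admin_fail_closed(token: str) -> bool:
    """Hardened: only the expected exception is caught, every failure path denies,
    and each denial is logged so the failure is visible rather than silent."""
    try:
        user, role, sig = _parse_token(token)
    except ValueError:
        log.warning("rejecting malformed token")
        return False
    if not _verify(user, role, sig):
        log.warning("rejecting token with bad signature for user=%s", user)
        return False
    return role == "admin"


def demo() -> dict[str, tuple[bool, bool]]:
    """Run both checks over constructed sample tokens.
    Returns {label: (fail_open_result, fail_closed_result)}."""
    samples = {
        "valid admin": mint_token("alice", "admin"),
        "valid user": mint_token("bob", "user"),
        "role tampered": mint_token("bob", "user").replace(":user:", ":admin:"),
        "malformed": "not-a-token",
        "empty": "",
    }
    return {label: (is_admin_fail_open(t), is_admin_fail_closed(t)) for label, t in samples.items()}


if __name__ == "__main__":
    for label, (fail_open, fail_closed) in demo().items():
        print(f"{label:14s} fail-open={fail_open!s:5s} fail-closed={fail_closed}")
```

Both versions agree on well-formed tokens; they diverge exactly on the exceptional inputs (`malformed`, `empty`), where the vulnerable check grants admin. The hardened version deliberately does not add a blanket `except Exception: return True`-style catch-all; an unexpected error should surface to a generic error handler that returns a failure response, never to a code path that grants access.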

Broken Access Control maintained its position as the top concern, with 3.74% of the applications OWASP tested including one or more of the 40 CWEs in this category.

Cryptographic Failures, Injection, and Insecure Design dropped down the list, while Security Misconfiguration rose to number two.

The OWASP Top 10 is determined using two main data collection methods. The primary one is contributed data: companies submitted their findings from SAST, DAST, IAST, and other security testing carried out from 2020 to 2024, covering over 2.8 million tested applications. The second is a community survey, which accounts for newer categories of vulnerabilities that the industry may not yet have developed enough tests to detect.

“It’s important to understand why we construct the Top 10 in this manner,” said Glas. “If it were purely data-driven, we would not have an accurate list, as it would only be looking into the past. The community survey is critical in enabling people on the ground to share what they perceive as important risks that require visibility and attention, which may not be reflected in the data.”

Glas concluded that this updated OWASP Top 10 highlights the fact that software development is becoming more complex, and that developers are being asked to take responsibility for more things. He cited the rise of Software Supply Chain Failures and Security Misconfiguration as evidence of this change.

The OWASP Top 10 2025 will be open for comments until November 20th.
