
The OWASP Foundation has published the first Release Candidate for the 2025 OWASP Top 10 list, which ranks the most critical security risks that web application developers should be thinking about.
The ten security risks on the updated list are:
- Broken Access Control
- Security Misconfiguration
- Software Supply Chain Failures
- Cryptographic Failures
- Injection
- Insecure Design
- Authentication Failures
- Software or Data Integrity Failures
- Logging and Alerting Failures
- Mishandling of Exceptional Conditions
This list carries over many of the same risks from the 2021 edition, with a few notable changes. Server-Side Request Forgery, which sat in last place in 2021, has been folded into the Broken Access Control category.
Additionally, a new category, Software Supply Chain Failures, has been added; it absorbs Vulnerable and Outdated Components (#6 in 2021) and broadens it to the wider dependency and build pipeline. Mishandling of Exceptional Conditions makes the list for the first time and groups CWEs related to improper error handling, logic errors, failing open (granting access or continuing processing when a check cannot be completed), and related scenarios.
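To make the "failing open" behaviour in the new category concrete, here is an added illustration; it is not code from the article, from OWASP, or from the Top 10 document. The policy store, the `PolicyUnavailable` exception, the `/broken/` path convention that simulates a backend outage, and the role and resource names are all constructed for this example. It shows an authorization check that returns "allowed" when its policy lookup raises, next to the fail-closed version a reviewer would ask for.

```python
"""Fail-open versus fail-closed authorization checks (constructed example)."""
import logging

logger = logging.getLogger("authz")


class PolicyUnavailable(Exception):
    """Stands in for a timeout or connection error from a policy backend (constructed)."""


# Constructed in-memory policy store: resource path -> roles permitted to read it.
_POLICIES = {
    "/reports/q3": {"finance", "admin"},
    "/admin/users": {"admin"},
}


def lookup_allowed_roles(resource):
    """Simulated policy backend.

    Any resource under /broken/ is a constructed stand-in for the backend being
    unreachable; a real outage would surface as a network or timeout exception.
    """
    if resource.startswith("/broken/"):
        raise PolicyUnavailable(f"policy service timeout for {resource}")
    return _POLICIES.get(resource, set())


def is_allowed_fail_open(user_roles, resource):
    """Vulnerable pattern: a backend error is treated as 'no restriction'.

    The developer's intent was to avoid blocking users during an outage, but an
    attacker who can trigger or wait for the outage is granted access to every
    protected resource.
    """
    try:
        allowed = lookup_allowed_roles(resource)
    except PolicyUnavailable as exc:
        logger.warning("policy lookup failed, allowing request: %s", exc)
        return True  # fails open
    return bool(set(user_roles) & allowed)


def is_allowed_fail_closed(user_roles, resource):
    """Hardened pattern: any condition that prevents a decision denies access.

    Both an unreachable backend and an unlisted resource result in denial, so the
    only way to be granted access is a positive match against explicit policy.
    """
    try:
        allowed = lookup_allowed_roles(resource)
    except PolicyUnavailable as exc:
        logger.error("policy lookup failed, denying request: %s", exc)
        return False  # fails closed; the outage is logged for operators
    if not allowed:
        # Resource has no policy entry: deny by default instead of treating it as public.
        return False
    return bool(set(user_roles) & allowed)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for check in (is_allowed_fail_open, is_allowed_fail_closed):
        print(check.__name__)
        print("  finance -> /reports/q3      :", check(["finance"], "/reports/q3"))
        print("  intern  -> /reports/q3      :", check(["intern"], "/reports/q3"))
        print("  intern  -> /broken/secrets  :", check(["intern"], "/broken/secrets"))
```

The difference only shows up on the error path, which is exactly why these bugs survive functional testing: both functions agree on every request where the policy backend answers. A test suite for an authorization layer should include the outage case and assert that it denies.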
“Mishandling of Exceptional Conditions is a category that has been just outside the Top 10 for several years. In this iteration, there was enough data and support from the community survey to push it over the line and into the Top 10,” said Brian Glas, one of the lead authors of the report.
Broken Access Control kept its position as the top risk, with 3.74% of the applications in OWASP's dataset containing one or more of the 40 CWEs in this category.
Cryptographic Failures, Injection, and Insecure Design each moved down the list, while Security Misconfiguration rose to number two.
The OWASP Top 10 is built from two main data collection methods. The primary one is contributed data: companies submitted their findings from SAST, DAST, IAST, and other security testing carried out between 2020 and 2024, covering more than 2.8 million tested applications. The second is a community survey, which accounts for newer classes of vulnerability that the industry may not yet have developed adequate tests for, and which would therefore be under-represented in tool output.
“It’s important to understand why we construct the Top 10 in this manner,” said Glas. “If it were purely data-driven, we would not have an accurate list, as it would only be looking into the past. The community survey is crucial in enabling people on the ground to share what they perceive as important risks that require visibility and attention, which may not be reflected in the data.”
Glas concluded that this updated OWASP Top 10 highlights that software development is becoming more complex, and that developers are being asked to take responsibility for more of the stack. He cited the rise of Software Supply Chain Failures and Security Misconfiguration as evidence of this shift.
The OWASP Top 10 2025 Release Candidate is open for comments until November 20th.
