← All toolsSecurity

OWASP Top 10 (2025)

The ten web-application risks that matter most, ranked, with what changed in the 2025 refresh. A deck you can read in a minute and hand to your team.

OWASP Foundation (CC BY-SA)

The OWASP Top 10 is the industry’s shared list of the web risks that matter most, referenced by PCI DSS, contracts, and training everywhere. The 2025 edition is the first full refresh since 2021: two new categories, and the supply chain finally promoted to where it belongs.

A01,

Broken Access Control

Users doing things they shouldn’t. Still the most common serious flaw, and SSRF now folds in here.

A02↑ up

Security Misconfiguration

Defaults left on, permissions too loose, debug endpoints exposed. Rose from #5 as systems got more configurable.

A03NEW

Software Supply Chain Failures

Your dependencies, build pipeline, and the code you didn’t write. Broader than the old “vulnerable components.”

A04,

Cryptographic Failures

Sensitive data not protected in transit or at rest, weak, misused, or missing crypto.

A05↓ down

Injection

Untrusted input treated as code or query. SQL, command, and friends. Well understood, still everywhere.

A06,

Insecure Design

Flaws baked in before a line of code, the threat you never modelled. No amount of clean code fixes a bad design.

A07,

Authentication Failures

Weak login, session, and identity handling that lets attackers become someone else.

A08,

Software & Data Integrity Failures

Trusting code, updates, or data that could be tampered with, insecure deserialization and CI/CD included.

A09,

Security Logging & Alerting Failures

You can’t respond to what you can’t see. Missing logs and alerts turn a small breach into a long one.

A10NEW

Mishandling of Exceptional Conditions

What your system does when things go wrong, error handling and edge cases that leak or fail open.

Two new entries this cycle: A03 Software Supply Chain Failures and A10 Mishandling of Exceptional Conditions. If you only fix one thing, start at the top, broken access control has led this list for years for a reason. Published by the OWASP Foundation under CC BY-SA.

Based on the OWASP Top 10 (2025), published by the OWASP Foundation under CC BY-SA. Category names are OWASP’s; the summaries are written in plain language for a leadership audience.

Want the version tuned to your actual situation?

Book a call
← Back to all tools