OWASP Top 10: Broken access control still tops app security list
theregister.co.uk

The Open Worldwide Application Security Project (OWASP) just published its top 10 categories of application risks for 2025, its first list since 2021. It found that while broken access control remains the top issue, security misconfiguration is a strong second, and software supply chain issues are still prominent.
The update was presented at the organization's Global AppSec USA event. The list is final but the official write-up is in preview, according to OWASP Top 10 co-leads Neil Smithline and Tanya Janca.
The top 10, they said, is "a data-driven awareness document to help organizations prioritize." It is based on data from organizations and survey respondents.

The categories are inevitably imprecise and have been updated for 2025. Software supply chain failures is new, replacing one called "vulnerable and outdated components." Server-side request forgery (SSRF) has been merged with broken ...

