OWASP’s 2025 Wake-Up Call: Why Broken Access Control Still Haunts Web Security

The OWASP Top 10 for 2025 reveals persistent vulnerabilities like broken access control and injection, while introducing risks in supply chains and AI. This update, based on millions of app tests, urges developers to bolster API security and adopt zero-trust models to combat evolving cyber threats.
Written by Jill Joy

In the ever-evolving landscape of cybersecurity, the Open Web Application Security Project (OWASP) has unveiled its latest Top 10 list for 2025, marking the first major update in four years. This refresh, released on November 11, 2025, underscores persistent threats like broken access control and injection vulnerabilities, while introducing new risks tied to modern technologies such as AI and supply chains. Drawing from data on over 2.8 million applications, the list serves as a critical benchmark for developers and security professionals worldwide.

The update arrives amid a surge in sophisticated cyber threats, with OWASP emphasizing the need for proactive measures in API security and AI integration. According to Cyberpress, the list features two new security categories and substantial shifts in risk rankings based on contributed data and community feedback. This iteration highlights how vulnerabilities like misconfigurations and supply chain failures are climbing the ranks, reflecting real-world attack patterns.

Evolution of the OWASP Top 10

Since its inception in 2003, the OWASP Top 10 has been a cornerstone for identifying the most critical web application security risks. The 2025 version, the eighth edition, incorporates insights from extensive data analysis and community input, as detailed by GBHackers. Notable changes include the elevation of security misconfiguration to the second spot and the introduction of software supply chain failures as the third major risk.

Broken access control retains its top position, a vulnerability that allows unauthorized users to access sensitive data or functions. The Register reports that this issue highlights misconfigs, supply chain failures, and even prompt injection in AI apps, signaling a blend of traditional and emerging threats.

Persistent Threats: Broken Access Control and Injection

Injection flaws, now ranked fifth, continue to plague applications despite years of awareness. These vulnerabilities occur when untrusted data is sent to an interpreter as part of a command or query, potentially leading to data breaches or system compromise. The OWASP update notes that injection risks have evolved with modern APIs, making them a staple concern.

Broken access control, affecting nearly 94% of tested applications according to OWASP data, involves failures in enforcing proper authorization. As per Aikido, developers must focus on robust access controls to mitigate these risks, especially in cloud-native environments where misconfigurations are rampant.
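As an added illustration of the two persistent categories described above (injection and broken access control), not code from the article or from OWASP, the Python handler below shows a single endpoint that suffers from both flaws beside its hardened counterpart; the invoice table, user names and the "admin" role are constructed assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample data: two users, one invoice each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "alice", 120.0), (2, "bob", 999.0)])
    db.commit()
    return db


def get_invoice_broken(db, user, role, invoice_id):
    """Both flaws in one handler: untrusted input is concatenated into the
    SQL sent to the interpreter (injection), and nothing checks that the
    caller is allowed to read this particular object (broken access control).
    Any authenticated user can read any other user's invoice by changing the id."""
    query = f"SELECT id, owner, total FROM invoices WHERE id = {invoice_id}"
    return db.execute(query).fetchone()


def get_invoice_fixed(db, user, role, invoice_id):
    """Hardened handler: validate the id, bind it as a parameter so it can
    never alter the query, then enforce object-level authorization with a
    role-based rule (the owner, or an 'admin' role, may read the invoice)."""
    try:
        invoice_id = int(invoice_id)  # reject anything that is not an integer id
    except (TypeError, ValueError):
        return None
    row = db.execute("SELECT id, owner, total FROM invoices WHERE id = ?",
                     (invoice_id,)).fetchone()
    if row is None:
        return None
    if role != "admin" and row[1] != user:
        return None  # authenticated, but not authorized for this object: deny
    return row


if __name__ == "__main__":
    db = make_db()
    # alice asking for bob's invoice: the broken handler leaks it, the fixed one denies it
    print("broken:", get_invoice_broken(db, "alice", "user", 2))
    print("fixed: ", get_invoice_fixed(db, "alice", "user", 2))
```

The deny path returns the same result as a missing record, so the response does not reveal whether an id exists.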

New Entrants: Supply Chain and AI Risks

One of the most significant additions is A03: Software Supply Chain Failures, which addresses vulnerabilities introduced through third-party dependencies. SecurityBrief states that this category has become the third biggest concern worldwide, driven by high-profile incidents like the SolarWinds attack.

AI-specific risks are woven into the list, with prompt injection singled out under insecure design. Security Boulevard discusses how the update emphasizes the importance of secure AI integration, noting that 42% of AI-generated code contains hallucination failures, leading to insecure outputs.

Security Misconfiguration Climbs the Ranks

Security misconfiguration, now A02, involves improper setup of application components, exposing systems to exploits. This rise reflects the complexity of modern deployments, including containers and cloud services. Experts from Xage argue that zero-trust architectures are essential to contain such misconfigurations.

The OWASP report integrates data from vulnerability scanners and penetration testing, revealing that misconfigurations often stem from default settings or overlooked permissions. Industry insiders, as quoted in posts on X from users like TryHackMe, highlight how these flaws enable attackers to exploit excessive privileges.

Cryptographic Failures and Insecure Design

Cryptographic failures, ranked A04, encompass issues like weak encryption or improper key management, leading to data exposure. The 2025 list expands this to include failures in protecting sensitive data in transit and at rest, as explored in a Medium post walkthrough by Sle3pyHead on TryHackMe.

Insecure design, a new category at A10, focuses on fundamental flaws in application architecture. Cybersecurity News explains that this includes inadequate threat modeling, which can perpetuate vulnerabilities throughout the development lifecycle.

API Security in the Spotlight

With APIs powering much of modern software, the OWASP Top 10 stresses API-specific risks under categories like broken authentication (A07). Historical context from Cloudflare notes that APIs are prime targets for attacks due to their exposure.

Recent X posts from users such as Dhanush N underscore the striking rankings, with broken access control topping the list based on testing millions of apps. This aligns with OWASP’s data-driven approach, ensuring the list reflects current threats.

Implications for Developers and Enterprises

For developers, the update serves as a roadmap for secure coding practices. Mend advises integrating automated tools to detect these vulnerabilities early in the SDLC.

Enterprises face mounting pressure to address supply chain risks, with BizToc echoing The Register’s coverage on how these failures can cascade into widespread breaches. Industry sentiment on X, from accounts like zack0x01, emphasizes practical mitigations like role-based access controls.

Expert Perspectives on Mitigation Strategies

Security experts recommend comprehensive strategies, including regular audits and employee training. A post on X by Robert Youssef highlights the brutality of similar vulnerability reports, drawing parallels to AI and web development failures.

Veracode stresses the importance of dynamic application security testing (DAST) to uncover issues like injection and access control flaws in real time.

The Road Ahead: Adapting to Emerging Threats

As AI and machine learning integrate deeper into applications, OWASP’s inclusion of prompt injection risks foreshadows future updates. X posts from Het Mehta discuss OWASP’s LLM vulnerabilities checklist, complementing the Top 10.

Ultimately, the 2025 list urges a shift toward proactive security, with community-driven insights ensuring its relevance. As noted in X updates from Gray Hats, the draft’s focus on supply chain and misconfigurations demands immediate action from the industry.
