Hello, security enthusiasts! π After approximately four years since 2021, the OWASP Top 10 2025 (Release Candidate) was officially announced in November.
This 2025 version goes beyond simple ranking changes, notably reflecting the recent surge in Supply Chain Attacks and the complexity of Cloud/IaC environments. There are many points to emphasize when teaching Terraform or Kubernetes!
From the newly changed #1 to #10, we’ve extracted and summarized only the key points. π
π OWASP Top 10 2025: What Has Changed?
The most notable changes are the rise of ‘Supply Chain Security’ and the introduction of a new category, ‘Mishandling of Exceptional Conditions’. SSRF (Server-Side Request Forgery) has been absorbed into other items, and more fundamental software robustness issues have taken its place.
π₯ #1 ~ #3: The Big Three Absolute Threats
π₯ A01:2025 β Broken Access Control
- No Change (Undisputed #1) π
- Still the most commonly found and most critical vulnerability.
- This includes cases where IAM permissions are overly broad in cloud environments (Over-privileged), or where vertical/horizontal privilege escalation is not prevented. (Note: SSRF, which was #10 in 2021, has been merged into this item.)
π₯ A02:2025 β Security Misconfiguration
- Rank Soars (5th β‘οΈ 2nd) π
- This is due to the increasing complexity of configuration files (YAML, HCL, etc.) with the spread of cloud-native environments.
- Includes using default accounts, opening unnecessary ports, and public cloud storage configurations. The IaC (Terraform) security that instructors emphasize must shine here!
π₯ A03:2025 β Software Supply Chain Failures
- Major Overhaul (Replaces existing ‘Vulnerable and Outdated Components’) π
- It’s not just about “using old libraries”.
- It has expanded into a much more comprehensive concept, including CI/CD pipeline contamination, malicious packages (Typosquatting), and build tool integrity. Recent incidents like the xz backdoor crisis are major reasons for its rise in rank.
π‘οΈ #4 ~ #6: Flaws in Design and Implementation
4οΈβ£ A04:2025 β Cryptographic Failures
- Rank Drop (2nd β‘οΈ 4th) π
- Although the rank has dropped, its importance remains. This includes sensitive data exposure, use of weak cryptographic algorithms, and inadequate certificate management.
5οΈβ£ A05:2025 β Injection
- Rank Drop (3rd β‘οΈ 5th) π
- Includes SQL Injection, OS Command Injection, etc.
- While its frequency has decreased with the recent use of ORMs and advancements in frameworks, it remains a threat in legacy systems. (LLM Prompt Injection is sometimes treated as a separate category, but broadly speaking, it can be included here.)
6οΈβ£ A06:2025 β Insecure Design
- Rank Drop (4th β‘οΈ 6th) π
- This is a case where “the design was flawed from the start, not just the coding”.
- Includes lack of Threat Modeling, flaws in business logic, etc.
β οΈ #7 ~ #10: Blind Spots in Authentication and Operations
7οΈβ£ A07:2025 β Authentication Failures
- The name has been slightly simplified. (Identification omitted)
- All login-related issues, such as weak password policies, lack of MFA implementation, and inadequate session management.
8οΈβ£ A08:2025 β Software or Data Integrity Failures
- Deals with issues such as fetching code from untrusted sources, failed firmware update verification, and insecure deserialization problems.
- Closely related to A03 (Supply Chain).
9οΈβ£ A09:2025 β Logging & Alerting Failures
- This is an issue where attacks go unlogged or alarms aren’t triggered, leading to delayed responses.
- An essential item from a Security Operations (SecOps) perspective.
π A10:2025 β Mishandling of Exceptional Conditions
- π NEW! A completely new category π
- It consolidates previously scattered error handling issues.
- Covers cases where sensitive information like stack traces is exposed in error messages, or where security procedures are bypassed (Fail Open) instead of the system failing safely when an error occurs.
π‘ Key Takeaways for Instructors
- Supply Chain Security (A03) is the key keyword: Beyond simply running
npm audit, CI/CD pipeline security and SBOM (Software Bill of Materials) management are now essential. - Elevation of Configuration Errors (A02): When teaching cloud/Kubernetes, emphasize the importance of automation tools (OPA, Kyverno, etc.) to prevent Misconfiguration.
- New Category for Exceptional Conditions (A10): Developers must be educated that “elegant error handling” is as directly linked to security as “feature implementation”.
The OWASP Top 10 2025 reflects modern development trends very well. It would be beneficial to update your curriculum based on these changes! π
Leave a Reply