The OWASP Top 10 2025 has officially arrived, bringing two big updates. It reflects how software security has shifted toward complex, interconnected risks like supply chain integrity and error handling. For developers and security teams, understanding these changes is essential to keeping applications resilient.
OWASP emphasizes that the Top 10 is an awareness document, not a full standard. It’s designed to highlight the most critical risks, not to serve as a complete security framework. For organizations looking to go further, OWASP recommends using maturity and verification models such as SAMM (Software Assurance Maturity Model), DSOMM (DevSecOps Maturity Model), and ASVS (Application Security Verification Standard).
For more on what the OWASP Top 10 is all about, check out this article.
What’s Changed in the OWASP Top 10 for 2025
The 2025 edition introduces two new categories and one consolidation.
- A03: Software Supply Chain Failures expands on the 2021 category “Vulnerable and Outdated Components,” covering the full software ecosystem including dependencies, build systems, and distribution infrastructure.
- A10: Mishandling of Exceptional Conditions is completely new, highlighting the importance of secure error handling and resilience.
- A10:2021 Server-Side Request Forgery (SSRF) has been consolidated into A01:2025 Broken Access Control.
- Meanwhile, A01: Broken Access Control and A02: Security Misconfiguration retain their top positions, showing that foundational security practices remain critical.
In short, OWASP 2025 shifts focus from isolated code flaws to systemic weaknesses that span the entire development lifecycle.
The OWASP Top 10 2025
Below is the full list of categories in the OWASP Top 10 2025, along with a short summary of each.
A03:2025 – Software Supply Chain Failures
The OWASP Top 10 2025 highlights Software Supply Chain Failures as one of the most urgent risks in modern software security. OWASP now explicitly calls out malware in software ecosystems, including malicious packages, compromised maintainers, and tampered build processes, as leading threats to application security.
These attacks rarely start in production. They begin on the developer workstation. By compromising dependencies or injecting malware into widely used packages, attackers can gain access to environments that are inherently trusted. Once inside, a single malicious dependency can move through CI systems, containers, and cloud environments in hours, often without triggering traditional scanners.
Aikido Security has seen this shift up close. Throughout 2025, we identified and analyzed several of the largest supply chain compromises, each a clear example of A03 in practice:
- Shai Hulud, a stealthy malware campaign hidden in npm packages that exfiltrated credentials and tokens through transitive dependencies.
- S1ngularity, a dependency confusion operation that exploited naming collisions and internal mirrors to infiltrate developer workstations and CI.
- The September npm malware outbreak, where popular libraries such as chalk, debug, and ansi-regex were poisoned and downloaded millions of times before Aikido detected and escalated the compromise.
- The React-Native-Aria trojan, which inserted a remote access payload into legitimate npm releases and was caught early through Aikido Intel anomaly detection.
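To make the transitive-dependency and dependency-confusion patterns above concrete, here is an added example (not Aikido's Safe Chain code, and not from the original post) that audits an npm lockfile before install. Package names, registry hosts, hashes and the block list are all constructed placeholders.

```javascript
// Added example, not Aikido's Safe Chain code: a minimal pre-install audit of
// an npm package-lock.json (v2/v3 layout) against a policy. It flags three
// A03 signals: a version on a block list of known-bad releases, a package with
// no integrity hash (the artifact cannot be verified), and a package resolved
// from a registry other than the one its name should come from (the
// dependency-confusion pattern). All names, hosts and hashes are constructed.

const POLICY = {
  defaultRegistry: "https://registry.npmjs.org/",
  // Private scopes must resolve from the private registry, never the public one.
  scopeRegistries: { "@corp": "https://npm.example.internal/" },
  blockedVersions: new Set(["example-lib@9.9.9"]), // constructed placeholder
};

function expectedRegistry(name, policy) {
  const scope = name.startsWith("@") ? name.split("/")[0] : null;
  return (scope && policy.scopeRegistries[scope]) || policy.defaultRegistry;
}

function auditLockfile(lock, policy = POLICY) {
  const findings = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (pkgPath === "") continue; // the root project entry
    // Keys look like "node_modules/a/node_modules/@scope/b"; keep the last name.
    const name = pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + 13);
    const id = `${name}@${meta.version}`;
    if (policy.blockedVersions.has(id)) findings.push({ id, rule: "blocked-version" });
    if (!meta.integrity) findings.push({ id, rule: "missing-integrity" });
    const want = expectedRegistry(name, policy);
    if (meta.resolved && !meta.resolved.startsWith(want)) {
      findings.push({ id, rule: "registry-mismatch", resolved: meta.resolved });
    }
  }
  return findings;
}

// Constructed lockfile fragment: one blocked release, one private-scope package
// that resolved from the public registry, one transitive dep with no hash.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/example-lib": { version: "9.9.9", integrity: "sha512-AAAA",
      resolved: "https://registry.npmjs.org/example-lib/-/example-lib-9.9.9.tgz" },
    "node_modules/@corp/internal-utils": { version: "1.2.0", integrity: "sha512-BBBB",
      resolved: "https://registry.npmjs.org/@corp/internal-utils/-/internal-utils-1.2.0.tgz" },
    "node_modules/example-lib/node_modules/deep-dep": { version: "0.1.0",
      resolved: "https://registry.npmjs.org/deep-dep/-/deep-dep-0.1.0.tgz" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK)); // three findings for the sample above
```

Run it as a preinstall step against the real lockfile and fail the install on any finding; the block list is the piece a live feed such as Aikido Intel would supply.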
During these incidents, many organizations turned to Aikido for accurate intelligence and guidance, using our updates to determine exposure, validate dependencies, and respond before the damage spread.
This expansion in OWASP’s scope mirrors what many security leaders are already experiencing. Aikido’s State of AI in Security & Development 2026 report found that 1 in 3 security leaders have missed risks due to poor integration between tools, and 38% report gaps in visibility across the development or deployment lifecycle. The result is a visibility gap that attackers exploit through trusted supply chains.
Aikido helps close that gap. With Aikido Intel for live threat feeds, Safe Chain for pre-install package verification, and a unified dependency graph across code, containers, and cloud, teams can see exactly where vulnerabilities intersect with real exposure. Aikido not only detects compromised packages but also blocks them before they ever reach production.
For many organizations, A03 is the most relevant category in the OWASP Top 10 2025 because it reflects how software is actually built and attacked today. The supply chain has become the new perimeter, and Aikido gives teams the visibility, automation, and intelligence to defend it.
A10:2025 – Mishandling of Exceptional Conditions
The newest category, A10: Mishandling of Exceptional Conditions, focuses on how systems fail. Poor error handling, logical flaws, and insecure failure states can all lead to exposure of sensitive data or denial-of-service conditions.
OWASP notes that many of these weaknesses used to be grouped under “poor code quality,” but now deserve a dedicated category.
Common issues include:
- Error messages revealing sensitive details
- Privilege-handling logic that fails open
- Inconsistent exception handling
- Unhandled memory or input errors
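The two items that most often combine in practice, a privilege check that fails open and an error message that leaks detail, are shown below in an added example (not from the original post). The role lookup is a constructed stub that can throw, standing in for a database or directory call that times out at runtime.

```javascript
// Added example, not from the original post: the same authorization decision
// written fail-open (what A10 warns against) and fail-closed. lookupRole is a
// constructed stub; the "mallory" failure and its message are hypothetical.

const ROLES = new Map([["alice", "admin"], ["bob", "viewer"]]);

function lookupRole(username) {
  if (username === "mallory") throw new Error("db timeout contacting host-internal");
  return ROLES.get(username); // undefined for unknown users
}

// Vulnerable: a failed or empty lookup leaves role undefined, so the
// "not a viewer" test passes and the caller is treated as privileged.
// The raw error text is also handed straight back to the client.
function canDeleteFailOpen(username) {
  let role, detail;
  try { role = lookupRole(username); } catch (e) { detail = e.message; }
  if (role !== "viewer") {
    return { allowed: true, message: detail ? `lookup failed: ${detail}` : "ok" };
  }
  return { allowed: false, message: "forbidden" };
}

// Hardened: deny by default, allow only an explicit set of roles, treat any
// exception as a denial, and return a generic message while the detail goes
// to the server-side log only.
const ROLES_THAT_CAN_DELETE = new Set(["admin"]);

function canDeleteFailClosed(username, log = console.error) {
  let role;
  try {
    role = lookupRole(username);
  } catch (e) {
    log(`role lookup failed for ${username}: ${e.message}`); // never sent to client
    return { allowed: false, message: "request could not be authorized" };
  }
  if (ROLES_THAT_CAN_DELETE.has(role)) return { allowed: true, message: "ok" };
  return { allowed: false, message: "forbidden" };
}

console.log(canDeleteFailOpen("mallory"));   // allowed: true, message leaks detail
console.log(canDeleteFailClosed("mallory")); // allowed: false, generic message
```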
This category reinforces the idea that secure software isn’t only about preventing attacks, but also about failing safely and predictably when something goes wrong.
OWASP’s focus on resilience and safe failure also touches on a broader cultural issue. The same Aikido report found that developers and security teams frequently disagree on who’s responsible for secure coding practices. That lack of clarity often leads to inconsistent error handling or incomplete testing, the kinds of breakdowns A10 aims to prevent.
OWASP also recommends that organizations measure the maturity of their application security programs using frameworks like SAMM or DSOMM. The goal isn’t to meet every requirement, but to identify where visibility, automation, and consistency can make the biggest impact.
How Aikido Can Help
The OWASP Top 10 2025 highlights the need for visibility across every layer of software development. Aikido gives teams that clarity by unifying signals from code, dependencies, containers, and cloud infrastructure.
- Aikido Intel provides real-time threat intelligence, flagging compromised packages and CVEs as they appear.
- Safe Chain, Aikido’s open-source package verifier, checks npm, yarn, and pnpm dependencies before install, blocking malicious versions.
- Unified dependency graphs connect your code, containers, and cloud to show how transitive dependencies interact with your production systems, cutting false positives and revealing real exploit paths.
- SBOM generation helps teams instantly view their full software supply chain, improving transparency and compliance.
- OWASP Top 10 scoring gives you a clear view of how your environment measures up against each category, with practical guidance to improve.
Aikido helps you manage the risks that the OWASP Top 10 2025 calls out, giving you context on what matters and automation to act on it.
Building a Modern Application Security Program
To establish a strong AppSec foundation, OWASP recommends taking a risk-based approach to your software portfolio, creating reusable security controls and policies, integrating security into every SDLC phase, investing in developer education, and tracking progress with metrics. Together, these steps build a culture where secure development is part of everyday practice rather than a separate process.
Why the OWASP Top 10 2025 Still Matters
The OWASP Top 10 remains one of the most valuable resources for development and security teams. It’s not just a checklist but a reflection of where real-world risks are emerging. By aligning your security processes with it, you can strengthen your software supply chain, improve code quality, and make security a natural part of development. For organizations that want a measurable, testable standard, OWASP recommends pairing the Top 10 with the Application Security Verification Standard (ASVS), which translates awareness into verifiable security practices. Aikido makes that easier by mapping your OWASP coverage automatically, detecting critical vulnerabilities, and helping you fix them faster.
Scan your environment with Aikido Security today to see how your stack measures up against the OWASP Top 10 2025 and where to focus next.