What is OWASP Top 10?

Willem Delbare

In the rapidly shifting digital landscape, application security is a necessity. One of the most effective ways to bolster your application’s security is by evaluating it with the OWASP Top 10. But what exactly is the OWASP Top 10, and why should it matter to you?

OWASP Top 10: a framework for web security

The Open Web Application Security Project (OWASP) is a nonprofit foundation that strives to make software on the web more secure. Their Top 10 is a widely recognized report that outlines the 10 most critical web application security risks. It’s essentially a checklist of the most common weaknesses that could make your application a target for cyber threats.

Why should you care about the OWASP Top 10?

The OWASP Top 10 is all about risk management. Addressing the vulnerabilities highlighted in the OWASP Top 10 helps you mitigate the risk of a security breach, develop safer code, and create a more secure application.

Following the OWASP Top 10 is also a smart move to adhere to regulatory standards and give users faith in your commitment to security best practices. If your application handles sensitive data, your users want to know that it is safe.

The OWASP checklist is updated about every three or four years and the last update was in 2025. Some consolidation, renaming, and rearranging occur each time, as vulnerabilities and threats rise and fall in severity. Being aware of current dangers can help you to know where to start and what critical risks need immediate attention.

Let’s take a look at the most recent checklist.

OWASP Top 10 Web Application Security Risks

Below is an overview of the current list. For the full breakdown of the changes and how they affect developers, read this blog.

A01: Broken Access Control

Broken access control remains the leading risk in web application security. It occurs when restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to bypass authorization, access other users’ data, modify or destroy records, or escalate privileges to gain administrative control.
In 2025, OWASP consolidated Server-Side Request Forgery into this category, reflecting how access control failures often enable broader network-level abuse. The core guidance remains unchanged: deny by default, and enforce authorization consistently on the server side.
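An added example, not code from the original post, showing the "deny by default, enforce on the server" guidance above for a single resource. The invoice records, user roles and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin" (constructed roles)


class Forbidden(Exception):
    pass


# Constructed sample data: invoice id -> record with its owning user id
INVOICES = {
    101: {"owner": 1, "total": 250},
    102: {"owner": 2, "total": 900},
}


def get_invoice_insecure(invoice_id: int) -> dict:
    """Vulnerable pattern: the handler fetches whatever id the client sent
    and never asks who is asking, so changing the id in the request reads
    another user's invoice (broken access control)."""
    return INVOICES[invoice_id]


def can_access(current_user: User, invoice_id: int) -> bool:
    """Deny by default: only an explicit rule (owner or admin) grants access,
    and an unknown invoice is treated the same as a denied one."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return False
    if current_user.role == "admin":
        return True
    return record["owner"] == current_user.id


def get_invoice(current_user: User, invoice_id: int) -> dict:
    """Hardened handler: identity comes from the authenticated session, and
    the check runs on the server for every request, not in the client."""
    if not can_access(current_user, invoice_id):
        raise Forbidden(f"user {current_user.id} may not read invoice {invoice_id}")
    return INVOICES[invoice_id]
```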

A02: Security Misconfiguration

Security misconfiguration refers to weaknesses caused by insecure default settings, exposed services, missing patches, or inconsistent controls across environments. These issues can exist at any level of the stack, from application code to cloud infrastructure.

Mitigation starts with reducing the attack surface. Remove unnecessary features and components, disable default credentials, avoid overly verbose error messages, and keep systems properly configured and up to date.

A03: Software Supply Chain Failures

Expanded in 2025, software supply chain failures cover risks across the entire software ecosystem, including third-party dependencies, build systems, CI/CD pipelines, and distribution channels.
OWASP’s expansion reflects real-world attacks that Aikido Security identified and analyzed through its 2025 research. These include Shai Hulud, a stealthy npm malware campaign that exfiltrated credentials through transitive dependencies; S1ngularity, a dependency confusion operation targeting developer workstations and CI systems; the September npm malware outbreak that compromised widely used packages such as chalk, debug, and ansi-regex; and the React-Native-Aria trojan, which embedded a remote access payload into legitimate npm releases. These incidents show how a single compromised dependency can quickly propagate from developer machines into production environments.

A04: Cryptographic Failures

Cryptographic failures occur when sensitive data such as credentials, personal data, or financial information is not properly protected. This includes weak or outdated encryption, poor key management, or missing encryption for data in transit or at rest.
Organizations should assess data sensitivity, use modern cryptographic standards, and regularly review encryption protocols, algorithms, and key-handling practices.

A05: Injection

Injection vulnerabilities arise when untrusted input is interpreted as commands or queries by an application. This can lead to unauthorized data access, data corruption, or system compromise.
Despite being a long-standing risk, injection flaws remain common. Preventive measures include input validation, parameterized queries, safe APIs, and consistent application security testing before deployment.
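An added example, not from the original post, contrasting string-built SQL with the parameterized query the text recommends. It uses Python's standard sqlite3 module with a constructed in-memory users table and a constructed hostile input.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 1)],
    )
    return conn


def find_user_insecure(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so the database
    interprets it as part of the query rather than as a value."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a placeholder sends the value separately from the query
    text, so the driver never treats the input as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed hostile input: a tautology that widens the WHERE clause
HOSTILE = "x' OR '1'='1"
```

With the insecure version the hostile string returns every row; the parameterized version looks for a user literally named `x' OR '1'='1` and finds none.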

A06: Insecure Design

Insecure design focuses on architectural weaknesses that exist even when code is implemented correctly. A lack of threat modeling, insecure design patterns, or failure to account for abuse cases can leave applications fundamentally vulnerable.
OWASP emphasizes shifting security earlier in the lifecycle through secure design principles, reference architectures, and risk-based decision-making aligned with business requirements.

A07: Authentication Failures

Authentication failures occur when login mechanisms, credential management, or session handling are implemented incorrectly. Attackers may exploit weak passwords, credential reuse, flawed recovery processes, or automated attacks to assume other users’ identities.
OWASP recommends strong authentication controls, including multi-factor authentication where possible, secure session management, and protections against brute-force and credential-stuffing attacks.

A08: Software or Data Integrity Failures

This category covers failures to ensure that software updates, configuration data, or critical application data have not been tampered with. Common risks include unsigned updates, insecure deserialization, and unverified data sources.
To reduce exposure, teams should use digital signatures, verify integrity before execution, secure CI/CD access, and avoid distributing unsigned or unvalidated code and data.
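An added example, not code from the original post, for the "verify integrity before execution" point here and the A03 supply-chain discussion above: an artifact is checked against a pinned integrity string before it is used. The `sha512-<base64>` form mirrors the `integrity` field in npm's package-lock.json; the artifact bytes, the pin and the function names are constructed.

```python
import base64
import hashlib
import hmac


class IntegrityError(Exception):
    pass


def compute_integrity(data: bytes, algo: str = "sha512") -> str:
    """Return an SRI-style integrity string ("<algo>-<base64 digest>")."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(data: bytes, pinned: str) -> bool:
    """True only if the bytes match the pinned digest. Unknown or weak
    algorithms and malformed pins are rejected rather than accepted."""
    algo, sep, expected_b64 = pinned.partition("-")
    if sep == "" or algo not in ("sha256", "sha384", "sha512"):
        return False
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


def install_artifact(data: bytes, pinned: str) -> int:
    """Integrity gate: refuse to 'install' (here: return the byte count)
    unless the artifact matches what was pinned at resolution time."""
    if not verify_integrity(data, pinned):
        raise IntegrityError("artifact does not match pinned integrity")
    return len(data)


# Constructed artifact and a pin computed from its known-good bytes
GOOD = b"module.exports = function add(a, b) { return a + b; };\n"
PIN = compute_integrity(GOOD)
TAMPERED = GOOD.replace(b"a + b", b"a - b")  # constructed modification
```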

A09: Security Logging and Alerting Failures

Insufficient logging and alerting make it difficult to detect, investigate, and respond to attacks. Without proper visibility, attackers can remain undetected while moving laterally or extracting data.
OWASP recommends logging security-relevant events such as authentication attempts and access failures, protecting logs from tampering, centralizing monitoring, and integrating alerts with incident response processes.

A10: Mishandling of Exceptional Conditions

New in the 2025 list, mishandling of exceptional conditions highlights risks that arise when applications fail unsafely. Poor error handling, unhandled edge cases, or fail-open logic can expose sensitive information or lead to denial-of-service conditions.

Secure applications should fail predictably, avoid leaking internal details through error messages, and handle unexpected states consistently across all execution paths.
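An added example, not from the original post, showing a permission check that fails open beside one that fails closed and keeps internal details out of the response (the verbose-error point from A02 applies here too). The permission backend, its outage, and the request/response shapes are constructed.

```python
import logging

log = logging.getLogger("authz")


class PermissionServiceDown(Exception):
    """Constructed: the backend that answers permission queries is unreachable."""


def lookup_permission(user_id: int, action: str) -> bool:
    """Constructed backend: user 1 may only 'read'; user 2's lookup times out."""
    if user_id == 2:
        raise PermissionServiceDown("permission store timeout for user 2")
    return action == "read"


def is_allowed_fail_open(user_id: int, action: str) -> bool:
    """Vulnerable pattern: an exception inside the check is swallowed and the
    request is allowed, so an outage (or any induced error) becomes a bypass."""
    try:
        return lookup_permission(user_id, action)
    except Exception:
        return True


def handle_request(user_id: int, action: str) -> dict:
    """Hardened: any failure denies the request, the detail goes to the
    internal log, and the caller sees only a generic status."""
    try:
        allowed = lookup_permission(user_id, action)
    except PermissionServiceDown as exc:
        log.error("authz backend failure for user %s: %s", user_id, exc)
        return {"status": 503, "body": "service unavailable"}  # fail closed
    if not allowed:
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": f"{action} ok"}
```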

OWASP Top 10 for Agentic AI (2026)

OWASP has introduced a separate OWASP Top 10 for Agentic Applications (2026) to address security risks unique to autonomous, tool-using AI systems. Unlike traditional applications, agentic systems can plan, delegate, and take actions across tools, workflows, and environments, creating new attack surfaces that do not map cleanly to the OWASP Top 10 2025.

The Agentic Top 10 highlights risks such as prompt-based goal hijacking, unsafe tool execution, privilege misuse, memory poisoning, and cascading failures across multiple agents. OWASP also introduces the principle of least agency, meaning agents should only be given the minimum autonomy and permissions required to perform clearly scoped tasks.

For teams already using the OWASP Top 10 to guide application and supply chain security, this list extends the same risk-based approach to AI-driven automation, copilots, and multi-agent systems increasingly used in production.

Why use OWASP Top 10?

The OWASP Top 10 is not just a list of problems; it’s a guide to solutions. Each item on the checklist includes a section on how to prevent the vulnerability and example attack scenarios that provide developers with practical steps to improve their application's security. Securing your application is an ongoing process and new threats emerge all the time. By staying vigilant and making security a priority, you can keep your application secure and your users safe.

And for companies, the OWASP Top 10 isn’t just a checklist, it's a conversation starter. It’s a tool that brings security to the forefront of the development process, fostering a culture of security awareness within your organization. By focusing on the OWASP Top 10, you’re not just enhancing your application’s security, you’re making security a core part of your development process.

Aikido gives you your OWASP Top 10 score in just a few clicks
Aikido automatically scans your environment and gives you your OWASP Top 10 score

Aikido makes it easy for you to scan your development environment for OWASP Top 10 coverage. Our testing tools and security reports give you a clear OWASP Top 10 score and an analysis of the measures taken to prevent each vulnerability. You can share the reports with stakeholders and use them to get a quick snapshot of what security practices you need to focus on.

Scan your environment with Aikido right now to get your OWASP Top 10 score.
