OWASP Top 10 in 2025: What Changed and How to Stay Protected.

A deep dive into the latest OWASP Top 10 list, what vulnerabilities made the cut this year, and practical steps to harden your web application against each one.

8 min read · Apr 2025 · Ababil.sec

The OWASP Top 10 is the de facto standard reference for web application security. Every few years, OWASP revisits the list based on real-world data from thousands of organizations. The 2025 edition brings several meaningful shifts that every developer and security engineer should understand.

What Is the OWASP Top 10?

The Open Web Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. Its Top 10 list identifies the most critical security risks to web applications, ranked by prevalence, detectability, and business impact.

The 2025 Top 10 at a Glance

  1. Broken Access Control — Still the #1 risk; the emphasis is shifting from data-level flaws to business-logic flaws.
  2. Cryptographic Failures — Weak encryption, exposed secrets, and TLS misconfigurations.
  3. Injection — SQL, NoSQL, OS command, and now LLM prompt injection.
  4. Insecure Design — Architecture-level flaws that patches cannot fix.
  5. Security Misconfiguration — Default credentials, open cloud storage, verbose errors.
  6. Vulnerable and Outdated Components — Unpatched dependencies in your supply chain.
  7. Identification and Authentication Failures — Weak passwords, missing MFA, broken session management.
  8. Software and Data Integrity Failures — CI/CD poisoning, unsigned updates.
  9. Security Logging and Monitoring Failures — Breaches that go undetected for months.
  10. Server-Side Request Forgery (SSRF) — Attackers pivoting through your server to internal resources.

What Changed in 2025

The most notable addition is the explicit recognition of AI/LLM prompt injection under the Injection category. As language models become integrated into web applications, attackers have found ways to manipulate prompts to exfiltrate data or bypass business logic.

Insecure Design moved up significantly. The industry is recognizing that patching cannot compensate for architectural weaknesses — threat modeling during the design phase is now a baseline expectation, not a luxury.

Practical Hardening Steps

1. Broken Access Control

Implement a deny-by-default policy: every route and resource should require an explicit permission grant. Enforce authorization in server-side middleware; never rely solely on hiding controls in the front end based on role. Regularly audit your permission matrix with automated tools.
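The deny-by-default pattern above, as an added example that is not from the article: an explicit permission matrix, a middleware-style wrapper that checks it before the handler runs, and a helper for auditing what each role can reach. The roles, routes and requests are constructed for illustration.

```python
"""Deny-by-default route authorization (added example, not from the article).

A request is allowed only when an explicit rule grants the caller's role that
method on a matching route pattern; anything not matched is denied.
"""
import fnmatch
from dataclasses import dataclass, field

# Explicit permission matrix: (role, HTTP method, route pattern).
# Nothing outside this table is ever allowed. Constructed sample data.
PERMISSIONS = {
    ("admin", "GET", "/admin/*"),
    ("admin", "POST", "/admin/*"),
    ("user", "GET", "/api/profile"),
    ("user", "PUT", "/api/profile"),
    ("user", "GET", "/api/orders/*"),
}

@dataclass
class Request:
    method: str
    path: str
    # Roles are set by the server-side authentication layer, never taken from the client.
    roles: frozenset = field(default_factory=frozenset)

def is_allowed(request: Request) -> bool:
    """Return True only when an explicit rule matches; the default is deny."""
    for role, method, pattern in PERMISSIONS:
        if (role in request.roles and method == request.method.upper()
                and fnmatch.fnmatchcase(request.path, pattern)):
            return True
    return False

def authorize(handler):
    """Middleware-style wrapper: the check runs before the handler ever does."""
    def wrapped(request: Request):
        if not is_allowed(request):
            return 403, "forbidden"
        return handler(request)
    return wrapped

def reachable(role: str) -> list:
    """Audit helper: every (method, pattern) the given role can reach."""
    return sorted((m, p) for r, m, p in PERMISSIONS if r == role)

@authorize
def profile_handler(request: Request):
    return 200, f"profile for {request.path}"

def run_checks() -> list:
    """Status codes for: no role, explicit grant, role without a matching rule."""
    anon = Request("GET", "/api/profile")
    user = Request("GET", "/api/profile", frozenset({"user"}))
    escalate = Request("GET", "/admin/users", frozenset({"user"}))
    return [profile_handler(r)[0] for r in (anon, user, escalate)]
```

The third request shows the point of deny-by-default: a valid role with no matching rule is refused without any per-route code having to say so.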

2. Cryptographic Failures

Audit your data classification: identify what is sensitive, then ensure it is encrypted at rest (AES-256) and in transit (TLS 1.3). Never store passwords in plain text — use bcrypt, Argon2, or scrypt with appropriate work factors. Rotate secrets regularly and use a vault like HashiCorp Vault or AWS Secrets Manager.

3. Injection

Use parameterized queries without exception. Never concatenate user input into SQL, shell commands, or LDAP queries. For LLM integrations, treat all user input as untrusted and apply input sanitization before including it in prompts.

4. Security Misconfiguration

Automate your configuration baselines. Use infrastructure-as-code (Terraform, Pulumi) to enforce secure defaults. Disable directory listing, remove unused features, and ensure error messages do not leak stack traces to clients.

Conclusion

The OWASP Top 10 is not a checklist to complete once — it is a living document that reflects the evolving threat landscape. Building security into your development process, rather than bolting it on afterward, is the only sustainable approach. Review your application against each category quarterly and invest in developer security training.
