OWASP Highlights Supply Chain Risks in New Top 10
Recorded: Nov. 10, 2025, 11:01 p.m.
| Original | Summarized |
Security misconfiguration jumped to second place while injection vulnerabilities dropped, as organizations improve defenses against traditional coding flaws.

Jai Vijayan, Contributing Writer
November 10, 2025

[Image: concept illustration of a software supply chain. Source: A9 STUDIO via Shutterstock]

OWASP has updated its list of Top 10 software vulnerabilities to align it better with the current threat landscape and modern development practices.

The Nov. 6 release is OWASP's first major Top 10 update since 2021 and is notable for its emphasis on supply chain risks and systemic design weaknesses rather than just common software coding errors. For defenders, the key takeaway is the need to integrate application security, software supply chain oversight, and operational resilience practices more tightly together.

The Real Nature of Security Risk

"The 2025 OWASP Top 10 highlights how far the industry has come in understanding the real nature of risk," says Shane Barney, chief information security officer (CISO) at Keeper Security. "It's not just about patching bugs anymore. It's about recognizing that vulnerabilities often stem from the complexity of our systems and the pace at which technology moves. Security teams are no longer chasing flaws; they're managing the conditions that allow them to form in the first place," he says.

OWASP assembled its updated list based on community feedback and analysis of data related to some 220,000 CVEs mapped to 589 Common Weakness Enumeration (CWE) identifiers, compared to 400 CWEs in 2021.
A CWE is an identifier for a specific type or category of software or hardware vulnerability.

Two of the biggest changes in OWASP's list are the introduction of a new "Mishandling of Exceptional Conditions" category and the retitling and redefinition of 2021's "Vulnerable and Outdated Components" into a much broader "Software Supply Chain Failures" category. OWASP listed the supply chain category third on its Top 10 list based on feedback from the community, which overwhelmingly voted it a top concern. "This category has 5 CWEs and a limited presence in the collected data, but we believe this is due to challenges in testing and hope that testing catches up in this area," OWASP said in the latest Top 10 list. "This category has the fewest occurrences in the data, but also the highest average exploit and impact scores from CVEs."

Mishandling of Exceptional Conditions ranked 10th in OWASP's list and covers security issues tied to error handling, logic flaws, and other scenarios that arise when a system encounters abnormal conditions.

Security misconfiguration errors moved up three spots, from #5 in the previous Top 10 list to second in the new one, because they have become a much more prevalent source of security compromises. Three percent of the nearly 2.8 million applications that OWASP analyzed had one or more of the 16 common CWEs in the category. "This is not surprising, as software engineering is continuing to increase the amount of an application's behavior that is based on configurations," OWASP said.

OWASP ranked Cryptographic Failures, Injection, and Insecure Design lower on the new list compared to 2021, reflecting improvements many organizations have made in addressing these issues.
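An added illustration of the Mishandling of Exceptional Conditions category described above (example code written for this edit, not from the article or from OWASP): a constructed webhook receiver whose HMAC signature check fails open when the signature header is missing or malformed, next to a version that fails closed. The header format, key and payload are assumptions made for the example.

```python
import hashlib
import hmac
import logging
log = logging.getLogger("webhook")

# Constructed example: a webhook receiver checking an HMAC-SHA256 signature
# carried in a header of the assumed form "sha256=<hex digest>".
KEY = b"constructed-demo-key"
BODY = b'{"event":"deploy","ref":"main"}'

def _expected(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def _parse_header(header: str) -> bytes:
    # A missing, malformed or non-hex header is an abnormal condition: raise.
    scheme, _, hexdigest = header.partition("=")
    if scheme != "sha256":
        raise ValueError("unsupported or missing scheme")
    return bytes.fromhex(hexdigest)  # ValueError on non-hex input or odd length

def handle_fail_open(key: bytes, body: bytes, header: str) -> str:
    # Mishandled: the deny decision lives inside the try block, so the
    # exceptional path never sets it and an unreadable header gets processed.
    rejected = False
    try:
        if not hmac.compare_digest(_expected(key, body), _parse_header(header)):
            rejected = True
    except ValueError as exc:
        log.warning("signature header unreadable (%s)", exc)  # logged, not acted on
    return "rejected" if rejected else "processed"

def handle_fail_closed(key: bytes, body: bytes, header: str) -> str:
    # Hardened: nothing is accepted until the check positively succeeds, so
    # every abnormal path (parse errors included) ends in a deny.
    verified = False
    try:
        verified = hmac.compare_digest(_expected(key, body), _parse_header(header))
    except ValueError as exc:
        log.warning("rejecting request: bad signature header (%s)", exc)
    return "processed" if verified else "rejected"

def demo() -> dict:
    cases = {
        "good": "sha256=" + _expected(KEY, BODY).hex(),
        "forged": "sha256=" + "00" * 32,  # well-formed but wrong
        "malformed": "sha256=not-hex",    # abnormal condition
        "missing": "",
    }
    return {n: (handle_fail_open(KEY, BODY, h), handle_fail_closed(KEY, BODY, h))
            for n, h in cases.items()}
```

Both variants reject a forged signature; only the fail-open variant processes a request whose header could not be parsed at all, which is exactly the "silent failure" the category is about.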
The remaining categories (Authentication Failures, Software or Data Integrity Failures, and Logging and Alerting Failures) retained their previous seventh, eighth, and ninth spots on the list, respectively.

It's Not Just About Coding Errors

One of the biggest takeaways from the update is OWASP's recognition that security failures often stem less from individual software bugs than from inherent weaknesses across the software lifecycle, including development pipelines, cloud configurations, and supply chain dependencies.

"The 2025 OWASP Top 10 broadens the defender's lens from code correctness to systemic assurance across the full software lifecycle," says Gary Schwartz, go-to-market lead at NetRise. "This reflects a more realistic understanding of how attackers exploit systems — not just through injection or logic bugs, but through silent failures and missed alerts."

Overall, OWASP's 2025 list portrays security as a continuum of design, implementation, and operations rather than a static snapshot of the code. There is broader recognition of the need to address the root causes of security failures rather than just the symptoms, he says.

For security leaders, the list reinforces the fact that prevention and resilience must work hand in hand, Barney adds. It reflects how security has evolved from a one-time project or a compliance checkbox to a continuous process, built into every stage of design and deployment. "The updated OWASP framework is a reminder that our defenses are only as strong as the consistency of our engineering, the clarity of our processes and the discipline of our teams," he says.

OWASP's revisions highlight that many breaches stem from inherited weaknesses such as vulnerable open source components, outdated crypto libraries, or insecure defaults, rather than novel exploits, Schwartz notes.
By explicitly naming supply chain and design-stage issues, OWASP is seeking to reinforce the need for defense in depth. "For defenders, the message is to ensure visibility from the code repository through the CI/CD pipeline to production environments where those weaknesses actually manifest," Schwartz says.

Not Going Far Enough?

Some, though, like Jeff Williams, chief technology officer (CTO) at Contrast Security, were underwhelmed by the update. He says it's unfortunate that the OWASP team did not consider attacks in production, which is where a lot of attacks are happening.

"I'm glad to see them expand the [supply chain security] category from just libraries to the whole supply chain," Williams notes. But most organizations are already squarely focused on libraries and struggling to keep up with a tidal wave of CVEs as it is, he says. "I'm not sure this is going to make them expand the scope of their program."

Also, the addition of exceptional conditions to OWASP's Top 10 list only brings back what was the Improper Error Handling category in earlier versions, Williams pointed out. It's not entirely wrong to include the category in the list, as system exceptions can sometimes lead to security holes. "But the data shows that this is not very often the cause of significant vulnerabilities," he says. "I wish they had stayed with items that are the most risky: that's the mission of the T10."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India.
Jai has a Master's degree in Statistics and lives in Naperville, Ill.
The Open Web Application Security Project (OWASP) has released its updated 2025 Top 10 list of software vulnerabilities, marking a significant shift in focus toward supply chain risks and systemic design weaknesses. This is the first major revision since 2021 and reflects an understanding of security risk that goes beyond traditional coding errors. The primary takeaway is that organizations need to integrate application security, software supply chain oversight, and operational resilience practices more tightly. The list moves away from addressing individual vulnerabilities in isolation toward managing systemic weaknesses across the entire software lifecycle. Previously the focus was heavily on coding flaws; the updated list emphasizes robust processes and oversight throughout development, deployment, and operations. Shane Barney, CISO at Keeper Security, notes that security is no longer simply about patching bugs; it is about recognizing the complexity of systems and the pace of technological change. A key change is the introduction of "Mishandling of Exceptional Conditions" and the redefinition of "Vulnerable and Outdated Components" as "Software Supply Chain Failures." The supply chain category covers 5 CWEs and has a limited presence in the collected data, which OWASP attributes to challenges in testing for these issues. This expansion underscores the growing recognition that vulnerabilities often originate from poorly handled errors, misconfigured systems, or reliance on outdated components within the supply chain. Several previously high-ranking categories, such as Cryptographic Failures, Injection, and Insecure Design, have been downgraded, reflecting improvements many organizations have made in addressing these issues. However, the move of Security Misconfiguration into second place demonstrates the continued prevalence of that problem.
The surge in security misconfigurations stems from the increasing reliance on configurable systems and the expanding attack surface created by cloud environments. The 2025 OWASP Top 10's broader lens covers not just code correctness but systemic assurance across the full software lifecycle. Gary Schwartz, go-to-market lead at NetRise, says this reflects a more realistic understanding of how attackers exploit systems: not just through code bugs, but through silent failures and missed alerts. This perspective emphasizes visibility throughout the entire software supply chain, from the code repository through the CI/CD pipeline to production environments. Ultimately, the revised OWASP Top 10 is a reminder that security must be treated as a continuous process, built into every stage of design and deployment, rather than a one-time project or a compliance checkbox. The article, citing Barney, highlights that prevention and resilience must work hand in hand, reinforcing the evolution of security from a reactive to a proactive endeavor. Many breaches stem from inherited weaknesses (vulnerable open-source components, outdated crypto libraries, or insecure defaults) rather than novel exploits. By explicitly naming supply chain and design-stage issues, OWASP is seeking to reinforce the need for defense in depth; visibility from the code repository through the CI/CD pipeline to production environments is now critical. Despite some criticism, notably from Jeff Williams, CTO at Contrast Security, regarding the scope of the update, the inclusion of exceptional conditions and supply chain issues represents a significant step forward. Addressing these risks, however, requires greater investment in tools, processes, and expertise across the software lifecycle.