Simuna Infosec
Technical | 2026-07-05

OWASP Top 10:2025 - What Changed and What It Means for Security Testing

The OWASP Top 10 was updated in 2025. Here's what changed, what's new, and what the shifts mean for your security testing program.

The OWASP Top 10 is the most widely referenced awareness document in web application security. The 2025 edition, released at OWASP Global AppSec USA in late 2025, introduces several changes from the 2021 edition. Understanding what changed helps organisations align their testing programmes with the current categories rather than the ones their checklists were written against.

What Stayed at the Top

Broken Access Control remains the number-one risk, the position it first took in the 2021 edition. This is not surprising: authorisation flaws are among the most prevalent serious vulnerability classes in real-world applications, and they are precisely the category automated scanners struggle with most, because detecting them requires knowing the intended access model. A scanner that sees a normal 200 response when user B requests user A's record has no way to tell whether that was intended; a tester who knows the tenancy rules does.

Key Changes in the 2025 Edition

**Security Misconfiguration** climbed from fifth place in 2021 to the number-two position, reflecting the growing weight of cloud and infrastructure configuration as attack surfaces expand beyond the application itself.

**Software Supply Chain Failures** is a new category that broadens the 2021 edition's Vulnerable and Outdated Components, reflecting industry recognition that attacks through compromised dependencies, build and distribution pipelines, and third-party components are a distinct and growing threat class, not merely a matter of unpatched libraries.
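The control that most directly addresses the dependency half of this category is pinning every dependency to the digest of the exact artifact that was reviewed, and refusing to install anything else. The following is an added example of that check, not Simuna Infosec tooling or OWASP code; the lockfile, package names, artifact bytes and the "backdoored" replacement are all constructed for the demo, and the `--hash=sha256:` syntax is pip's hash-checking format.

```python
"""Hash-pinned dependency verification (added example, constructed data).

Turns 'we depend on package X' into 'we depend on exactly these bytes':
every requirement must carry a sha256 pin, and the fetched artifact must
match one of its pins. Missing pins fail, as pip's hash-checking mode does.
"""

import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts as they were when the lockfile was reviewed.
GOOD_ARTIFACTS = {
    "leftpad": b"leftpad-1.0.0 wheel contents (constructed)",
    "tzdata": b"tzdata-2025.1 wheel contents (constructed)",
}
VERSIONS = {"leftpad": "1.0.0", "tzdata": "2025.1"}

# Constructed lockfile in pip's `name==version --hash=sha256:<hex>` syntax,
# pinned to the digests of GOOD_ARTIFACTS.
LOCKFILE = "\n".join(
    f"{name}=={VERSIONS[name]} --hash=sha256:{sha256_hex(data)}"
    for name, data in GOOD_ARTIFACTS.items()
)

# A requirement line: name==version followed by zero or more hash pins.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def parse_lockfile(text: str) -> dict:
    """Map package name -> set of acceptable sha256 digests (may be empty)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        pins[m.group("name")] = set(
            re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes"))
        )
    return pins


def verify(lockfile_text: str, artifacts: dict):
    """Return (ok, reasons). Fails if any package lacks a pin, is missing
    from the fetched artifacts, or has bytes that match none of its pins."""
    reasons = []
    for name, hashes in parse_lockfile(lockfile_text).items():
        if not hashes:
            reasons.append(f"{name}: no --hash pin (install would trust the index)")
            continue
        data = artifacts.get(name)
        if data is None:
            reasons.append(f"{name}: artifact missing")
            continue
        if sha256_hex(data) not in hashes:
            reasons.append(f"{name}: digest mismatch (artifact changed since pinning)")
    return (not reasons, reasons)


def tampered_artifacts() -> dict:
    """Constructed scenario: the index now serves a different leftpad build."""
    return dict(GOOD_ARTIFACTS,
                leftpad=b"leftpad-1.0.0 wheel contents (constructed, backdoored)")


# Constructed scenario: a developer appended an unpinned requirement.
UNPINNED_LOCKFILE = LOCKFILE + "\nrequests==2.32.0\n"


if __name__ == "__main__":
    print("clean:    ", verify(LOCKFILE, GOOD_ARTIFACTS))
    print("tampered: ", verify(LOCKFILE, tampered_artifacts()))
    print("unpinned: ", verify(UNPINNED_LOCKFILE, GOOD_ARTIFACTS))
```

The same idea applies one level up: the lockfile itself should be reviewed in the same change that alters it, since an attacker who can edit the pins can point them at their own artifact.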

**Mishandling of Exceptional Conditions** is another new entry. It covers how applications behave on errors, edge cases, and unexpected states: error paths that skip a check or fail open, exceptions that leak stack traces and internal detail, and unusual input that drives a component into a state its authors never tested. These situations frequently reveal or create security vulnerabilities.
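The most damaging instance of this category is an authorization decision that fails open when something in the decision path raises. The following added example (not code from Simuna Infosec or OWASP) shows the vulnerable and the hardened handling side by side; the `PolicyService`, its simulated outage, and the users and resources are constructed for the demo.

```python
"""Fail-open vs fail-closed handling of an exceptional condition in an
authorization check (added example, constructed data)."""

import logging

log = logging.getLogger("authz")


class PolicyServiceError(Exception):
    """Raised when the (simulated) policy backend is unreachable."""


class PolicyService:
    """Toy policy backend: a set of (user, action, resource) grants.
    `available=False` simulates an outage, the exceptional condition under test."""

    def __init__(self, grants, available=True):
        self.grants = set(grants)
        self.available = available

    def check(self, user, action, resource):
        if not self.available:
            raise PolicyServiceError("policy backend timed out")
        return (user, action, resource) in self.grants


def is_allowed_fail_open(policy, user, action, resource):
    """VULNERABLE: a backend failure is treated as 'no objection'.
    While the policy service is down, every request is allowed."""
    try:
        return policy.check(user, action, resource)
    except PolicyServiceError:
        # The developer's intent was 'don't break the app during an outage';
        # the effect is that the outage disables authorization entirely.
        return True


def is_allowed_fail_closed(policy, user, action, resource):
    """HARDENED: any exceptional condition in the decision path denies,
    and is logged so the outage is visible to operators."""
    try:
        return policy.check(user, action, resource)
    except PolicyServiceError as exc:
        log.error("authorization unavailable, denying %s %s %s: %s",
                  user, action, resource, exc)
        return False


def exercise(checker, available):
    """Run three constructed requests through `checker` with the backend
    up or down; returns the list of allow/deny decisions."""
    policy = PolicyService(
        grants=[("alice", "read", "invoice/1"), ("bob", "read", "invoice/2")],
        available=available,
    )
    requests = [
        ("alice", "read", "invoice/1"),   # legitimate
        ("bob", "read", "invoice/1"),     # horizontal access attempt
        ("bob", "delete", "invoice/2"),   # privilege escalation attempt
    ]
    return [checker(policy, *r) for r in requests]


if __name__ == "__main__":
    for name, checker in [("fail-open  ", is_allowed_fail_open),
                          ("fail-closed", is_allowed_fail_closed)]:
        print(name, "backend up:  ", exercise(checker, available=True))
        print(name, "backend down:", exercise(checker, available=False))
```

When testing for this class, the interesting inputs are not malformed requests but conditions that make the application's own dependencies fail: a slow or unreachable backend, an exhausted connection pool, a malformed record in a cache. The question is always what the code does on the path it did not expect to take.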

**Server-Side Request Forgery (SSRF)**, a standalone category in the 2021 edition, has been merged into Broken Access Control in 2025. It no longer appears as its own entry but remains in scope, treated as a failure to restrict which resources a server-side component may reach.

What This Means for Testing

The 2025 shifts have practical implications for how organisations should approach security testing. The prominence of supply-chain risk means testing should cover dependencies, lockfiles, and build and release pipelines, not just application code. The continued dominance of Broken Access Control reinforces the need for manual, human-led testing of authorisation logic, the one category automated tools consistently fail to assess because they cannot infer which user is meant to reach which resource. The rise of misconfiguration means cloud and infrastructure configuration belongs in scope alongside the application, and the new exceptional-conditions category means error paths deserve the same attention as the happy path.
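What "human-led testing of authorisation logic" produces in practice, for the reasons given under Broken Access Control above and in this section, is an access model written down by the tester and then exercised against every user/action/resource combination. The following is an added example of such a matrix test, not Simuna Infosec's methodology or tooling; the toy application with its deliberate IDOR, the users, tenants and invoices, and the intended policy are all constructed here, and on a real engagement the handler calls would be HTTP requests against the target.

```python
"""Authorization-matrix test: compare what the application allows against
what the tester's access model says it should allow (added example,
constructed application and data)."""

from itertools import product

# --- constructed application under test ------------------------------------
USERS = {
    "alice": {"role": "customer", "tenant": "acme"},
    "bob":   {"role": "customer", "tenant": "globex"},
    "carol": {"role": "support",  "tenant": "acme"},
}
INVOICES = {
    "inv-100": {"tenant": "acme"},
    "inv-200": {"tenant": "globex"},
}


def app_get_invoice(user, invoice_id):
    """Deliberate IDOR: authenticates the caller but never compares the
    invoice's tenant to the caller's tenant. Returns an HTTP-style status."""
    if user not in USERS:
        return 401
    if invoice_id not in INVOICES:
        return 404
    return 200


def app_delete_invoice(user, invoice_id):
    """Correct vertical check (support only) but the same missing tenant check."""
    if user not in USERS:
        return 401
    if USERS[user]["role"] != "support":
        return 403
    if invoice_id not in INVOICES:
        return 404
    return 200


HANDLERS = {"read": app_get_invoice, "delete": app_delete_invoice}


# --- the access model the tester derived from the specification ------------
def expected_allowed(user, action, invoice_id):
    """Intended policy: customers may read invoices of their own tenant only;
    support may read and delete invoices of their own tenant only."""
    u, inv = USERS[user], INVOICES[invoice_id]
    if u["tenant"] != inv["tenant"]:
        return False
    if action == "delete" and u["role"] != "support":
        return False
    return True


def run_matrix():
    """Exercise every (user, action, invoice) cell. Returns two lists:
    cells the app allowed but the model forbids (the security findings), and
    cells the model allows but the app denied (functional, not security)."""
    violations, over_restrictions = [], []
    for user, action, inv in product(USERS, HANDLERS, INVOICES):
        status = HANDLERS[action](user, inv)
        allowed = status == 200
        if allowed and not expected_allowed(user, action, inv):
            violations.append((user, action, inv))
        elif not allowed and expected_allowed(user, action, inv):
            over_restrictions.append((user, action, inv))
    return violations, over_restrictions


if __name__ == "__main__":
    bad, odd = run_matrix()
    for cell in bad:
        print("VIOLATION: %s may %s %s" % cell)
    print("functional over-restrictions:", odd)
```

Every violation here is horizontal (a user reaching another tenant's invoice) and every response involved was a normal 200, which is exactly why a scanner that lacks the `expected_allowed` model reports nothing. The vertical check on delete is found to be correct by the same run, which is useful negative evidence for the report.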

How Simuna Infosec Aligns

Our testing methodology covers the OWASP Top 10:2025 as a baseline and extends beyond it with proprietary test cases for business-logic abuse and transaction-level vulnerabilities. We test against the current standard, not the 2021 edition, so that our clients' assessments reflect the current threat landscape.