According to TheRegister.com, the Open Worldwide Application Security Project (OWASP) just published its 2025 Top 10 application security risks, the first major update since 2021. Broken access control remains the top issue affecting 3.73% of applications tested, while security misconfiguration jumped to second place and software supply chain failures debuted at number three. The list was presented at OWASP’s Global AppSec USA event by co-leads Neil Smithline and Tanya Janca, who described it as a “data-driven awareness document” based on organizational data and survey responses. New categories include mishandling of exceptional conditions, while server-side request forgery merged with broken access control. Separately, OWASP’s AI-specific top 10 ranks prompt injection as the leading risk for large language model applications.
Same Old Problems, Just More Obvious
Here’s the thing that really stands out: broken access control has been dominating these lists for years. We’re talking about basic stuff like URL tampering, missing API controls, and privilege escalation. These aren’t sophisticated zero-days – they’re fundamental design flaws that should have been solved decades ago. And yet they impact nearly 4% of all applications tested. That’s staggering when you think about it.
Security misconfiguration moving up to second place tells another story. Basically, as we’ve shifted to cloud-native and infrastructure-as-code approaches, we’ve traded one set of problems for another. Instead of hardcoding security, we’re configuring it – and apparently doing a pretty poor job. This is particularly relevant for industrial systems where industrial panel PCs and control systems increasingly rely on proper configuration rather than traditional perimeter security.
New Threats, Same Underlying Issues
The addition of software supply chain failures at number three is telling. While relatively rare, these incidents have “the highest average exploit and impact scores” according to OWASP. Translation: when supply chain attacks happen, they’re devastating. Think SolarWinds-scale consequences.
And then there’s the AI angle. OWASP’s separate LLM Top 10 puts prompt injection at the top, which makes perfect sense. We’re building these incredibly powerful AI systems that can be completely derailed by cleverly crafted text inputs. It’s like we learned nothing from SQL injection.
Community Reality Check
The Reddit discussions around this release are brutally honest. One developer pointed out that “the situation around security is the same as it was five years ago, and 10 years ago, and 15 years ago, and 20 years ago.” Ouch. But is he wrong?
Another comment from the software development subreddit highlights the management perspective: secure coding remains “very much an afterthought” until something bad happens. By then, of course, it’s too late. This perfectly explains why we keep seeing the same categories year after year.
So What Actually Changes?
The new category for mishandling exceptional conditions is interesting. Janca explained on Reddit that they originally considered “poor code quality” but realized that was too vague. Instead, they focused on specific failure modes like race conditions and information leakage in error messages. That’s actually useful guidance.
But here’s my question: if we know what the problems are, and we’ve known for years, why are we still failing so spectacularly? The OWASP guidance for broken access control suggests “deny by default” for non-public resources. That’s Security 101 stuff. Yet it remains our biggest problem.
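As an added illustration of that deny-by-default rule (not code from OWASP or the article), here is a minimal authorization layer in which every action must match an explicit allow rule and the object id taken from the URL is checked per object, so a tampered id fails closed; the users, documents and in-memory store are constructed sample data.

```python
# Added illustration of OWASP's "deny by default" guidance for access control.
# Constructed in-memory store and users; not code from OWASP or the article.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str
    public: bool = False

# Constructed sample data: two owners, one public document.
DOCS = {
    "1001": Document("1001", owner_id="alice"),
    "1002": Document("1002", owner_id="bob"),
    "1003": Document("1003", owner_id="bob", public=True),
}

# Explicit allow rules keyed by action. An action with no rule is denied,
# so a new endpoint added without a rule fails closed instead of open.
ALLOW_RULES = {
    "read": lambda u, d: d.public or d.owner_id == u.id or "admin" in u.roles,
    "write": lambda u, d: d.owner_id == u.id or "admin" in u.roles,
}

def authorize(user, action, doc):
    """True only when an explicit allow rule matches the caller and resource."""
    if user is None:                      # anonymous: only public reads
        return action == "read" and doc.public
    rule = ALLOW_RULES.get(action)
    return bool(rule and rule(user, doc))

def handle(user, action, doc_id):
    """Simulated endpoint: the object id comes straight from the URL, so the
    check must run per object, not just per route. Unauthorized and missing
    objects both return 404 so the response does not confirm which ids exist."""
    doc = DOCS.get(doc_id)
    if doc is None or not authorize(user, action, doc):
        return 404, None
    return 200, doc

if __name__ == "__main__":
    alice = User("alice")
    print(handle(alice, "read", "1001"))   # own document: 200
    print(handle(alice, "read", "1002"))   # tampered id: 404
```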
Maybe the issue isn’t technical knowledge anymore. Maybe it’s about incentives, deadlines, and organizational culture. The tools have gotten better at finding problems, but the fundamental business pressures that lead to insecure code haven’t changed at all. And until they do, I suspect we’ll be reading a very similar OWASP Top 10 in 2029.
