SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

OWASP updates Top 10 list, supply chain risks now top concern

Mon, 17th Nov 2025

The Open Web Application Security Project (OWASP) has released an updated edition of its Top 10 list, a widely-referenced ranking of application security risks. The new list marks the first update in four years and reflects several changes informed by expanded data inputs and survey responses from application security professionals.

Key changes

"Software Supply Chain Failures" has risen to third place. This entry replaces and expands on the previous "Vulnerable and Outdated Components" category. According to a survey conducted for the update, this was the most frequently cited concern among over 220 security professionals. The list also introduces a completely new category: "Mishandling of Exceptional Conditions," now in the tenth slot. This reflects issues around improper error handling and responses to abnormal conditions. "Security Misconfiguration" now occupies the second position, highlighting ongoing concerns regarding the increasing configurability of systems and the risks associated with missteps.
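The new tenth category is easiest to see in code. The following is an added example written for this page, not code from OWASP or from the article: a hypothetical permission check against a constructed in-memory permission store, written once so that any exception makes it fail open, and once so that each abnormal condition (unknown user, backend outage) is handled explicitly and results in a denial. A small error-response helper shows the second half of the category, responding to an abnormal condition without leaking internal detail to the client. All names, data and the `BackendUnavailable` failure mode are assumptions made for the demonstration.

```python
import logging
import uuid
from typing import Set

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("authz-demo")

# Constructed sample data (not from the article): a tiny in-memory permission store.
PERMISSIONS = {
    "alice": {"read", "write"},
    "bob": {"read"},
}


class BackendUnavailable(Exception):
    """Hypothetical transient outage of the permission store."""


def lookup_permissions(user: str, backend_up: bool = True) -> Set[str]:
    """Hypothetical permission lookup; raises on an outage or an unknown user."""
    if not backend_up:
        raise BackendUnavailable("permission store unreachable")
    return PERMISSIONS[user]  # KeyError for an unknown user


def is_allowed_fail_open(user: str, action: str, backend_up: bool = True) -> bool:
    """Mishandled exceptional condition: every error is swallowed and the
    caller proceeds as though the check passed (fail open)."""
    try:
        return action in lookup_permissions(user, backend_up)
    except Exception:
        return True


def is_allowed_fail_closed(user: str, action: str, backend_up: bool = True) -> bool:
    """Each abnormal condition is handled explicitly and results in a denial."""
    try:
        perms = lookup_permissions(user, backend_up)
    except KeyError:
        log.warning("authz: unknown user %r denied", user)
        return False
    except BackendUnavailable as exc:
        # An outage must not turn into an authorization: deny and surface the incident.
        log.error("authz: backend failure, denying %r: %s", user, exc)
        return False
    return action in perms


def safe_error_response(exc: Exception) -> dict:
    """Client-facing error that keeps internal detail in the log, tied to the
    response by a correlation id, instead of echoing the exception text."""
    ref = uuid.uuid4().hex[:12]
    log.error("request failed [ref=%s]: %s: %s", ref, type(exc).__name__, exc)
    return {"error": "request could not be completed", "ref": ref}


if __name__ == "__main__":
    cases = [("alice", "write", True), ("bob", "write", True),
             ("mallory", "write", True), ("bob", "read", False)]
    for user, action, up in cases:
        print(f"{user:8} {action:6} backend_up={up!s:5} "
              f"fail_open={is_allowed_fail_open(user, action, up)!s:5} "
              f"fail_closed={is_allowed_fail_closed(user, action, up)}")
    print(safe_error_response(BackendUnavailable("permission store unreachable")))
```

Run as a script, the table shows the two checks agreeing for known users while the backend is up and disagreeing exactly on the abnormal cases: the fail-open version grants the unknown user and grants everyone during the outage. The detection angle is the log line in the fail-closed version; a permission backend that is silently absorbing errors leaves no such trace.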

Expert perspectives

"Mishandling of Exceptional Conditions is a category that has been just outside the Top 10 for several years. In this iteration, there was enough data and support from the community survey to push it over the line and into the Top 10. This is part of the goal of the Top 10 to raise the baseline on each iteration to help improve software security globally," said Brian Glas, Project Lead, OWASP Top 10.

Dr Aram Hovsepyan, Security Metrics Expert, OWASP, pointed out: "Based on more than 50 in-depth security assessments we conducted with Brian across Fortune 500 companies and beyond, we have rarely seen teams address this risk effectively. It is an area that demands close collaboration between development, operations, and incident management teams, which are often highly siloed, especially in large organizations."

Data-driven approach

The new ranking makes use of two main data collection methods. First, data submitted by organisations using security testing technologies (such as SAST, DAST, IAST, penetration testing, and bug bounty schemes) represented over 2.8 million applications tested between 2020 and 2024. Second, a community survey gathered perspectives from professionals across various AppSec roles and levels of seniority. The number of Common Weakness Enumerations (CWEs) considered expanded from 30 in prior editions to 686 in this update, broadening the range of security issues reviewed.

"It's essential to understand why we construct the Top 10 in this manner. If it were purely data-driven, we would not have an accurate list, as it would only be looking into the past. The community survey is crucial in enabling people on the ground to share what they perceive as important risks that require visibility and attention, which may not be reflected in the data," said Glas.

Changing risk landscape

There is a growing recognition that security issues now extend beyond just code, tying into supply chains, third-party components, and system configuration. As applications become more modular and configurable, the risk of introducing vulnerabilities through misconfiguration or external libraries increases.

"For better or worse, software 'development' is getting more complex, and the scope beyond code is continuing to grow rapidly. This is evident with the rise of Software Supply Chain Failures and Security Misconfiguration. The current models and methodologies are asking developers to be responsible for a lot more than just writing code," said Glas.

Dr Hovsepyan added: "I don't think the Top 10 measures the state of application security as opposed to other OWASP projects such as the OWASP SAMM Benchmarking Project."

Purpose and limitations

The OWASP Top 10 is often cited in compliance contexts, but this is not the intention behind the resource. It is designed as an educational tool and starting point for organisations aiming to improve software security practices.

"It's basically impossible to create a Top 10 that exactly matches everyone's experiences and perceptions. It's basically a model and a baseline. The goal is to highlight risks that are important to address to raise the minimum bar for secure development globally. Every organization has its own 'Top 10' (or Top 3) that they identify, focus on, and reduce as much as possible. You should update your own Top 10 more frequently. The OWASP Top 10 is updated every 3-4 years to provide stability and allow the industry time to focus," said Glas.

Dr Hovsepyan noted: "Many organizations tend to misuse the Top 10. I have often seen vendor onboarding questionnaires literally asking 'Is the product compliant with the OWASP Top 10?'. The Top 10 is an awareness tool. It is a starting point in your security journey. From a marketing perspective the Top 10 has the highest impact for the OWASP community, but from a real application security perspective it is the least interesting project to look at. It is like looking at statistics of mortality causes and using that information to create a healthy lifestyle."

Expanding the toolkit

The OWASP Top 10 is positioned as an entry point for security discussions. For a more comprehensive review of best practices, projects such as OWASP SAMM, ASVS, and DSOMM were highlighted as resources for organisations wishing to improve their security maturity beyond recurring risk categories.

"The scope of SAMM is much broader than the Top 10. That's why the name is 'Software Assurance'. SAMM covers the full scope, from Governance (strategy, policy, training) through the SDL to Operations (incident response, data management, lifecycle management)," said Glas.
