OWASP Top 10 2025 Highlights Supply Chain Risks and Misconfiguration of Systems


459/68 Wednesday, November 12, 2025

OWASP (Open Web Application Security Project) has announced the 2025 edition of the Top 10 Web Application Security Risks, marking a significant update since the 2021 release. The changes reflect a major shift in the threat landscape: the new list emphasizes risks arising from software supply chains and system design/configuration failures, rather than just traditional coding errors. This signals to security professionals that application security must be integrated with supply chain oversight and operational resilience.

One of the most notable changes is the elevation of “Software Supply Chain Failures” to the #3 position, expanding the scope beyond the original category of “Using Vulnerable and Out-of-date Components” to cover broader service-and-process-level failures. At the same time, “Security Misconfiguration” has jumped from #5 to #2, reflecting its increasing role in successful attacks. Conversely, classic vulnerabilities such as Injection and Cryptographic Failures have dropped in ranking, suggesting that many organizations have improved their defenses against these traditional issues.

From the perspective of experts at Keeper Security, the updated ranking shows that modern security failures often don’t stem purely from software bugs, but from the complexity of large systems and the pace of technology development. Organizations therefore need to shift from a reactive “patch-and-fix” mindset to a proactive risk-management approach, securing the full software lifecycle – from design and code-management through to operational environment – in order to defend against threats embedded in the structure of modern technology.

Source: https://www.darkreading.com/application-security/owasp-highlights-supply-chain-risks-new-top-10