OWASP Top 10 2025: What Changed and How to Update Your Web App Security Checklist

roelpaulo 5 mins read
Why this update matters now

The OWASP Top 10 is one of the most widely used baselines for web application security. The 2025 edition is worth paying attention to because it does more than reshuffle familiar risks: it adds new categories, expands the scope of software supply chain risk, and puts more emphasis on configuration and failure handling in real production systems.

For teams building modern web apps with frameworks, cloud services, CI/CD pipelines, and large dependency graphs, the changes are practical. They point to the places where secure development programs need to mature in 2026.

What changed in OWASP Top 10 2025

OWASP says the 2025 release includes two new categories and one consolidation, with a stronger focus on root causes instead of symptoms.

  • A03:2025 Software Supply Chain Failures expands the old “vulnerable and outdated components” framing into a broader view of dependency, build, tooling, and distribution risk.
  • A10:2025 Mishandling of Exceptional Conditions is a new category focused on error handling, failing open, resource exhaustion, and broken responses to abnormal states.
  • Server-Side Request Forgery is now folded into A01:2025 Broken Access Control.
  • A02:2025 Security Misconfiguration moved up to the number two spot, reflecting how configuration complexity keeps growing across modern stacks.

1. Supply chain risk is now bigger than dependency patching

One of the most important changes is the expansion of supply chain risk. OWASP now frames it as failures in the process of building, distributing, or updating software, not just the presence of outdated packages.

That matters because web teams increasingly rely on package registries, transitive dependencies, CI/CD pipelines, artifact stores, IDE extensions, cloud build systems, and automated releases. A secure npm install alone is not enough if the rest of the delivery chain is weak.

OWASP recommends practical controls that many teams can act on immediately:

  • maintain a software bill of materials (SBOM)
  • track transitive dependencies, not only direct ones
  • monitor vulnerability feeds and supplier advisories continuously
  • lock down CI/CD, repositories, artifact registries, and developer workstations
  • use staged rollouts instead of shipping updates everywhere at once

If your current process treats supply chain security as a monthly dependency update task, the 2025 guidance is a sign that the scope is too narrow.
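One way to make "track transitive dependencies" concrete is to audit the lockfile you already have. The script below is an added example, not OWASP's or any project's code: it reads a package-lock.json "packages" map (lockfileVersion 2 or 3), separates direct from transitive dependencies, and flags entries that cannot be verified at install time or that resolve from an unexpected host. The sample lockfile, the placeholder hashes and the trusted-host list are all constructed for the example.

```javascript
// Added example: audit a package-lock.json ("packages" map, lockfileVersion
// 2 or 3), split direct from transitive dependencies, and flag entries npm
// cannot verify (no integrity hash) or that resolve over plain http / from an
// unexpected host. The lockfile below is constructed; hashes are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-pad": "^1.3.0", "fast-fmt": "2.0.0" } },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/fast-fmt": { // fetched over plain http from a mirror
      version: "2.0.0",
      resolved: "http://mirror.internal.example/fast-fmt-2.0.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/fast-fmt/node_modules/tiny-util": { // no integrity field
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/tiny-util/-/tiny-util-0.1.0.tgz",
    },
  },
};

const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]); // assumed allow-list

// Name is everything after the last "node_modules/" (handles "@scope/name").
function nameFromKey(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

function auditLockfile(lock, trustedHosts = TRUSTED_HOSTS) {
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const report = { direct: [], transitive: [], findings: [] };
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "") continue; // the root project itself
    const name = nameFromKey(key);
    // A declared dependency installed at the top level counts as direct.
    const isDirect = direct.has(name) && !key.includes("/node_modules/");
    (isDirect ? report.direct : report.transitive).push(`${name}@${entry.version}`);
    if (!entry.integrity) report.findings.push(`${key}: missing integrity hash`);
    if (entry.resolved) {
      const url = new URL(entry.resolved);
      if (url.protocol !== "https:" || !trustedHosts.has(url.hostname))
        report.findings.push(`${key}: untrusted source ${entry.resolved}`);
    }
  }
  return report;
}
```

Against a real project, pass the parsed lockfile instead of SAMPLE_LOCK and fail the CI job when report.findings is non-empty.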

2. Error handling is now explicitly a top-10 security concern

The new category around exceptional conditions is especially relevant for web apps that coordinate APIs, queues, payments, and external services. OWASP highlights issues like uncaught exceptions, poor rollback behavior, leaking sensitive error details, and systems that fail open under stress.

This is a useful shift because these problems often hide in ordinary application code. They can look like “quality” defects until they become security incidents, data leaks, or integrity failures.

For developers, this turns a few engineering habits into security controls:

  • handle failures close to where they occur
  • fail closed during partial or interrupted transactions
  • avoid exposing stack traces and internal state to users
  • centralize logging, alerting, and exception handling patterns
  • add rate limits, quotas, and safe defaults to prevent cascading failures

If you have ever treated error handling as something to “clean up later,” OWASP is now telling you that it belongs in your security checklist.
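The "fail closed" and "no internal details to users" habits above are easiest to see side by side. The code below is an added example, not from OWASP or any named project: the same authorization gate written fail-open, where an outage of the policy service becomes an authorization bypass, and fail-closed, where the failure is logged server-side and the client gets a generic response. lookupPermission, the users, the grants and the auditLog are all constructed stand-ins.

```javascript
// Added example: one authorization gate written fail-open (the A10 defect)
// and fail-closed. lookupPermission stands in for a remote policy service that
// can time out; the users and grants below are constructed for the example.
class PolicyTimeout extends Error {}

function lookupPermission(user, resource, policy) {
  if (policy.unavailable) throw new PolicyTimeout("policy service timed out");
  return Boolean(policy.grants[user] && policy.grants[user].includes(resource));
}

// Defect: an exception from the check is logged and the request continues,
// so an outage of the policy service turns into an authorization bypass.
function handleFailOpen(req, policy) {
  try {
    if (!lookupPermission(req.user, req.resource, policy)) {
      return { status: 403, body: "forbidden" };
    }
  } catch (err) {
    console.error("policy check failed, continuing:", err.message);
  }
  return { status: 200, body: `contents of ${req.resource}` };
}

const auditLog = []; // stand-in for centralized security logging and alerting

// Fixed: access is denied unless the check positively succeeds, the failure
// is recorded server-side, and the client sees only a generic message.
function handleFailClosed(req, policy) {
  let allowed = false;
  try {
    allowed = lookupPermission(req.user, req.resource, policy);
  } catch (err) {
    auditLog.push({ event: "authz_check_error", user: req.user,
                    resource: req.resource, error: err.message });
    return { status: 503, body: "service temporarily unavailable" };
  }
  if (!allowed) {
    auditLog.push({ event: "authz_denied", user: req.user, resource: req.resource });
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: `contents of ${req.resource}` };
}

// Constructed policy data: alice may read /reports/q1; nobody else may.
const POLICY = { grants: { alice: ["/reports/q1"] }, unavailable: false };
const POLICY_OUTAGE = { ...POLICY, unavailable: true };
```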

3. Misconfiguration keeps climbing because stacks keep getting more configurable

Security Misconfiguration moved from fifth place in 2021 to second in 2025. That should not be surprising. Modern web systems are assembled from frameworks, cloud services, reverse proxies, edge settings, feature flags, containers, secrets, and platform policies. More power usually means more ways to ship an insecure default.

OWASP calls out common examples such as unnecessary services, default accounts, insecure framework settings, weak headers, open storage permissions, and overly verbose error responses. In practice, this means hardening cannot live only in documentation. Teams need repeatable setup, automated verification, and environment parity.
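One form that "automated verification" can take is a header baseline check run in CI against a staging deployment. The code below is an added example, not OWASP's or any project's: it scores a response's headers against a baseline and flags version disclosure. The baseline values and both sample responses are constructed for this page.

```javascript
// Added example: a response-header baseline check that can run in CI, so weak
// or missing headers and stack disclosure are caught by automation rather than
// documentation. Baseline thresholds and sample responses are constructed.

// Each check returns true when the header value meets the baseline.
const HEADER_BASELINE = {
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= 31536000; // at least one year
  },
  "content-security-policy": (v) =>
    /default-src/i.test(v) && !/'unsafe-(inline|eval)'/i.test(v),
  "x-content-type-options": (v) => v.toLowerCase() === "nosniff",
  "x-frame-options": (v) => ["deny", "sameorigin"].includes(v.toLowerCase()),
  "referrer-policy": (v) => v.trim().length > 0,
};

// Headers that advertise the stack and should be stripped at the edge.
const DISCLOSURE_HEADERS = ["server", "x-powered-by"];

function auditHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const [name, meetsBaseline] of Object.entries(HEADER_BASELINE)) {
    if (!(name in h)) findings.push(`missing ${name}`);
    else if (!meetsBaseline(h[name])) findings.push(`weak ${name}: ${h[name]}`);
  }
  for (const name of DISCLOSURE_HEADERS)
    if (name in h) findings.push(`version disclosure via ${name}: ${h[name]}`);
  return findings;
}

// Constructed: what a framework's defaults often look like before hardening.
const DEFAULT_RESPONSE = {
  "X-Powered-By": "Express",
  "Strict-Transport-Security": "max-age=300",
  "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
};

// Constructed: the same response after the baseline is applied.
const HARDENED_RESPONSE = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; object-src 'none'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};
```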

A practical 2026 checklist for web teams

If you want to turn the 2025 update into action, start with a short review that touches both application code and delivery infrastructure:

  • Inventory your stack: dependencies, transitive packages, build tools, registries, and deployment targets.
  • Review trust boundaries: who can change code, secrets, builds, and production releases.
  • Audit configuration baselines: remove unused features, verify secure headers, and check cloud permissions.
  • Exercise failure paths: test timeouts, partial writes, retries, rollbacks, and user-facing error behavior.
  • Improve observability: ensure important security events create alerts, not just logs.
  • Stage updates safely: use canaries or phased rollouts for dependency and platform changes.

Even a lightweight pass through this list will usually reveal gaps that are not visible in normal happy-path testing.

Final thought

OWASP Top 10 2025 is a useful reminder that web security is not only about classic input validation bugs. The modern attack surface also includes build systems, configuration drift, and the way applications behave when something goes wrong. Teams that respond to this update well will not just patch faster. They will build delivery pipelines and runtime behavior that are harder to break in the first place.
