Author: Roman Arutyunov, Co-Founder and SVP Products, Xage Security
The Open Worldwide Application Security Project (OWASP) has released its latest Top 10 Application Security Risks for 2025, the first major update since 2021. The new list reflects how modern software development, supply chains, and cloud environments have evolved, with some familiar threats persisting and new ones emerging.
Broken Access Control
Still ranked #1, as it was in 2021, Broken Access Control remains the most prevalent and damaging risk. OWASP notes that “100% of applications tested were found to have some form of broken access control.”
Access control ensures users can only perform actions permitted by their role or privileges. When these controls fail, attackers can view, modify, or delete data, or perform operations outside their authorization. Common vulnerabilities defined by OWASP include:
- Excessive permissions: Violating the principle of least privilege by granting too much access.
- Bypassing controls: Manipulating URLs, parameters, or API requests to access restricted areas.
- Insecure direct object references (IDOR): Changing an identifier to access another user’s data.
- Unprotected APIs: Missing access controls for critical methods such as POST, PUT, or DELETE.
- Privilege escalation: Acting as an admin or user without proper authentication.
- Token manipulation: Tampering with JSON Web Tokens, cookies, or other session data to elevate access.
- Cross-Origin Resource Sharing misconfiguration: Allowing unauthorized domains to access APIs.
- Force browsing: Guessing URLs to reach privileged or unauthenticated pages.
To prevent these vulnerabilities from being exploited, adopt a “deny by default” policy, granting access only when necessary. This aligns with Zero Trust principles, such as just-in-time and just-enough access, to minimize the potential impact of compromised credentials or misconfigurations.
Organizations should also implement Privileged Access Management (PAM) solutions to granularly control admin access and credentials, ensuring that elevated permissions are tightly managed, monitored, and limited to only what is required.
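As an added illustration of the IDOR and deny-by-default points above (example code written for this page, not code from the article or from Xage Security), the following Python module shows a vulnerable object-lookup handler beside a hardened one. The invoice store, user roles, permission table and function names are constructed for the example; a real application would back them with its own database and policy engine.

```python
"""Deny-by-default authorization for an object-access handler.

Added example, not from the original article. The in-memory INVOICES
store, the User roles and the PERMISSIONS table are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: invoices keyed by id, each owned by one user.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 75.5},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin" in this example


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


def fetch_invoice_vulnerable(user: User, invoice_id: int) -> Optional[dict]:
    """IDOR: the id from the request is used directly with no ownership
    check, so any authenticated user can read any invoice by changing it."""
    return INVOICES.get(invoice_id)


# Explicit allow-list of (role, action) pairs. Anything not listed is denied,
# which is the "deny by default" posture: a new role or action grants nothing
# until someone adds a line here.
PERMISSIONS = {
    ("customer", "invoice:read_own"),
    ("admin", "invoice:read_own"),
    ("admin", "invoice:read_any"),
}


def is_allowed(user: User, action: str) -> bool:
    """Deny by default: only tuples present in PERMISSIONS are allowed."""
    return (user.role, action) in PERMISSIONS


def fetch_invoice_secure(user: User, invoice_id: int) -> dict:
    """Look the invoice up, then check the caller's right to this specific
    object. Fails closed with Forbidden, and returns the same error for
    'not found' and 'not yours' so the endpoint does not leak valid ids."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden("invoice not accessible")
    if invoice["owner"] == user.name and is_allowed(user, "invoice:read_own"):
        return invoice
    if is_allowed(user, "invoice:read_any"):
        return invoice
    raise Forbidden("invoice not accessible")


def can_read(user: User, invoice_id: int) -> bool:
    """True if the hardened handler returns the object, False if it denies."""
    try:
        fetch_invoice_secure(user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User("alice", "customer")
    bob = User("bob", "customer")
    admin = User("root", "admin")
    # The vulnerable handler lets bob read alice's invoice; the secure one does not.
    print(fetch_invoice_vulnerable(bob, 101))
    print(can_read(bob, 101), can_read(alice, 101), can_read(admin, 101))
```

The design point is that the hardened handler checks the caller against the specific object, not just against the endpoint: being logged in and knowing an id is never sufficient, and an unknown role (one that nobody has added to the allow-list) gets nothing.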
Security Misconfiguration
Rising from #5 in 2021 to #2 in 2025, Security Misconfiguration has overtaken cryptographic failures as a leading source of compromise. OWASP reports that “100% of tested applications contained at least one misconfiguration.”
A security misconfiguration occurs when systems, applications, or cloud environments are set up incorrectly, creating exploitable gaps for attackers. According to OWASP, common causes include:
- Missing or improper security hardening and permission settings.
- Unnecessary features left enabled, such as open ports, test accounts, or services.
- Default accounts or passwords still active.
- Overly verbose error messages that expose stack traces or system details.
- Disabled or insecure settings after upgrades.
- Backward compatibility prioritized over secure configurations.
- Insecure default settings in servers, frameworks, or libraries.
- Missing or misconfigured security headers.
To follow best practices, establish a repeatable configuration hardening process for all environments, including development, QA, and production, with automated deployment and environment-specific credentials. This ensures consistent, locked-down configurations that can be replicated securely.
However, even when the process is designed well, cracks can still develop over time due to drift, human error, or rapid changes in the environment. Utilizing an overlay proxy with policy-based granular controls that apply automatically provides an important additional defense mechanism. It ensures security policies remain enforced continuously, even when configurations weaken or gaps emerge.
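To make the misconfiguration list concrete, here is an added Python audit script (written for this page, not the article's or Xage Security's code) that checks a deployment's response headers and runtime settings against a small hardening baseline and shows a weak configuration beside its corrected form. The baseline, the default-credential list and the two sample configurations are constructed for illustration; a real baseline would be derived from the organization's own hardening standard.

```python
"""Audit HTTP response headers and app settings against a hardening baseline.

Added example, not from the original article. REQUIRED_HEADERS, LEAKY_HEADERS,
DEFAULT_CREDENTIALS and the WEAK_*/HARDENED_* samples are constructed.
"""
from typing import Dict, List, Tuple

# Security headers that must be present, each with a predicate on its value.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: len(v.strip()) > 0,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
}
# Headers that advertise implementation details (server/framework versions).
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
# Constructed list of well-known default credentials to flag if still active.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
# Features that should not be enabled outside development.
UNNECESSARY_FEATURES = {"directory_listing", "test_endpoint"}


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing, weak or information-leaking header."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    for name, ok in REQUIRED_HEADERS.items():
        if name not in lower:
            findings.append(f"missing header: {name}")
        elif not ok(lower[name]):
            findings.append(f"weak header value: {name}={lower[name]!r}")
    for name in sorted(LEAKY_HEADERS):
        if name in lower:
            findings.append(f"information leak: {name}={lower[name]!r}")
    return findings


def audit_settings(settings: Dict[str, object]) -> List[str]:
    """Flag debug mode, default accounts and unnecessary features."""
    findings: List[str] = []
    if settings.get("debug"):
        findings.append("debug mode enabled: stack traces exposed to clients")
    for user, pw in settings.get("accounts", []):  # type: ignore[union-attr]
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append(f"default credentials active: {user}")
    for feature in settings.get("enabled_features", []):  # type: ignore[union-attr]
        if feature in UNNECESSARY_FEATURES:
            findings.append(f"unnecessary feature enabled: {feature}")
    return findings


def audit(headers: Dict[str, str], settings: Dict[str, object]) -> List[str]:
    """Full audit: an empty list means the deployment meets the baseline."""
    return audit_headers(headers) + audit_settings(settings)


# Constructed sample: a weak deployment (versions leaked, debug on, default
# admin account, directory listing enabled, protective headers missing).
WEAK_HEADERS = {
    "Server": "Apache/2.4.1 (Unix)",
    "X-Powered-By": "PHP/7.2",
    "X-Frame-Options": "ALLOWALL",
}
WEAK_SETTINGS: Dict[str, object] = {
    "debug": True,
    "accounts": [("admin", "admin")],
    "enabled_features": ["directory_listing"],
}

# The same deployment after hardening.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
HARDENED_SETTINGS: Dict[str, object] = {
    "debug": False,
    "accounts": [("ops", "<unique-secret-from-vault>")],  # placeholder, not a real value
    "enabled_features": [],
}

if __name__ == "__main__":
    for finding in audit(WEAK_HEADERS, WEAK_SETTINGS):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_HEADERS, HARDENED_SETTINGS))
```

Running the audit in CI against each environment (dev, QA, production) is one way to catch the drift the paragraph above describes: a configuration that passed at deployment time but has since been loosened shows up as a new finding rather than as a silent gap.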
Software Supply Chain Failures
A newcomer to the list, Software Supply Chain Failures reflect today’s growing dependency on third-party code, libraries, and build tools. Modern development pipelines often include hundreds of components, any of which can become a vector for compromise. These failures occur when vulnerabilities or malicious changes are introduced during building, distributing, or updating software. Common risk indicators noted by OWASP include:
- Not tracking component versions or transitive dependencies.
- Using outdated or unsupported systems and libraries.
- Failing to scan for vulnerabilities or subscribe to security advisories.
- Lack of change management or version tracking in CI/CD and repositories.
- Missing supply chain hardening and access control.
- No separation of duties, allowing unchecked code deployment.
- Using untrusted sources for components or packages.
- Delayed patching and slow upgrade cycles.
- Compatibility testing skipped after applying updates.
- Insecure CI/CD pipelines with weaker security controls than production.
Visibility, automation, and timely patching are essential, but they are not enough. Even with strong hygiene, implementing a Zero Trust approach provides an additional safeguard by isolating systems and enforcing deny-by-default policies. This limits the blast radius of a compromise, especially in large, distributed environments that include OT or IoT systems, where patching may lag.
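As an added example for the supply-chain indicators above (code written for this page, not from the article or from Xage Security), the following Python checker reads a pip-style requirements file and flags the hygiene gaps OWASP lists: dependencies not pinned to an exact version, dependencies without a content hash, packages pulled from an index that is not on the approved list, direct URL dependencies that bypass the index entirely, and pinned versions that appear in an advisory table. The approved index URL, the advisory table, the sample requirements text and its hash values are all constructed; the checker assumes one requirement per line (no backslash continuations).

```python
"""Supply-chain hygiene checks for a pip-style requirements file.

Added example, not from the original article. APPROVED_INDEXES, ADVISORIES
and SAMPLE_REQUIREMENTS (including its placeholder hashes) are constructed.
Assumes one requirement per line.
"""
import re
from typing import Dict, List, Set

# Constructed allow-list of package indexes the organization permits.
APPROVED_INDEXES: Set[str] = {"https://pypi.example-corp.internal/simple"}
# Constructed advisory table: package name -> versions known to be affected.
ADVISORIES: Dict[str, Set[str]] = {"leftpad-utils": {"1.0.0", "1.0.1"}}

INDEX_RE = re.compile(r"^--(?:extra-)?index-url[= ]\s*(\S+)")
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;]+)?")


def check_requirements(text: str) -> List[str]:
    """Return one finding per hygiene gap; an empty list means all clear."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        index = INDEX_RE.match(line)
        if index:
            if index.group(1) not in APPROVED_INDEXES:
                findings.append(f"line {lineno}: unapproved index {index.group(1)!r}")
            continue
        if line.startswith("-"):
            # -r/-c/-e and other options: not expanded by this checker.
            findings.append(f"line {lineno}: option not checked {line.split()[0]!r}")
            continue
        if "://" in line.split()[0]:
            # VCS or URL dependencies bypass the index and its hash checks.
            findings.append(f"line {lineno}: direct URL dependency {line.split()[0]!r}")
            continue
        match = REQ_RE.match(line)
        if not match:
            findings.append(f"line {lineno}: unparseable requirement {line!r}")
            continue
        name, op, version = match.group(1).lower(), match.group(2), match.group(3)
        if op != "==":
            findings.append(f"line {lineno}: {name} is not pinned to an exact version")
        if "--hash=sha256:" not in line:
            findings.append(f"line {lineno}: {name} has no sha256 hash")
        if op == "==" and version in ADVISORIES.get(name, set()):
            findings.append(f"line {lineno}: {name}=={version} has a known advisory")
    return findings


# Constructed sample file. The sha256 values are placeholders, not real digests.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.example-corp.internal/simple
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=1.26
leftpad-utils==1.0.1 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
--extra-index-url https://pypi.org/simple
git+https://github.com/example-org/somepkg.git
pyyaml==6.0.1
"""

if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

A check like this belongs in the CI pipeline, run on every change to the manifest, so that an unpinned or unhashed dependency is rejected before it reaches the build rather than discovered after deployment. The hash requirement is what turns "we know which version we wanted" into "we know which bytes we installed", which is the property that protects against a tampered package served under a legitimate version number.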
OWASP’s 2025 Top 10 highlights a consistent truth: many of today’s most critical security risks come from persistent weaknesses such as misconfigurations, poor access controls, and unmanaged dependencies.
Organizations that integrate Zero Trust architectures, automate security configuration, and maintain strong supply chain governance will be better equipped to stay resilient against the evolving threat landscape.