Our predictions for the 2025 OWASP top 10

Security Thoughts

The OWASP Top 10 is the go-to list for understanding the most critical web security risks. It’s updated every few years – and we think some big changes are coming.

Why the OWASP Top 10 matters

The OWASP Top 10 is an industry benchmark for the most critical security risks to web applications. Updated every few years by the Open Worldwide Application Security Project (OWASP), it shapes how organisations and developers think about secure coding, design, and threat modelling. It also helps guide prioritisation during security assessments and scopes for testing engagements.

In the 2021 update, we saw some significant changes - with Broken Access Control taking the top spot and Cryptographic Failures replacing Sensitive Data Exposure. Now, with OWASP announcing an update for late summer or early autumn 2025, we’re looking ahead at what might change next.

How the selection process works

Before each OWASP Top 10 update, calls for data are posted on OWASP’s website and social channels. The final list is shaped by two sources:

  1. Statistical data from organisations - typically submitted from testing vendors, bug bounty platforms, and security consultancies. These datasets inform eight of the ten risks.
  2. Community survey results - reflecting perceived risk and emerging threats from security and development professionals. The top two community-voted risks not already represented in the statistical data are added to the list.

Key stages in the process

  1. Initial Selection – CWEs (Common Weakness Enumeration) are pulled from previous lists, recent high-profile incidents, and near misses.
  2. Initial Vetting – A draft list is published for community review and feedback.
  3. Community Survey – Security professionals vote on their top concerns.
  4. Final Review – Survey and statistical data are merged to determine the final Top 10.

OWASP uses the CWE framework to evaluate each risk, considering factors like exploitability, prevalence, detectability, and impact. The process is documented transparently.

How we made our predictions

Our predictions are grounded in real-world trends we see across the projects we work on, the tools we use, and the vulnerabilities we test every day. This includes hands-on experience, insights from recent breaches, and the impact of emerging software paradigms like serverless, low-code platforms, and LLM-powered applications.

Based on where the threat landscape is heading and how modern software is built, here’s what we expect in the 2025 OWASP Top 10:

1. Broken access control

Expect this to remain at or near the top. It continues to be one of the most exploited issues, with flaws like IDOR, privilege escalation, and improper authorisation checks still common in both traditional and API-first architectures.
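To make the IDOR pattern concrete, here is an added illustration (not code from the article or from Zoonou's own tooling) of an invoice lookup that only checks that the record exists, beside a hardened version that makes the authorisation decision per object from the caller's server-side identity. The users, invoice ids and amounts are constructed sample data.

```python
# Added example: an IDOR-style broken access control flaw next to its fix.
# All users, invoice ids and amounts below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin"


# Constructed sample store: invoice_id -> (owner_user_id, amount_pence)
INVOICES = {
    1001: (1, 4999),
    1002: (2, 12500),
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_insecure(user: User, invoice_id: int) -> dict:
    """Vulnerable: the only check is that the invoice exists.

    Any authenticated user can iterate invoice ids and read other
    customers' invoices, because the id is taken from the request and
    never tied back to the caller's identity.
    """
    owner_id, amount = INVOICES[invoice_id]
    return {"invoice_id": invoice_id, "owner_id": owner_id, "amount_pence": amount}


def get_invoice_secure(user: User, invoice_id: int) -> dict:
    """Hardened: authorise per object using the server-side identity.

    The ownership check happens on every request, and a missing record and
    a record belonging to someone else produce the same error so the
    endpoint does not confirm which ids exist.
    """
    record = INVOICES.get(invoice_id)
    if record is None:
        raise Forbidden("not found or not permitted")
    owner_id, amount = record
    if user.role != "admin" and owner_id != user.user_id:
        raise Forbidden("not found or not permitted")
    return {"invoice_id": invoice_id, "owner_id": owner_id, "amount_pence": amount}


def can_read(user: User, invoice_id: int) -> bool:
    """Convenience wrapper: True if the hardened handler would serve the invoice."""
    try:
        get_invoice_secure(user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User(user_id=1, role="customer")
    # The insecure handler happily serves user 2's invoice to user 1.
    print(get_invoice_insecure(alice, 1002))
    # The hardened handler refuses it.
    print(can_read(alice, 1002), can_read(alice, 1001))
```

The point worth noticing is that the fix is not input validation on `invoice_id`; it is a per-request, per-object authorisation check against an identity the client cannot influence, which is the same control a test for IDOR looks for whether the endpoint is a classic form handler or a JSON API.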

2. Vulnerable and outdated components

This category will likely stay but may be renamed or split. We anticipate a new focus on Software Supply Chain Vulnerabilities - spotlighting risks in third-party libraries, containers, and CI/CD pipelines. Incidents like Log4Shell and npm ecosystem attacks have brought this into sharp focus.

3. Unsafe AI and LLM integration

AI is no longer experimental - LLMs are now part of real-world apps, from customer support bots to internal tooling. Risks like prompt injection, insecure plugin access, and overreliance on model output are becoming more common.

OWASP has already published a Top 10 for LLM Applications, but we expect OWASP may introduce a new category focused specifically on the risks of integrating LLMs within traditional web applications.

4. Insecure design and logging/monitoring consolidation

These two categories may be merged, reflecting a shared theme: lack of proactive and reactive security controls. Whether it's poor design of security features or missing telemetry, the result is the same - vulnerabilities that go undetected or unprevented.

5. API security issues - standalone or highlighted across risks

As modern apps increasingly rely on APIs, familiar risks like Broken Access Control and Insecure Design are being exploited through API-specific attack patterns. The OWASP API Top 10 already calls out threats like BOLA and excessive data exposure - and we’re seeing these regularly in real-world testing.

We expect OWASP may either elevate API security to a dedicated category or integrate API-specific concerns more explicitly into the core Top 10, reflecting their central role in today’s web applications.

6. Cryptographic failures - evolving scope

In addition to encryption flaws, we’re seeing misuse of JWTs, poor key handling, and weak client-side crypto. OWASP may expand this category to reflect these nuances and newer cryptographic standards.

Key trends we're seeing

Working across a broad range of industries - from fintech APIs and ecommerce sites to government platforms and internal tools - we’re observing clear shifts:

  • API-first architectures are the new normal, but access control and input validation are often inconsistent. These gaps introduce new variants of familiar vulnerabilities and increase the risk of exploitation.
  • Cloud-native misconfigurations are on the rise. Open S3 buckets, overly permissive IAM roles, and exposed Kubernetes dashboards are recurring issues. While currently grouped under Security Misconfiguration, future OWASP updates may break these out into more specific categories.
  • AI integration is accelerating. LLMs and other models are no longer just prototypes — they’re powering production systems. The risks are real and growing. Prompt injection, excessive permissions, insecure plugin access, and over-reliance on model output are already being exploited in the wild.
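The open bucket problem in the cloud-native bullet above is usually a policy statement that grants access to an anonymous principal. As an added illustration (not code from the article or from Zoonou's own tooling), the function below walks a bucket policy document and flags `Allow` statements whose `Principal` is `"*"` or `{"AWS": "*"}`, noting whether a `Condition` is present. The policy document is constructed; the check is a heuristic for triage, not a full IAM evaluator, since a Condition may or may not actually restrict access.

```python
# Added example: flag bucket policy statements that grant access to everyone.
# The policy document below is constructed for illustration.
import json

# Constructed sample bucket policy with three statements.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "AppRoleWrite",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "VpcOnlyList",
            "Effect": "Allow",
            "Principal": {"AWS": ["*"]},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})


def _as_list(value) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (in any list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in _as_list(principal.get("AWS")))
    return False


def find_public_allows(policy_document: str) -> list[dict]:
    """Return a finding for each Allow statement addressed to everyone.

    Each finding records the Sid, the granted actions and whether the
    statement carries a Condition, so unconditional grants can be triaged
    first and conditional ones reviewed by hand.
    """
    policy = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "conditional": "Condition" in stmt,
        })
    return findings


def unconditional_public_sids(policy_document: str) -> list[str]:
    """The subset that should be treated as an exposed bucket until proven otherwise."""
    return [f["sid"] for f in find_public_allows(policy_document) if not f["conditional"]]


if __name__ == "__main__":
    for finding in find_public_allows(SAMPLE_POLICY):
        print(finding)
    print("unconditional:", unconditional_public_sids(SAMPLE_POLICY))
```

Run against exported bucket policies, the unconditional list is the one to act on immediately; the conditional list still deserves a look, because a condition keyed on something an attacker controls does not make a grant private.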

What should developers and security teams do?

Even though the OWASP Top 10 is only updated every few years, threats evolve continuously. Teams can’t afford to wait for formal updates to start adapting. Treat emerging risks like AI misuse, API misconfigurations, and supply chain attacks as real threats today, not just once they are added to the list.

Use the OWASP Top 10 as a guide, not a checklist. It's a great starting point, but you should also reference the OWASP ASVS, API Top 10, and LLM Top 10 to build a more complete picture of risk across your technology stack.

For tailored support, explore our Cyber security services.

My final thoughts

We’re expecting some shifts in the next OWASP Top 10 - from AI and API security to supply chain risks and a possible rethink of insecure design. But you don’t need to wait for the official list to act.

Stay ahead, not reactive. Track emerging threats, embed secure design early, and use OWASP as a guide rather than a definitive checklist. And if you need support navigating these challenges, don’t hesitate to get in touch with us for expert pen testing and security guidance.

Published by Chris Horridge
