OWASP Top 10 (2025) vs 2021: What Changed—and How to Respond with Cobalt PTaaS

OWASP has published the Top 10:2025 (Release Candidate), introducing two new categories, one consolidation, and a stronger emphasis on root causes over symptoms. The 2025 list is: A01 Broken Access Control, A02 Security Misconfiguration, A03 Software Supply Chain Failures, A04 Cryptographic Failures, A05 Injection, A06 Insecure Design, A07 Authentication Failures, A08 Software or Data Integrity Failures, A09 Logging & Alerting Failures, A10 Mishandling of Exceptional Conditions.

For reference, the 2021 Top 10 included: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, Server-Side Request Forgery (SSRF).

Read the official 2025 RC1 introduction here: OWASP Top 10:2025 — Introduction.


What’s new in 2025 (at a glance)

  • Two new/expanded categories
    • A03: Software Supply Chain Failures — an expansion of 2021’s Vulnerable and Outdated Components that reflects risk across dependencies, build systems, and distribution infrastructure. It shows fewer occurrences in testing data but high exploitability and impact in CVE data, and the community survey rated it a top concern.
    • A10: Mishandling of Exceptional Conditions — a new umbrella for error handling, logical errors, fail-open behaviors, and related abnormal-condition weaknesses (24 CWEs).
  • One consolidation and two renames
    • SSRF (A10 in 2021) is rolled into A01 Broken Access Control for 2025.
    • A09 is renamed Logging & Alerting Failures (was Security Logging and Monitoring Failures) to stress actionable alerting.
    • A07 becomes Authentication Failures (was Identification and Authentication Failures).
  • Rank shifts
    • Security Misconfiguration jumps from #5 (2021) to #2 (2025) as config-driven behavior proliferates.
  • Methodology tweaks
    • Continued data-informed + community-survey approach (to balance what testing currently detects against emerging risk).
    • CWEs per category are capped (up to 40; 248 CWEs in total across the 10 categories in 2025). The focus is deliberately on root causes for better training and remediation.

2025 vs. 2021: What this means for security teams

  1. Supply chain testing moves to the front row. 2025 elevates systemic risk across dependency graphs and build pipelines, not just outdated libraries. Expect more scrutiny on SBOM accuracy, build hardening, and artifact signing.
  2. Config becomes code—and a top risk. With A02 Security Misconfiguration rising to #2, treat IaC and product config as first-class security code.
  3. Alerting outcomes matter. Renaming A09 stresses that logs without alerts don’t drive action. Tie detections to on-call runbooks.
  4. Access control is still #1—now absorbing SSRF cases where trust boundaries are bypassed. Authorization testing across APIs, microservices, and data layers is non-negotiable.
  5. Exceptional-conditions resilience graduates to the Top 10. Treat error paths and fail-open logic as testable attack surface, not edge cases.
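To make point 5 concrete, here is an added example (not code from the original post, from Cobalt, or from OWASP) that contrasts a fail-open authorization check with a fail-closed one when the policy backend is unavailable. The policy store, the user and resource names, and the outage switch are constructed for illustration; the point is that the error path of an A01 control is itself an A10 weakness, and that the hardened version surfaces the failure as an event that A09 alerting can act on.

```python
"""Fail-open vs. fail-closed authorization under an exceptional condition.

Added example, not from the original post. The policy store, user ids and
resource ids are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class PolicyStoreUnavailable(Exception):
    """Raised when the authorization backend cannot be reached."""


@dataclass
class PolicyStore:
    # Constructed sample data: which users may read which resources.
    grants: Dict[str, Set[str]] = field(default_factory=lambda: {
        "alice": {"doc-1", "doc-2"},
        "bob": {"doc-2"},
    })
    # Flip to False to simulate an outage (timeout, connection refused, ...).
    healthy: bool = True

    def allowed(self, user: str, resource: str) -> bool:
        if not self.healthy:
            raise PolicyStoreUnavailable("policy backend timed out")
        return resource in self.grants.get(user, set())


# Stand-in for structured security logging routed to an alert channel (A09).
SECURITY_EVENTS: List[dict] = []


def log_security_event(kind: str, **fields) -> None:
    SECURITY_EVENTS.append({"event": kind, **fields})


def can_read_fail_open(store: PolicyStore, user: str, resource: str) -> bool:
    """Vulnerable pattern (A10): the exception is swallowed and a default of
    'allow' is returned, so an outage in the policy store grants access to
    every caller. The code looks like ordinary 'don't break the app' logic."""
    try:
        return store.allowed(user, resource)
    except PolicyStoreUnavailable:
        return True


def can_read_fail_closed(store: PolicyStore, user: str, resource: str) -> bool:
    """Hardened pattern: any abnormal condition on the authorization path
    results in denial, and the failure is recorded so it can be alerted on
    instead of silently changing the access decision."""
    try:
        return store.allowed(user, resource)
    except PolicyStoreUnavailable as exc:
        log_security_event("authz_backend_error", user=user,
                           resource=resource, error=str(exc))
        return False


def exercise(check: Callable[[PolicyStore, str, str], bool]) -> dict:
    """Runs one authorization function against a healthy store and then an
    outage, and returns the decisions, the way a test of the error path would."""
    store = PolicyStore()
    results = {
        "healthy_alice_doc1": check(store, "alice", "doc-1"),
        "healthy_bob_doc1": check(store, "bob", "doc-1"),
    }
    store.healthy = False
    # bob has no grant on doc-1; only the outage can change this answer.
    results["outage_bob_doc1"] = check(store, "bob", "doc-1")
    return results


if __name__ == "__main__":
    print("fail-open  :", exercise(can_read_fail_open))
    print("fail-closed:", exercise(can_read_fail_closed))
    print("events     :", SECURITY_EVENTS)
```

Both functions agree while the backend is healthy, which is why a test suite that never simulates the outage will not distinguish them; the third case is the one a pentester probing A10 would try to reach, and the hardened version is the one whose event should show up in the on-call channel.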

How Cobalt PTaaS helps you navigate the 2025 changes

Pentest-as-a-Service (PTaaS) pairs expert human pentesters with a delivery platform so you can launch quickly, collaborate in real time, push fixes into your SDLC, and re-test on demand—turning OWASP guidance into measurable closure.

  • Map tests to the 2025 Top 10
    • A03 Supply Chain: target artifact signing, CI/CD secrets, dependency confusion, package-repo trust, and SBOM gaps.
    • A02 Misconfiguration: harden cloud/IaC baselines, authz policies, CORS, headers, TLS, storage controls, and environment toggles.
    • A01 Broken Access Control (+ SSRF): exercise BOLA/IDOR, multi-tenant boundaries, pre-/post-auth endpoints, and SSRF-style egress paths.
    • A09 Logging & Alerting: verify detections fire (and reach the right channel) when pentesters trigger meaningful events.
    • A10 Exceptional Conditions: probe error paths, fail-open logic, race conditions, and boundary handling.
  • Real-time teamwork → faster remediation
    Chat with testers in-platform, request PoCs, and push findings to Jira/Azure DevOps/ServiceNow with owners and due dates.
  • Prove it’s fixed
    Click Re-test on closed items to validate controls (e.g., an SSRF egress rule, a new WAF policy, or an alert route) and export audit-ready evidence for leadership.
  • From point-in-time to continuous
    Set a cadence—quarterly or always-on—for the hottest 2025 risks (supply chain, misconfig, authz). That catches drift faster than annual tests.
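The two controls named above as re-test candidates, an SSRF egress rule (A01) and an alert route (A09), are what this added example implements; it is not Cobalt platform code and not OWASP reference code. The allowlist, the fake DNS table and the sample URLs are constructed so the check runs offline; the resolver is injectable for the same reason. Every resolved address is checked and any non-global address blocks the fetch, and each block emits a structured event that an alert rule can key on.

```python
"""Egress guard for server-side URL fetches (A01 incl. SSRF) that emits an
alertable event when a request is blocked (A09).

Added example, not from the original post or from Cobalt. Allowlist,
DNS table and URLs below are constructed for illustration.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hosts the application is designed to call (constructed allowlist).
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}
# Stand-in for structured security logging routed to an alert channel.
ALERTS: List[dict] = []

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> List[str]:
    """Resolves a hostname to all of its addresses using real DNS. Not used
    by the offline demonstration below."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(ip: str) -> bool:
    """True for any address that is not globally routable: loopback, private
    (RFC 1918 / ULA), link-local (which covers cloud metadata endpoints),
    multicast, reserved and unspecified addresses."""
    return not ipaddress.ip_address(ip).is_global


def check_egress(url: str, resolver: Resolver = default_resolver) -> Optional[str]:
    """Returns None if the URL may be fetched, else a short reason string.
    Resolution happens here, not in the HTTP client, so a host that maps to
    one public and one internal address is still rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "scheme"
    if parts.username or parts.password:
        return "credentials-in-url"
    host = parts.hostname
    if not host:
        return "no-host"
    if host not in ALLOWED_HOSTS:
        return "host-not-allowlisted"
    try:
        addrs = list(resolver(host))
        internal = any(is_internal(a) for a in addrs)
    except (socket.gaierror, ValueError):
        return "resolution-failed"      # abnormal condition: fail closed
    if not addrs:
        return "resolution-failed"
    if internal:
        return "resolves-to-internal"
    return None


def fetch_guarded(url: str, resolver: Resolver = default_resolver) -> bool:
    """Gate placed in front of the real HTTP client. A block produces the
    event a detection rule should key on; when a pentester triggers an
    SSRF-style probe, this is what must reach the on-call channel."""
    reason = check_egress(url, resolver)
    if reason is not None:
        ALERTS.append({"event": "ssrf_egress_blocked", "url": url, "reason": reason})
        return False
    return True     # the real client call would go here


# Constructed DNS table; addresses are public samples, the second host also
# resolves to a private address to mimic a rebinding-style mixed answer.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "cdn.example": ["104.18.0.1", "10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ["https://api.partner.example/v1/report",
              "https://cdn.example/asset.png",
              "http://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd",
              "https://user:pw@api.partner.example/"]:
        ok = fetch_guarded(u, fake_resolver)
        print(u, "->", "allowed" if ok else "blocked: " + ALERTS[-1]["reason"])
```

Re-testing this control means more than confirming the allowlist: the mixed-answer host and the resolver failure are the cases that separate a guard checking resolved addresses from one that only inspects the hostname string, and the `ssrf_egress_blocked` event is the thing to verify actually reaches the alert route.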
