guisso guisso
Select language
PT EN
Open navigation menu
Home Blog Projects Talks Books Tags
PT

Article

OWASP Top 10 Update

Top 10:2025 is not just a list. It reflects how misconfigurations, supply chain, exception handling, and operational failures are breaking real businesses.

1,896 words 10 min
  • owasp
  • top10
  • appsec

The industry is not losing only to “bugs”. It is losing to engineering and operations: configuration, pipelines, dependencies, API access control, poorly handled exceptions, and systems that fail in unsafe ways.

2021 Categoria
A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server-Side Request Forgery (SSRF)
2025 Categoria
A01 Broken Access Control
A02 Security Misconfiguration
A03 Software Supply Chain Failures new
A04 Cryptographic Failures
A05 Injection
A06 Insecure Design
A07 Authentication Failures
A08 Software or Data Integrity Failures
A09 Security Logging & Alerting Failures
A10 Mishandling of Exceptional Conditions new

What changed in 2025

Two new categories + one consolidation

The focus is more on root cause than symptom.

  • A03:2025 Software Supply Chain Failures NEW: expands the old “vulnerable/outdated components” scope to the entire ecosystem (dependencies, build, distribution, updates, CI/CD, IDEs, and more).
  • A10:2025 Mishandling of Exceptional Conditions NEW: puts a spotlight on what engineering often pushes into generic “quality” work: fail-open flows, bad rollbacks, inconsistent states, data leakage in errors/logs, and broken recovery paths.
  • SSRF was absorbed into A01:2025 Broken Access Control: instead of treating SSRF as an isolated bug class, Top 10 emphasizes the SSRF scenarios that cross trust boundaries and become unauthorized access.

Misconfiguration is now Top 2, and this is the most interesting change

A02:2025 Security Misconfiguration moved up to #2 in the official list.

My read: OWASP is saying clearly that the easiest/default path is still insecure in many technologies.

With AI and agile software delivery, standing up systems got faster. But:

  • If the framework/library ships with insecure defaults, AI only scales the damage.
  • If hardening is complex, verbose, and not visual (for example Kubernetes + endless YAML), teams will “just make it work” and move on.

The risk here is not developer ignorance. It is ecosystem design. If delivery speed keeps increasing, “shift left” alone is not enough. The whole ecosystem must move toward Secure by Design.

Top 10:2025 is closer to an operating model than a vulnerability list

Look at the signals:

  • Supply Chain became a dedicated category and ranked high.
  • Exceptional Conditions became a dedicated category.
  • Logging & Alerting remains, but the text doubles down on a chronic issue: alert fatigue and weak playbooks.

This is OWASP talking directly to dev and AppSec: scanner + backlog is not enough; you have to change how software is produced.

My opinionated read with examples and countermeasures

I will cover each category with:

  • What it is
  • How it appears in the real world
  • 1-2 examples (CVE / well-known attacks)
  • What I would do in fintech, which is my current context.

A01 Broken Access Control

What it is: any flaw that lets a user/service act outside what it should do: read, change, delete, transact, or call functions without proper authorization.

How it appears: BOLA/IDOR in APIs, forced browsing, inconsistent authorization rules, frontend-only checks, unprotected admin endpoints, permissive CORS, long-lived JWTs, and more.

Examples:

What I would do in fintech:

  • Centralized and reusable authorization (internal standard/library/middleware).
  • Business rules as domain boundaries, not scattered if statements in controllers.
  • Rate limiting per identity and per sensitive operation.
  • Threat modeling for authn/authz and critical flows (payments/transfers/withdrawals) with a lightweight and repeatable process. Suggestion: Threat Modeling Express

A02 Security Misconfiguration

What it is: the stack is running, but insecurely: open permissions, no hardening, unnecessary features enabled, weak defaults, missing headers, verbose errors, public cloud shares, etc.

How it appears: Kubernetes/Ingress/NetworkPolicy YAML mistakes, over-permissive IAM to “avoid blockers”, public storage, debug mode in production, exposed admin consoles, and rapid-enable features.

Examples:

What I would do in fintech (where teams gain speed with security):

  • Golden paths and internal templates so the default path starts secure.
  • Policy-as-code for IaC to block obvious bad patterns at PR time.
  • Repeatable and automated hardening (not manual checklists).
  • For developer maturity, hands-on training like Dojo Shield: https://github.com/topics/dojo-shield

A03 Software Supply Chain Failures NEW

What it is: failure in how software is built, distributed, or updated.

This is where one of the biggest modern nightmares lives. Developers are trapped between:

  • endless Dependabot/SCA backlog,
  • increasing malicious packages (npm, PyPI, etc.),
  • and increasingly complex CI/CD chains.

Examples:

Other references worth reading (because they show waves, not isolated cases):

What I would do in fintech (and what I would not do):

  • I would not treat supply chain as a ticket queue.
  • I would treat it as a system:
    • Centralized and consumable SBOM.
    • Provenance/signing where it makes sense.
    • Strong duty segregation and CI/CD control.
    • Short-lived tokens, minimum scope, and OIDC where possible (less static secret exposure).

To frame the current wave: recent reports show strong growth in open-source ecosystem malware.

A04 Cryptographic Failures

What it is: failures in crypto usage/implementation, key management, weak TLS, weak password hashing, and unprotected sensitive data.

Examples:

What I would do in fintech:

  • Modern TLS (>= 1.2, and 1.3 where possible), HSTS.
  • Passwords with Argon2/scrypt/bcrypt and strong parameters.
  • Key rotation, KMS/HSM where needed, no keys in plain config.
  • Specialized review for unusual crypto. Custom protocols often become incidents.

A05 Injection

What it is: SQLi, command injection, LDAP injection, SSTI, XSS, and similar classes. Classic and still very alive.

Examples:

What I would do in fintech:

  • Strong typing where possible.
  • Parameterize every query.
  • WAF helps, but it is not the primary control.
  • SAST/DAST focused on critical routes (not only score dashboards).
  • Security testing on exposed flows (uploads, templates, integrations).

A06 Insecure Design

What it is: missing or poorly designed controls. This is not an implementation bug; it is a requirements and defensive architecture gap.

Why this hurts dev teams: product, scalability, and availability concerns naturally dominate implementation work. Attacker mindset and protection patterns are usually stronger in security teams. That mindset can be taught and significantly improve requirement definition and architecture design quality.

Examples:

  • Account recovery based on security questions (weak identity proofing).
  • Abusable business logic (discount/deposit rules), scalper bots, and unexpected state abuse.

OWASP already provides very realistic scenarios (cinema, e-commerce, bots): https://owasp.org/Top10/2025/A06_2025-Insecure_Design/

What I would do in fintech:

  • Lightweight iterative threat modeling during refinement with focus on critical flows and failure states. Preferably together with product teams, as in Threat Modeling Express.
  • Secure pattern catalog (paved road) for common flows: login, reset, transfer, limits, anti-fraud.
  • Misuse cases turned into automated tests (not only documents).
  • Hands-on dojos/training to raise maturity, including Dojo Shield.

A07 Authentication Failures

What it is: weak authentication, missing MFA, poor session expiration, insecure recovery, brute force without rate limit, hardcoded credentials, bypasses, etc.

Examples:

What I would do in fintech:

  • MFA for all admin surfaces, preferably phishing-resistant where appropriate.
  • Consistent session management (timeouts, real logout, short tokens).
  • Rate limiting + anomaly detection + progressive challenge flows.

A08 Software or Data Integrity Failures

What it is: treating artifacts, updates, plugins, serialized data, or externally loaded code as trusted without verification.

A03 covers the whole chain. A08 covers integrity and trust boundaries of what you consume, run, and accept.

Examples:

What I would do in fintech:

  • SLSA plus artifact signing/provenance where possible.
  • Internal “known-good” repository for critical dependencies and strict CI/CD segregation (builder is not sole deployer).
  • Pipeline telemetry and audit as first-class security products.

A09 Security Logging and Alerting Failures

What it is: missing critical logs, bad logging quality, too much noise, no playbooks, or no effective response capability.

This is the least glamorous Top 10 item and often one of the most expensive when it fails.

Examples:

OWASP highlights large-leak scenarios, late notification, and alert fatigue. https://owasp.org/Top10/2025/A09_2025-Security_Logging_and_Alerting_Failures/

What I would do in fintech:

  • Transaction audit with integrity guarantees (append-only where needed).
  • Structured logs with context, without secrets.
  • Fewer alerts, more actionable alerts (playbooks and ownership). Product teams must understand these cases and escalate appropriately to security teams.

A10 Mishandling of Exceptional Conditions NEW

What it is: when systems hit abnormal conditions and fail unsafely: fail-open paths, incomplete rollbacks, inconsistent state, data leaks in errors, or exception-driven bypasses.

This is the most expensive new category for fintech because it touches:

  • multi-step transactions,
  • messaging,
  • idempotency,
  • compensation logic,
  • and the nightmare of “it failed in the middle, now what?”.

Examples (representative):

  • Rollback failure in transactions can produce corrupted state and fraud.
  • Feature flag or external service becomes critical dependency, then someone proposes permissive fallback “to keep business running”.
  • Cloudflare outage (2019): great example of exceptional condition handling (heavy regex in WAF rules) becoming operational DoS, and why engineering must design limits and failure modes. https://blog.cloudflare.com/details-of-the-cloudflare-outage-on-july-2-2019/

OWASP provides realistic scenarios here as well (resource-leak DoS, error data leaks, state corruption in transactions). https://owasp.org/Top10/2025/A10_2025-Mishandling_of_Exceptional_Conditions/

What I would do in fintech:

  • Define secure failure as a requirement (fail-closed by default for sensitive flows).
  • Chaos testing with security assertions: “when X fails, Y does not open”.
  • Observability that can detect error patterns as attack signals.
  • Threat modeling for both happy paths and failure paths.
  • Disaster recovery modeling with explicit attacker mindset.

OWASP:

Supply chain and ecosystem malware waves:

Practical internal execution: