OWASP Highlights Supply Chain Risks in New Top 10
Summary
OWASP published its 2025 Top 10, the first major update since 2021, shifting focus from classic coding flaws to systemic risks across the software lifecycle. The update elevates security misconfiguration to second place, introduces a broader “Software Supply Chain Failures” category and adds “Mishandling of Exceptional Conditions”. OWASP based the list on community input and analysis of roughly 220,000 CVEs mapped to 589 CWEs. The overall message: security is less about isolated bugs and more about design, configuration, pipelines and supply chain visibility.
Key Points
- OWASP’s 2025 Top 10 emphasises systemic and supply chain risks rather than only code-level defects.
- Security misconfiguration rose to #2, reflecting the prevalence of configuration-driven failures in modern applications.
- “Vulnerable and Outdated Components” was expanded and retitled to “Software Supply Chain Failures”, highlighting dependency and distribution risks.
- A new category, Mishandling of Exceptional Conditions, covers error-handling and logic flaws tied to abnormal states.
- Injection and cryptographic failures ranked lower than in 2021, indicating progress on traditional coding issues, while supply chain issues show high impact despite fewer recorded occurrences.
- OWASP analysed ~220,000 CVEs and 589 CWEs to inform the update, but notes testing gaps around supply chain weaknesses.
- Some experts welcomed the change, while others criticised the list for not emphasising production-stage attacks enough.
Content Summary
OWASP’s 2025 Top 10 reframes application security as a continuum that spans design, implementation, CI/CD pipelines and production. The organisation consulted the community and large CVE/CWE datasets to reprioritise risk categories. Supply chain failures — now a broad third-place category — were elevated because of high exploit and impact scores, even though they appear less frequently in analysed data, a gap OWASP attributes to testing limitations.
Security misconfiguration climbed three spots to #2, underscoring how configuration complexity and defaults lead to compromise. Traditional categories such as injection and cryptographic failures dropped in rank, signalling that many organisations have improved defences for classic coding errors. The update also adds attention to exceptional-condition handling, bringing errors, logic flaws and abnormal-state handling into the Top 10 view.
Industry commentators say the new list pushes teams to look beyond patching vulnerabilities and towards managing the systemic conditions that produce them. Critics argue the update could do more to spotlight production-targeted attacks and operational monitoring gaps.
Context and Relevance
This update matters because modern development practices — microservices, heavy use of OSS, CI/CD pipelines and cloud configuration — increase the attack surface outside the code itself. Organisations that only focus on code scanning will miss many high-impact weaknesses that manifest through supply chains, misconfigurations or poor error handling. The OWASP shift aligns with wider industry trends emphasising supply chain security, secure-by-design practices and operational resilience.
For security teams, the practical implications are to extend visibility from repositories through CI/CD to production, tighten dependency management, bake security into design and configurations, and prioritise testing that can surface supply chain weaknesses.
Why should I read this?
Short answer: because if you work on apps, devops or secops, this changes where you should spend your effort. OWASP just told us to stop chasing only code bugs and to start tracking the whole delivery chain — so read it if you want to avoid getting surprised by a third-party library, a pipeline misstep or a messy config. We read it so you don’t have to — but seriously, skim the full Top 10 if this is your remit.
Author style
Punchy: This is a wake-up call. OWASP’s move is significant for defenders — it elevates supply chain and systemic design as first-class risks. If you manage application security programmes, treat this as essential reading: it shifts prioritisation and signals where board-level risk conversations will move next.
