Your security team is fielding findings from multiple scanners, developers are drowning in false positives, and somewhere in that noise are the vulnerabilities that will actually get exploited. The Open Web Application Security Project (OWASP) provides the industry with a shared, data-backed vocabulary for identifying vulnerabilities and how to fix them. Founded in 2001 as a global non-profit, OWASP makes security knowledge that might otherwise remain locked inside large corporations or expensive consulting engagements accessible.
TLDR:
- OWASP is a global non-profit that publishes open security standards, tools, and guidance. The OWASP Top 10 is its most widely referenced output.
- The Top 10 is built from real-world vulnerability data across thousands of applications and updated when the threat surface warrants it, most recently in 2021 and 2025.
- The 2025 edition puts Broken Access Control at #1, promotes Security Misconfiguration to #2, and introduces Software Supply Chain Failures at #3.
- The EU Cyber Resilience Act's reporting obligations start in September 2026. Four of the top five OWASP 2025 risks map directly to the controls the CRA requires.
- Traditional SAST catches predictable categories such as Injection and Cryptographic Failures, but misses business-logic flaws, broken authorization chains, and design-level vulnerabilities. ZeroPath's AI-native analysis covers the hard cases.
What are OWASP and the OWASP Top 10 web application security risks?
Founded in 2001, OWASP is a global non-profit that makes application security knowledge publicly available. Beyond the Top 10, OWASP maintains a broader toolkit: ZAP for active scanning, the Cheat Sheet Series for implementation guidance, and intentionally vulnerable apps like WebGoat and Juice Shop for hands-on practice. When security teams reference "OWASP," they almost always mean the Top 10.
The OWASP Top 10 has expanded from a ranked list into the closest thing the industry has to a shared standard for web application security risk.
- Based on real-world vulnerability data collected from thousands of applications.
- Includes insights from industry experts about new threats.
- Provides actionable solutions, beyond descriptions of issues.
Real vulnerability data, expert threat context, and concrete remediation guidance in one place: that combination lets security teams spend time on what actually gets exploited.
OWASP Top 10 (2021 edition)
| ID | Name | Issue | Key risks | Top prevention | New in 2021 |
|---|---|---|---|---|---|
| A01 | Broken Access Control | Access control fails, letting attackers act outside their permitted authority | | | No |
| A02 | Cryptographic Failures | Improper encryption exposes sensitive data in transit or at rest | | | No |
| A03 | Injection | Untrusted data reaches an interpreter without validation or escaping | | | No |
| A04 | Insecure Design | Architectural flaws are baked in before any code is written | | | Yes |
| A05 | Security Misconfiguration | Security controls are misconfigured across the stack, from infra to frameworks | | | No |
| A06 | Vulnerable and Outdated Components | Components with known CVEs or no active maintenance running in production | | | No |
| A07 | Identification and Authentication Failures | Weak identity verification or broken authentication state management | | | No |
| A08 | Software and Data Integrity Failures | Code and infrastructure skip integrity checks on updates and CI/CD pipelines | | | Yes |
| A09 | Security Logging and Monitoring Failures | Security events go unlogged or unmonitored, extending attacker dwell time | | | No |
| A10 | Server-Side Request Forgery (SSRF) | App fetches remote resources without validating user-supplied URLs | | | Yes |
OWASP Top 10 and other security standards
NIST, CIS, and ISO 27001 handle enterprise-wide security controls. The OWASP Top 10 fills the gap they leave open: application-specific technical risks, ranked by real-world prevalence, with concrete remediation guidance attached.
The relationship is symbiotic, not competitive:
- NIST frameworks cover enterprise-wide security controls, with OWASP providing detailed guidance on application-specific implementations
- CIS Controls create broad security practices, with OWASP deepening the technical guidance for web applications
- ISO 27001 creates management system requirements, with OWASP informing the technical controls
OWASP Top 10 2025: what changed and why it matters
The OWASP Top 10 2025 was officially released in November 2025, with structural updates reflecting changes in the threat surface since 2021. We put together a detailed comparison of the 2021 and 2025 lists.
The key changes:
- Broken Access Control holds at #1, with SSRF folded into the category instead of standing alone at #10
- Security Misconfiguration jumps from #5 to #2, driven by how much modern application behavior now depends on configuration
- Software Supply Chain Failures enters at #3, expanding the old Vulnerable and Outdated Components category to cover the full dependency, build system, and distribution pipeline
- Cryptographic Failures drops from #2 to #4; Injection falls from #3 to #5
- Mishandling of Exceptional Conditions is a new entry at #10, covering improper error handling and logic errors that allow systems to fail open
- OWASP maintains a separate Top 10 for LLMs, handling AI-specific risks outside the core web application list

We also have a detailed guide on using LLMs securely for coding.
OWASP Top 10: what the 2025 assessment data shows
The OWASP Top 10 2025 is grounded in prevalence data from real application assessments, and the numbers behind the rankings are worth knowing. Broken Access Control appeared in 100% of applications tested for the 2025 edition, making it the most universal risk in the list's history. Security Misconfiguration also appeared in 100% of the tested applications, with an average incidence rate of 3%, explaining its jump from fifth to second place.
Supply chain risk is outpacing annual list updates. In 2025, supply chain attacks doubled, running at roughly 26 incidents per month. The $1.5 billion Bybit theft and the GlassWorm campaign (which pushed malicious code through auto-updating VS Code extensions) both fit squarely within Software Supply Chain Failures (A03). CVE volume is trending upward: 48,244 CVEs were published in 2025, up 20.4% from 2024's 40,077.
AI-generated code is adding exposure that existing tooling wasn't built to catch. AI-authored code still produces the same vulnerability classes as human-authored code (Injection, Broken Access Control, and Cryptographic Failures among them), but arrives at higher volume and often without the reviewer familiarity that catches obvious mistakes.
OWASP and the EU Cyber Resilience Act in 2026
OWASP's framework is gaining regulatory weight. The EU's Cyber Resilience Act (CRA), which entered into force in December 2024, requires manufacturers of software products to show cybersecurity due diligence across the full product lifecycle. Starting September 2026, reporting obligations for actively exploited vulnerabilities and severe incidents will apply to products already on the EU market.
The overlap with OWASP Top 10 controls is direct. Broken Access Control, Security Misconfiguration, Injection, and Software Supply Chain Failures (four of the top five risks in the OWASP Top 10 2025) align closely with the CRA's mandatory cybersecurity requirements. Teams that ship software to EU customers and haven't addressed these controls now face compliance exposure on top of security risk.
The practical takeaway: OWASP Top 10 coverage is becoming a documentation requirement. Tracking which controls your application handles and which remain open will matter when the CRA's full application date arrives in December 2027.
From OWASP Top 10 to fixed: how ZeroPath covers the hard cases
The OWASP Top 10 tells you what to look for. Whether your tooling can actually find it is a different question.
Pattern-matching SAST handles categories in which vulnerabilities follow predictable syntax. Injection (A05), Cryptographic Failures (A04), and Security Misconfiguration (A02) are well-covered by rule-based scanners. Software Supply Chain Failures (A03) is largely a dependency inventory problem. These are the categories in which traditional tools produce results, even if the false-positive rate makes those results painful to triage.
The harder categories are where rule-based engines break down. Broken Access Control (A01) is the most exploited vulnerability class in the OWASP Top 10 and the hardest to catch statically: authorization logic is spread across middleware, route handlers, service layers, and database queries. A rule that fires on a single call site misses the chain. Insecure Design (A06) is harder still. By definition, it exists before a line of code is written. No pattern matcher catches a rate-limiting gap or a missing ownership check that was never implemented in the first place.
ZeroPath's AI-native analysis approaches these differently. Instead of matching patterns against individual call sites, it builds a software property graph that maps data flow, authorization boundaries, and trust relationships across the full codebase. That lets it catch broken authorization chains that span multiple files, flag missing ownership checks in service layers, and surface business logic flaws that only become visible when you understand what the code is supposed to do. Findings arrive in the PR with a proposed patch, not in a backlog for a developer to interpret later.
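The "missing ownership check" and "chain spread across layers" problem described above, as an added illustration that is not ZeroPath's code or the page's own: a constructed three-layer document lookup where the middleware only authenticates, the vulnerable service layer assumes that was enough (Broken Access Control), and the hardened service layer enforces object-level authorization and fails closed when the ownership lookup itself errors (the fail-open case the 2025 list's Mishandling of Exceptional Conditions entry names). All names and data here are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two owners, one read-only share.
DOCS = {
    "doc-1": {"owner": "alice", "body": "alice's notes"},
    "doc-2": {"owner": "bob", "body": "bob's notes"},
}
SHARES = {"doc-2": {"carol"}}  # doc-2 is shared read-only with carol


class Forbidden(Exception):
    pass


@dataclass
class Request:
    user: Optional[str]  # set by authentication middleware; None if anonymous
    doc_id: str


# Repository layer: knows nothing about who is asking.
def repo_load(doc_id):
    return DOCS[doc_id]  # raises KeyError for an unknown id


# Service layer, vulnerable: trusts that "middleware already authenticated".
# Any logged-in user can read any document by changing doc_id (A01).
def service_get_vulnerable(req):
    return repo_load(req.doc_id)["body"]


# Object-level authorization, deny by default. An error during the check
# (unknown id, backend failure) returns False so the caller fails closed.
def is_authorized(user, doc_id, shares=SHARES):
    try:
        doc = repo_load(doc_id)
        return user == doc["owner"] or user in shares.get(doc_id, set())
    except Exception:
        return False


# Service layer, hardened: the ownership check lives where the data is read,
# so no route handler can forget it.
def service_get_hardened(req):
    if req.user is None or not is_authorized(req.user, req.doc_id):
        raise Forbidden(f"{req.user!r} may not read {req.doc_id}")
    return repo_load(req.doc_id)["body"]


# Route handler layer: the middleware only proved *who* the caller is.
def handle_get(req, service):
    if req.user is None:  # authentication, not authorization
        return 401, ""
    try:
        return 200, service(req)
    except Forbidden:
        return 403, ""
```

A single-call-site rule sees nothing wrong in either handler; the defect is that `service_get_vulnerable` never consults ownership, which is only visible when the handler, service and repository are read as one chain.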

ZeroPath detects and patches findings across Broken Access Control (A01), Security Misconfiguration (A02), Software Supply Chain Failures (A03), Cryptographic Failures (A04), Injection (A05), Authentication Failures (A07), and Software or Data Integrity Failures (A08). For Insecure Design (A06), ZeroPath's AI reasoning detects logic-level flaws that rule-based tools cannot, though design-level threat modeling still requires an architectural review. See how ZeroPath benchmarks against Snyk, Semgrep, and Bearer.
Try ZeroPath on your repo to see what AI-native analysis finds that your current scanner missed.
Final thoughts on OWASP Top 10 coverage
You can audit your codebase against the OWASP Top 10 manually, or you can use tooling that actually finds the vulnerabilities before attackers do. The list gives you the map, but execution comes down to whether your scanner can detect broken access control in your authorization middleware and catch SSRF when the URL comes from three layers of indirection. ZeroPath's AI-native analysis builds a software property graph across the full codebase, so it catches the broken authorization chains and logic-level flaws that pattern-matching SAST misses, and delivers a proposed patch in the PR instead of a finding in a backlog.
FAQ
What vulnerabilities can traditional SAST tools not detect that are covered in the OWASP Top 10?
Pattern-matching tools miss Insecure Design (A04), business logic flaws, and architectural vulnerabilities because they can't reason about design intent or cross-module authorization flows. ZeroPath's AI-native analysis understands code behavior beyond syntax, catching these gaps that OWASP flagged as critical enough to add in 2021.
Is the OWASP Top 10 a compliance standard?
No. It's a ranked awareness document, not a certifiable standard. That said, regulators increasingly reference it. The EU Cyber Resilience Act's mandatory cybersecurity requirements map directly to several OWASP Top 10 2025 categories, so coverage is becoming a de facto compliance input even if it isn't a formal checklist item.
How often does the OWASP Top 10 update?
There's no fixed release cadence. Updates occur when enough new vulnerability data and community consensus warrant changes. The 2021 edition followed the 2017 list, and the 2025 edition followed 4 years later. Major structural changes (like new categories or repositioned risks) signal real movements in the threat environment.
What's the difference between the OWASP Top 10 2021 and 2025?
The 2025 list keeps Broken Access Control at #1 but folds SSRF into that category instead of listing it separately. Security Misconfiguration jumps to #2, Software Supply Chain Failures enters at #3 as an expanded take on the old Vulnerable Components category, and Mishandling of Exceptional Conditions debuts at #10. OWASP also now maintains a separate Top 10 for LLMs outside the core list.
Does the OWASP Top 10 cover API security?
The core Top 10 covers web application risks that apply to APIs: Broken Access Control, Injection, and Security Misconfiguration are all highly relevant to API surfaces. OWASP maintains a separate API Security Top 10 that goes deeper into API-specific risks such as Broken Object-Level Authorization and Excessive Data Exposure.
Can ZeroPath scan for all OWASP Top 10 vulnerabilities?
ZeroPath covers the categories where code-level analysis is effective: Broken Access Control (A01), Security Misconfiguration (A02), Software Supply Chain Failures (A03), Cryptographic Failures (A04), Injection (A05), Authentication Failures (A07), and Software or Data Integrity Failures (A08). For Insecure Design (A06), ZeroPath's AI reasoning catches a broader set of logic-level flaws than traditional SAST, though design-level threat modeling still requires architectural review.