OWASP officially unveiled the updated 2025 OWASP Top 10 for Web Applications list today at Global AppSec in Washington, DC, marking a significant milestone. This critical update, which sets the standard for web application risk awareness, is the culmination of immense effort by the project co-leads (including Tanya Janca and Neil Smithline, who presented the list), as well as the broader community, which contributed data and expertise.

While the entire list has shifted (soon to be published on the official OWASP Top 10 project page), the biggest headline is the introduction of a new risk landing at #3: A03:2025 Software Supply Chain Failures.
2025 OWASP Top 10 for Web Applications
The evolution of a critical threat to application security
The inclusion of A03:2025 Software Supply Chain Failures in the third spot marks a major shift in how the community views and ranks application security risk. This new category is a necessary evolution of previous, narrower categories:
- 2017: "Using Components with Known Vulnerabilities"
- 2021 (A06:2021): "Vulnerable and Outdated Components"
- 2025 (A03:2025): "Software Supply Chain Failures"
The industry term "software supply chain vulnerability" has become ubiquitous, recognizing that the risk extends far beyond just old third-party libraries. This new category encompasses the entire process of how software is built, integrated, and deployed.
Why software supply chain failures are in the top three
Software supply chain failures moved into the top three risks for web applications because the community overwhelmingly recognizes their growing danger:
- Top-ranked in survey: It was the top-ranked item in the community survey. 100% of respondents ranked it in the top 3, with 50% ranking it as the number one risk.
- Increasing risk and cost: These types of attacks are growing in frequency and are known to be very costly.
We've already seen the devastating real-world impact of these failures, including high-profile incidents such as SolarWinds, the widespread Log4j vulnerability, and the $1.5B Bybit crypto attack.
Where software supply chain failures occur
Software supply chain failures are not confined to a single area. They can take place across your entire development and deployment environment, but we can broadly categorize them into three groups:
Compromises of the software build systems:
So far, these compromises have been less common, but their impact can be devastating: a compromised build system can produce software of verifiable provenance (legitimately built and signed) that nonetheless contains malware and backdoors, with catastrophic effects, as demonstrated by the SolarWinds hack of 2020.
- CI/CD and build servers
- Developer workstations, IDEs, and development environments (could include MCP servers!)
- Imported build automations (e.g., GitHub actions)
Weaknesses in the surrounding application or deployment infrastructure:
Components outside of your application code and build infrastructure can represent a significant risk, as can the third-party APIs your applications communicate with. The best-case scenario might be data loss, but the worst-case scenario can expose your entire cloud infrastructure to compromise.
- APIs / external services integral to your application
- Configuration files, secrets, and Infrastructure as Code (IaC)
Third-party dependencies or platforms:
This category probably represents the most prevalent supply chain risk. New weaknesses in third-party code occur so frequently that it can be challenging to keep up, and they can remain undetected within the application runtime.
- Open source libraries and packages
- Container images
Mitigation: securing the software supply chain
The new ranking serves as a clear call to action. To prevent software supply chain failures, organizations must adopt a holistic security approach:
- Know and monitor your dependencies: Use a Software Composition Analysis (SCA) tool or a Software Bill of Materials (SBOM) to gain visibility into your dependencies and continuously monitor them for vulnerabilities that pose a business risk.
- Harden the entire pipeline: Perform regular hardening across your entire software supply chain.
- Enforce strict access control and auditing: Be extremely careful with access control and auditing across all components of the chain.
- Protect developer access: This is a key vector of attack. Protect developer access, provide necessary training, enforce Multi-Factor Authentication (MFA), apply the principle of least privilege, and monitor for suspicious behavior.
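As an added illustration of the first mitigation above (not code from OWASP or the original post), the following script walks a CycloneDX-style SBOM and flags components whose version falls inside an advisory's affected range. The SBOM fragment, the advisory feed and its advisory ids are all constructed placeholders; a real deployment would pull the feed from a source such as OSV or the GitHub Advisory Database.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment (not a real inventory).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    {"type": "library", "name": "demo-logger", "version": "2.14.1", "purl": "pkg:maven/org.example/demo-logger@2.14.1"},
    {"type": "library", "name": "requests", "version": "2.32.3", "purl": "pkg:pypi/requests@2.32.3"}
  ]
}"""

# Constructed advisory feed: package key -> [(advisory id, first affected, first fixed)].
# The ids are placeholders; real feeds carry the same shape of version-range data.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "pkg:maven/org.example/demo-logger": [("ADV-0001-PLACEHOLDER", "2.0.0", "2.15.0")],
    "pkg:pypi/requests": [("ADV-0002-PLACEHOLDER", "2.0.0", "2.31.0")],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def package_key(purl: str) -> str:
    """Strip version and qualifiers from a purl: pkg:npm/left-pad@1.3.0 -> pkg:npm/left-pad."""
    return purl.split("?")[0].rsplit("@", 1)[0]

def affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (half-open range, as OSV-style feeds use)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def scan_sbom(sbom_text: str, advisories: Dict[str, List[Tuple[str, str, str]]]) -> List[dict]:
    """Return one finding per SBOM component that falls inside an advisory's affected range."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp.get("purl", "")
        for adv_id, introduced, fixed in advisories.get(package_key(purl), []):
            if affected(comp["version"], introduced, fixed):
                findings.append({"purl": purl, "advisory": adv_id, "fixed_in": fixed})
    return findings

if __name__ == "__main__":
    for f in scan_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['purl']}: {f['advisory']} (upgrade to >= {f['fixed_in']})")
```

Running this against a freshly generated SBOM on every build, rather than once at release, is what turns the SBOM from a static inventory into the continuous monitoring the mitigation calls for.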
Get involved!
While the list is final, the work is not! The co-leads are asking the community to help review and edit the draft, and they’re looking for translators.
- Join the OWASP Slack channel #project-top-10 for updates
- Volunteer to translate through the channel #top-10-translations
- Log issues at https://github.com/OWASP/Top10