Here's a question that might surprise you: After 22 years of OWASP Top 10 guidance, how many of the original 2003 vulnerabilities remain fundamentally unchanged?
The answer is three. Just three out of ten.
Buffer overflows? Gone from the list. Application denial of service? Dropped. But broken access control, injection flaws, and security misconfiguration? Still on the list in 2025 and still showing up in breach reports, with broken access control holding the #1 spot.
This evolution tells a story about what actually works in application security, and what doesn't.
On December 4th, we're hosting a discussion with someone uniquely positioned to decode these patterns: Dave Wichers, co-founder of the OWASP Top 10 project and its leader for 15 years. Dave also created the OWASP Benchmark Project and recently collaborated with AppSecAI on our Python Benchmark contribution to the community.
This isn't a vendor pitch or product demo. Dave will share his perspective on the data, methodology, and trends he's observed across two decades of vulnerability analysis.
We'll explore what the persistence of certain risk categories reveals about the fundamental challenges in application security.
The Historical Context: From "Unvalidated Input" in 2003 to "Software Supply Chain Failures" in 2025, we'll trace how expanding trust boundaries reshaped our security priorities. The shift from defensive coding to defensive systems design reflects how much more complex, and more dependent on third-party code, the applications we build have become.
The Data Behind the Changes: Why did some vulnerabilities disappear while others persist? The patterns reveal important insights about what security interventions actually work at scale versus what remains stubbornly resistant to traditional approaches.
The Economics Reality: Our CEO, Bruce Fram, will discuss how automated remediation aligns with the realities the Top 10 reveals, particularly as vulnerability backlogs continue growing faster than teams can triage them. When SQL injection fixes still consume weeks of developer time in 2025, something needs to change.
Looking Forward: The Top 10 reflects what the industry's testing tools and programs have actually been able to find in recent years, so it lags the current threat landscape. Understanding the historical patterns helps security teams anticipate where testing needs to evolve next, and where traditional manual approaches create impossible economics.
As security leaders finalize 2026 budgets and strategies, this historical perspective provides valuable context for investment decisions. Which approaches have proven their worth over decades? Where are the persistent gaps that new technologies might finally address?
Dave's insights will help you plan as AI and automation reshape what's possible in application security.
Date: December 4, 2025
Time: 12:00 PM Eastern
Duration: 30 minutes + Q&A
Format: Live discussion with Q&A
Cost: Free
We'll record the session, but the live Q&A is where the real insights emerge. Bring your questions about OWASP methodology, historical trends, or how current data might inform future security strategies.
This conversation builds on our commitment to community contribution over competition. Just as our Python Benchmark work with Dave advances the entire field, this discussion aims to benefit all application security practitioners, regardless of their current tool choices.
Sometimes the best way to plan for the future is understanding what we've learned from the past. Join us on December 4th for that conversation!
About the Speakers: Dave Wichers co-founded the OWASP Top 10 project in 2003 and led it for 15 years. Bruce Fram is CEO of AppSecAI, focused on results-based application security automation.
Want to learn more? Check out our book, The AI Security Advantage, available now!