Insights & Updates on Application Security

What 22 Years of OWASP Top 10 Really Tells Us About AppSec

Written by Bruce Fram | Dec 10, 2025 6:30:00 PM

The OWASP Top 10 just dropped its 2025 release candidate, and if you're expecting revolutionary changes, you'll be disappointed. Or relieved, depending on how you look at it.

Dave Wichers, co-founder of the OWASP Top 10, joined us recently to discuss what's actually changed over 22 years. The punchline? Not as much as you'd think.

Watch the webinar here. 

The Numbers Tell a Story

Broken Access Control remains #1 for 2025, affecting 3.73% of tested applications across the 40 CWEs mapped to the category, according to the OWASP Foundation's release candidate. It has been the top issue since 2021. SQL injection? Still around after two decades, now rolled into the broader Injection category at #5.

The 2025 list analyzed data from over 2.8 million applications, the largest dataset ever compiled for this benchmark. Security Misconfiguration jumped from fifth to second place, now affecting 3.00% of applications.

What Actually Changed

Two new categories made the cut:

  • Software Supply Chain Failures (A03) — expanded from just "vulnerable components" to your entire build-deploy chain
  • Mishandling of Exceptional Conditions (A10) — because apparently we still don't handle errors properly

Dave's observation from the webinar nails it: these threats evolve slowly. The basic coding mistakes that created vulnerabilities in 2003 are still creating vulnerabilities today.
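To make that point concrete, here is an added example (not code from the webinar, the speakers, or the OWASP project) showing two of the oldest mistakes on the list, SQL built by string concatenation and an object lookup with no ownership check, next to their fixes. The invoice table, the user names and the in-memory SQLite database are constructed for the demo; nothing here comes from a real application.

```python
"""Two 2003-era coding mistakes that still produce OWASP Top 10 findings in 2025.

Added example, not code from the webinar or OWASP. The invoices table, the user
names and the `current_user` parameter are constructed for this demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding two users' invoices (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 120), (2, "bob", 980), (3, "alice", 45)],
    )
    return conn


# --- A05 Injection: the caller-controlled value becomes part of the SQL text ---

def find_invoices_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: `owner` is spliced into the query, so it can rewrite the WHERE clause."""
    sql = f"SELECT id, amount FROM invoices WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def find_invoices_fixed(conn: sqlite3.Connection, owner: str) -> list:
    """Fixed: bound parameter; the value is data and can never change the query's structure."""
    return conn.execute(
        "SELECT id, amount FROM invoices WHERE owner = ?", (owner,)
    ).fetchall()


# --- A01 Broken Access Control: authenticated is not the same as authorised ---

def get_invoice_vulnerable(conn: sqlite3.Connection, current_user: str, invoice_id: int):
    """Vulnerable: any logged-in user reads any invoice by guessing its id (an IDOR).

    `current_user` is accepted but never consulted, which is the whole bug.
    """
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_fixed(conn: sqlite3.Connection, current_user: str, invoice_id: int):
    """Fixed: the ownership condition is part of the query itself, so it cannot be skipped."""
    row = conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()
    if row is None:
        # Deny by default, and do not reveal whether the id exists for someone else.
        raise PermissionError("invoice not found or not owned by the current user")
    return row


if __name__ == "__main__":
    db = make_db()
    payload = "alice' OR '1'='1"
    print(find_invoices_vulnerable(db, payload))   # all three rows, not just alice's
    print(find_invoices_fixed(db, payload))        # []
    print(get_invoice_vulnerable(db, "alice", 2))  # (2, 'bob', 980): alice reads bob's invoice
    try:
        get_invoice_fixed(db, "alice", 2)
    except PermissionError as exc:
        print("denied:", exc)
```

Neither fix is novel, and that is the point: a parameterised query and a query that carries the ownership predicate were the right answer in 2003, and the same two functions still separate a finding from a non-finding today.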

The AI Angle Everyone's Missing

Here's what struck me during our conversation: AI is generating approximately one billion lines of committed code daily (just from Cursor alone, as of six months ago). Based on what we've seen with customers, that code isn't secure.

SAST and DAST tools will find the flaws. But who's fixing them? Not your developers — they're too busy shipping features. The economics don't work for manual remediation when you're looking at $5,000-$20,000 per fix and 200+ days to resolution.

Dave predicts that in five years, AI-generated code will have dramatically lower vulnerability density. Maybe. But we need solutions for the code being written today, not 2030.

What Actually Matters

The webinar revealed something useful: SAST tools have been the automation solution for 20 years, but they generate overwhelming false positives. AI can triage those results with 97% accuracy and generate actual working fixes, not just guidance.

The supply chain category in 2025 isn't just about using outdated npm packages. It's about hardening your entire development toolchain — from the developer workstation through CI/CD to production. That means integrity checks everywhere, not just dependency scanning.
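As an added example of what an integrity check at the CI step looks like (this is not the webinar's or OWASP's code), the script below audits an npm package-lock.json against the tarballs a build actually fetched: it flags entries with no `integrity` hash, entries resolved from a host outside an allow-list, and tarballs whose bytes no longer match the pinned SRI digest. The package names, the registry allow-list and the tarball contents are all constructed for the demo.

```python
"""Audit an npm lockfile against what the build actually fetched.

Added example, not code from the webinar or the OWASP project. The lockfile,
the registry allow-list and the tarball bytes below are constructed for the demo.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Hosts a build is allowed to pull from (assumption: an internal mirror would be added here).
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def sri_sha512(data: bytes) -> str:
    """Digest in the form npm writes to package-lock.json: 'sha512-' + base64(raw digest)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def check_lockfile(lock: dict, fetched: dict) -> list:
    """Return findings; an empty list means every dependency is pinned, allowed and unmodified.

    lock:    parsed package-lock.json with a lockfileVersion 3 'packages' map
    fetched: package path -> tarball bytes the build pulled for that entry
    """
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        resolved = entry.get("resolved")
        integrity = entry.get("integrity")

        if resolved is None:
            findings.append(f"{path}: no resolved URL")
        else:
            host = urlparse(resolved).hostname
            if host not in ALLOWED_REGISTRY_HOSTS:
                findings.append(f"{path}: resolved from unexpected host {host}")

        if integrity is None:
            # With no hash to check, the install trusts whatever the registry serves.
            findings.append(f"{path}: no integrity hash")
            continue
        if not integrity.startswith("sha512-"):
            findings.append(f"{path}: integrity algorithm is not sha512")
            continue

        data = fetched.get(path)
        if data is None:
            findings.append(f"{path}: pinned but never fetched")
            continue
        # Constant-time compare; a mismatch means the tarball differs from what was pinned.
        if not hmac.compare_digest(sri_sha512(data), integrity):
            findings.append(f"{path}: integrity mismatch")
    return findings


# Constructed sample: one well-pinned package and one an attacker could swap at will.
GOOD_TARBALL = b"pad-utils-1.0.2 tarball bytes (constructed)"
EVIL_TARBALL = GOOD_TARBALL + b" + injected postinstall script"

SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"pad-utils": "1.0.2", "colorize": "2.4.0"}},
        "node_modules/pad-utils": {
            "version": "1.0.2",
            "resolved": "https://registry.npmjs.org/pad-utils/-/pad-utils-1.0.2.tgz",
            "integrity": sri_sha512(GOOD_TARBALL),
        },
        "node_modules/colorize": {
            "version": "2.4.0",
            "resolved": "https://mirror.example.net/colorize/-/colorize-2.4.0.tgz",
            # no "integrity" key: the install will accept whatever mirror.example.net serves
        },
    },
}


if __name__ == "__main__":
    builds = {
        "honest build": {"node_modules/pad-utils": GOOD_TARBALL},
        "tampered build": {"node_modules/pad-utils": EVIL_TARBALL},
    }
    for label, fetched in builds.items():
        print(label, check_lockfile(SAMPLE_LOCK, fetched))
```

`npm ci` already verifies the `integrity` field when one is present; what it will not tell you is which entries have no such field at all, or which ones resolve to a host you never intended to trust. Those are the gaps a lockfile audit in CI is there to close, and the same pattern (pinned digest, allow-listed source, constant-time comparison) applies to base images, build tools and CI actions just as much as to npm packages.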

Bottom Line

The OWASP Top 10 drives the industry. When a category gets added, vendors pivot. Training programs update. Audit checklists expand.

For 2025, the message is clear: basic access control is still broken, misconfiguration is exploding, and your supply chain needs serious attention. These aren't new problems — they're persistent ones that automation can actually solve.

The data from 22 years proves threats evolve slowly. That's good news if you're building an AppSec program, because you're not chasing new vulnerabilities every quarter. It's bad news if you think the problem will magically disappear.

Read the full OWASP Top 10 2025 Release Candidate and decide where automation fits in your strategy.


About the Speakers: Dave Wichers co-founded the OWASP Top 10 project in 2003 and led it for 15 years. Bruce Fram is CEO of AppSecAI, focused on results-based application security automation.

Want to learn more? Check out our book, The AI Security Advantage, available now!