Enterprises must reassess their development pipelines to guard against supply‑chain compromises and ensure rigorous access‑control testing. Ignoring these trends exposes organizations to widespread breaches and regulatory penalties.
The OWASP Top 10 remains the de‑facto benchmark for web application risk, shaping security roadmaps across enterprises. Its 2025 edition blends quantitative breach data from nearly three million applications with expert opinion, yielding a list that reflects both historic patterns and emerging threats. While most categories persist, the inclusion of software supply‑chain failures and the elevation of security misconfiguration signal a shift toward protecting the broader development ecosystem, not just the code that runs in production.
Supply‑chain attacks have moved from niche incidents to a mainstream concern, as threat actors target open‑source libraries, CI/CD pipelines, and developer workstations. A compromised dependency can propagate malicious code to thousands of downstream applications, magnifying impact far beyond a single breach. Recent high‑profile incidents—such as the SolarWinds and event‑streaming library compromises—illustrate how attackers exploit trust relationships to insert backdoors, underscoring the urgency for integrity verification, signed artifacts, and zero‑trust principles throughout the build process.
For organizations, the persistence of broken access control at the summit of the list is a stark reminder that custom authorization logic remains a fertile attack surface. Automated testing that simulates multiple user roles, combined with runtime enforcement and continuous monitoring, is essential. Meanwhile, the “next steps” note on AI‑generated code urges developers to treat LLM output as untrusted, demanding thorough review and provenance checks. By integrating supply‑chain safeguards, robust access‑control validation, and disciplined AI code governance, firms can reduce exposure and align with the evolving OWASP guidance.
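As an added illustration of the multi-role authorization testing the article recommends (this is example code, not part of the article or of OWASP's own materials), the following harness drives a resource handler as several principals and reports every response that disagrees with the expected access policy. The invoice records, the `user`/`admin` roles and the two handler variants are all constructed here for demonstration.

```python
# Added example (not from the article): an authorization-matrix test that
# exercises a resource endpoint as several principals and flags any
# response that disagrees with the expected policy. The app, roles and
# records are constructed purely for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # "user" or "admin" (constructed roles)


# Constructed sample records: each invoice belongs to exactly one user.
INVOICES = {"inv-1": {"owner": "alice", "total": 120},
            "inv-2": {"owner": "bob", "total": 75}}


def get_invoice_vulnerable(caller, invoice_id):
    """Checks only that the caller is authenticated: an object-level
    authorization gap (the IDOR pattern behind broken access control)."""
    if caller is None:
        return 401
    return 200 if invoice_id in INVOICES else 404


def get_invoice_fixed(caller, invoice_id):
    """Enforces object-level authorization: the owner or an admin only."""
    if caller is None:
        return 401
    rec = INVOICES.get(invoice_id)
    if rec is None:
        return 404
    if caller.role != "admin" and rec["owner"] != caller.user_id:
        return 403
    return 200


# Expected policy matrix: (principal, object) -> HTTP status. None = anonymous.
ALICE, BOB = Principal("alice", "user"), Principal("bob", "user")
ADMIN = Principal("root", "admin")
EXPECTED = {
    (ALICE, "inv-1"): 200, (ALICE, "inv-2"): 403,  # horizontal boundary
    (BOB, "inv-1"): 403, (BOB, "inv-2"): 200,
    (ADMIN, "inv-1"): 200, (ADMIN, "inv-2"): 200,  # vertical privilege
    (None, "inv-1"): 401, (None, "inv-2"): 401,
}


def run_matrix(handler, expected=EXPECTED):
    """Return a list of (principal, object, got, want) deviations; an empty
    list means the handler matches the policy for every role and object."""
    findings = []
    for (who, obj), want in expected.items():
        got = handler(who, obj)
        if got != want:
            findings.append((who, obj, got, want))
    return findings
```

Running `run_matrix` against both handlers shows the vulnerable one leaking each user's invoice to the other user while passing every anonymous and admin case, which is exactly the class of defect a single-role test suite never sees.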