What is the OWASP Top 10 and why does it matter in 2025?

The OWASP Top 10 is a regularly updated list published by the Open Web Application Security Project that identifies the most critical security risks facing web applications. In 2025, it matters more than ever because cyberattacks are growing in volume and sophistication—IBM's 2024 Cost of a Data Breach report pegged the average breach cost at $4.88 million. Understanding the OWASP Top 10 helps businesses prioritize their security efforts effectively.

How often should a business audit its web applications against the OWASP Top 10?

Ideally, businesses should perform a thorough security audit at least once a year and after every major release or infrastructure change. Continuous automated scanning (DAST/SAST) should complement manual penetration testing. Companies handling sensitive data—e-commerce, healthcare, finance—should consider quarterly reviews.

OWASP Top 10 in 2025: Web Security Risks Every Business Must Know

Why the OWASP Top 10 Still Matters in 2025

Cybercrime costs are projected to reach $10.5 trillion annually by 2025, according to Cybersecurity Ventures. Behind that staggering figure lies a simple truth: the vast majority of successful attacks exploit well-known, well-documented vulnerabilities—precisely the kind catalogued in the OWASP Top 10.

The Open Web Application Security Project (OWASP) is a nonprofit foundation that publishes a consensus-driven list of the most critical web application security risks. First released in 2003, the list is updated every few years based on real-world data from hundreds of organizations. The most recent edition (2021) remains the authoritative reference heading into 2025, with community discussions already shaping the next revision.

Whether you run a PrestaShop e-commerce store, a WordPress corporate site, or a custom SaaS platform hosted on AWS, every one of these risks applies to you. Let’s break them down.

The OWASP Top 10 at a Glance

Below is a quick-reference table before we dive into each category:

#	Risk Category	First Appeared	Key Concern in 2025
A01	Broken Access Control	2004	#1 most common vulnerability
A02	Cryptographic Failures	2004 (as “Sensitive Data Exposure”)	Post-quantum readiness
A03	Injection	2003	Still deadly with NoSQL & ORM
A04	Insecure Design	2021 (new)	Shift-left security
A05	Security Misconfiguration	2004	Cloud sprawl amplifies risk
A06	Vulnerable & Outdated Components	2013	Software supply-chain attacks
A07	Identification & Authentication Failures	2004	Credential stuffing at scale
A08	Software & Data Integrity Failures	2021 (new)	CI/CD pipeline attacks
A09	Security Logging & Monitoring Failures	2017	Mean time to detect: 204 days
A10	Server-Side Request Forgery (SSRF)	2021 (new)	Cloud metadata exploitation

A01 – Broken Access Control

What It Is

Broken Access Control occurs when users can act outside their intended permissions. Think of a regular customer who can access another customer’s order details simply by changing an ID in the URL.

Why It’s #1

OWASP data shows that 94% of applications tested exhibited some form of broken access control. It jumped from #5 in 2017 to the top spot in 2021 and remains there heading into 2025.

Real-World Example

In 2023, a major airline’s loyalty program exposed the personal data of millions of members because the API endpoint /api/user/{id}/profile did not verify that the authenticated user owned that profile. A simple sequential ID enumeration revealed names, emails, and frequent-flyer balances.

Mitigation Tips

Deny access by default; grant permissions explicitly.
Enforce record-level ownership checks on every API endpoint.
Disable directory listing on your web server.
Log and alert on repeated access-control failures.

A02 – Cryptographic Failures

What It Is

Formerly called “Sensitive Data Exposure,” this category focuses on failures related to cryptography—or its absence. Transmitting passwords over HTTP, storing credit card numbers in plaintext, using deprecated hash algorithms like MD5: all qualify.

2025 Spotlight: Post-Quantum Cryptography

With NIST having finalized its first set of post-quantum cryptographic standards in 2024 (FIPS 203, 204, 205), organizations must begin planning crypto-agility strategies. Algorithms like RSA-2048 may become vulnerable to quantum attacks within the next decade.

Quick Checklist

Enforce TLS 1.3 everywhere—no exceptions.
Hash passwords with bcrypt, scrypt, or Argon2id.
Rotate encryption keys on a defined schedule.
Never store sensitive data you don’t actually need.

A03 – Injection

What It Is

Injection flaws—SQL, NoSQL, OS command, LDAP, XPath—occur when untrusted data is sent to an interpreter as part of a command or query. Despite decades of awareness, injection remains in the top 3.

A Concrete Code Example

Consider this vulnerable PHP snippet querying a MySQL database:

// ❌ VULNERABLE — Never do this
$query = "SELECT * FROM orders WHERE id = " . $_GET['order_id'];
$result = mysqli_query($conn, $query);

An attacker could pass order_id=1 OR 1=1 to dump the entire table, or worse, 1; DROP TABLE orders;-- to destroy data.

The secure version uses parameterized queries:

// ✅ SECURE — Use prepared statements
$stmt = $conn->prepare("SELECT * FROM orders WHERE id = ?");
$stmt->bind_param("i", $_GET['order_id']);
$stmt->execute();
$result = $stmt->get_result();

This single change neutralizes the vast majority of SQL injection attacks. At Lueur Externe, every project we deliver—whether on PrestaShop, WordPress, or custom PHP—follows this parameterized-query standard by default.

Modern Injection Vectors

NoSQL Injection: MongoDB queries built from raw JSON input.
ORM Injection: Developers assuming Eloquent or Doctrine are “safe” without validating inputs.
Template Injection: Server-Side Template Injection (SSTI) in Twig, Jinja2, or Handlebars.

A04 – Insecure Design

What It Is

This category, introduced in 2021, highlights flaws that cannot be fixed by perfect implementation because the design itself is flawed. A password-reset flow that sends a 4-digit code with no rate limiting is insecure by design, regardless of how cleanly the code is written.

Shift-Left Security

The industry buzzword for 2025 is “shift left”—integrating security thinking from the very beginning of the software development lifecycle (SDLC). Threat modeling, abuse-case writing, and secure architecture reviews should happen before a single line of code is written.

Practical Steps

Perform threat modeling using STRIDE or PASTA frameworks.
Write abuse stories alongside user stories (“As an attacker, I want to…”).
Establish and reference secure design patterns within your team.

A05 – Security Misconfiguration

What It Is

This is the broadest category: default credentials left in place, unnecessary services running, overly verbose error messages, missing security headers, open S3 buckets—the list goes on.

The Cloud Amplifier

With AWS, Azure, and GCP offering hundreds of configurable services, the attack surface from misconfiguration has exploded. A 2024 study by Qualys found that 60% of cloud workloads had at least one critical misconfiguration.

As an AWS Solutions Architect certified agency, Lueur Externe routinely audits client infrastructures for misconfigurations—from open security groups to overly permissive IAM policies—before they become headlines.

Essential Security Headers

Make sure your web server sends at least these headers:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self';
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()

A06 – Vulnerable and Outdated Components

What It Is

Your application is only as secure as its weakest dependency. Using libraries, frameworks, or CMS plugins with known vulnerabilities is an open invitation to attackers.

The Numbers

The Log4Shell vulnerability (CVE-2021-44228) affected an estimated 93% of enterprise cloud environments.
Synopsys’ 2024 OSSRA report found that 84% of codebases contained at least one known open-source vulnerability.
The average PrestaShop or WordPress site relies on 20-50 third-party plugins or modules, each a potential vector.

What You Can Do

Maintain a Software Bill of Materials (SBOM) for every project.
Use tools like npm audit, composer audit, or Dependabot to automate vulnerability scanning.
Remove unused plugins and modules—they still get loaded, and they still get exploited.
Subscribe to security mailing lists for your CMS (PrestaShop, WordPress core, WooCommerce).

A07 – Identification and Authentication Failures

What It Is

Weak authentication mechanisms enable credential stuffing, brute force attacks, and session hijacking. This category covers everything from allowing weak passwords to improper session management.

2025 Trend: Passkeys and Passwordless

The FIDO Alliance’s passkey standard is gaining rapid adoption. Apple, Google, and Microsoft now support passkeys natively. By eliminating passwords altogether, passkeys neutralize phishing and credential stuffing in one stroke.

Best Practices

Implement multi-factor authentication (MFA) for all privileged accounts.
Enforce minimum password complexity and check against breached-password databases (Have I Been Pwned API).
Set session tokens to expire and rotate after authentication.
Rate-limit login attempts and implement account lockout policies.

A08 – Software and Data Integrity Failures

What It Is

This category addresses assumptions about software updates, critical data, and CI/CD pipelines without verifying integrity. The SolarWinds supply-chain attack of 2020, which compromised 18,000 organizations including US government agencies, is the textbook example.

CI/CD Pipeline Security

If an attacker can inject malicious code into your build pipeline, every deployment you push becomes a weapon. In 2025, securing your pipeline is non-negotiable:

Sign all commits and verify signatures in CI.
Use hash verification for all downloaded dependencies.
Restrict pipeline permissions using the principle of least privilege.
Audit third-party GitHub Actions and CI plugins.

A09 – Security Logging and Monitoring Failures

What It Is

Without adequate logging, you can’t detect breaches. Without monitoring, you can’t respond in time. IBM’s 2024 report found that the average time to identify a breach was 194 days, and another 64 days to contain it. Organizations with robust logging and automated detection reduced that timeline—and their costs—by over 30%.

What to Log

All authentication events (success and failure).
Access control failures.
Server-side input validation failures.
Administrative actions (user creation, permission changes).

What Not to Log

Passwords, tokens, or credit card numbers—ever.
Personally Identifiable Information (PII) unless absolutely necessary and properly secured.

A10 – Server-Side Request Forgery (SSRF)

What It Is

SSRF occurs when a web application fetches a remote resource without validating the user-supplied URL. Attackers exploit this to access internal services, cloud metadata endpoints, or perform port scanning from within your network.

The Cloud Metadata Danger

On AWS, the instance metadata service at http://169.254.169.254 can reveal IAM credentials, instance identity documents, and more. A single SSRF vulnerability can escalate to full cloud account compromise.

Mitigation

Validate and sanitize all user-supplied URLs.
Use allowlists for permitted domains and IP ranges.
Block access to internal IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.x.x) from server-side HTTP clients.
On AWS, enforce IMDSv2 (Instance Metadata Service Version 2) which requires session tokens.

Beyond the Top 10: Emerging Threats in 2025

The OWASP Top 10 is a starting point, not a finish line. Several emerging risks deserve your attention as we move through 2025:

AI-Powered Attacks: Large Language Models are being used to craft more convincing phishing emails, generate polymorphic malware, and automate vulnerability discovery.
API Security: OWASP now maintains a separate API Security Top 10 because APIs have become the primary attack surface for modern applications.
LLM Application Risks: OWASP published its Top 10 for LLM Applications in 2023, covering prompt injection, training data poisoning, and more. If you’re integrating AI into your products, this list is essential reading.
Supply Chain Security: The rise of dependency confusion attacks and compromised package registries means every npm install or composer require is a potential risk vector.

Building a Security-First Culture

Technology alone won’t protect you. The most secure organizations combine robust tooling with a culture where every team member—from the CEO to the junior developer—understands their role in security.

Practical Steps for Any Organization

Train your team: Annual security awareness training is the bare minimum. Developers should receive OWASP-specific training.
Automate scanning: Integrate SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) into your CI/CD pipeline.
Perform regular penetration testing: Automated tools catch the low-hanging fruit; human testers find the business-logic flaws.
Maintain an incident response plan: Know who to call, what to shut down, and how to communicate—before a breach happens.
Partner with experts: Not every company can maintain a full-time security team. Working with a specialized agency like Lueur Externe gives you access to certified expertise in AWS architecture, CMS hardening, and application security without the overhead of building an internal team.

Conclusion: Security Is Not Optional—It’s a Competitive Advantage

The OWASP Top 10 isn’t just a checklist for developers—it’s a business roadmap. Every vulnerability on this list has been exploited in the real world, costing companies millions in breach remediation, regulatory fines, and lost customer trust.

In 2025, the question isn’t if your application will be targeted, but when. The organizations that treat security as a continuous process rather than a one-time checkbox are the ones that survive and thrive.

Whether you need a security audit of your PrestaShop store, a hardening review of your WordPress site, or a comprehensive AWS infrastructure assessment, the team at Lueur Externe has been helping businesses secure their digital presence since 2003.

Don’t wait for a breach to take action. Contact Lueur Externe today for a free initial security consultation and find out where your web applications stand against the OWASP Top 10.