As we stand on the threshold of a new OWASP Top 10 release in 2025, it’s critical to reflect on the enduring impact of the 2021 edition, a list that has shaped how organizations, developers, and security practitioners address web application risks for the past four years.
The OWASP Top 10 has long served as the global standard, regularly updated in response to shifts in attack techniques, development practices, and emerging technologies. The 2021 update marked a significant evolution: introducing new categories like Insecure Design, consolidating others (such as merging Cross-Site Scripting into Injection), and responding to mounting risks in software supply chains and cloud-native application stacks.
Many of the risks highlighted then have been amplified by the rapid adoption of APIs, the explosion of AI-driven applications, and the ongoing open-source revolution. And as the threat landscape continues to evolve in 2025, assessing the ongoing relevance and real-world consequences of the 2021 OWASP Top 10 offers vital lessons for building modern, resilient, and secure systems.
The OWASP Top 10 has served as the industry’s standard awareness document for web application security, guiding development practices and risk management strategies worldwide. Released in 2021, its foundational categories remain the springboard for understanding and defending against today’s (2025) ever-evolving threats, especially as API-centric architectures, AI-driven tools, and supply chain risks continue to accelerate and reshape modern attack surfaces.
In 2021, broken access control was the most frequently observed risk, enabling attackers to exploit improper enforcement of permissions and gain unauthorized access or perform privileged actions.
This remains the top vulnerability, now most visible in API abuses (object-level authorization flaws), privilege escalation in cloud-native environments, and mismanaged authorization in LLM-driven and agentic AI apps. Persistent issues with granular access controls, insecure direct object references (IDORs), and complex microservice authentication continue to expose organizations to data breaches and fraud.
Code Example (Java - Secure Access Control):
Note: This demonstrates enforcing authorization at the method level using Spring Security's @PreAuthorize annotation.
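The same idea as the @PreAuthorize check above, expressed as an added JavaScript example (not the post's Java code) so the deny-by-default, object-level decision is visible in one place; the document store, users and handler names are constructed for illustration.

```javascript
// Added example: object-level authorization for a document API, deny by default.
// The in-memory store and users below are constructed sample data.
const documents = new Map([
  [101, { id: 101, ownerId: 'alice', sharedWith: ['bob'], body: 'Q3 plan' }],
  [102, { id: 102, ownerId: 'carol', sharedWith: [], body: 'payroll' }],
]);

// Central policy: every (user, action, resource) decision goes through here.
// Anything not explicitly allowed is denied.
function canAccess(user, action, doc) {
  if (!user || !doc) return false;
  if (user.roles.includes('admin')) return true;
  if (doc.ownerId === user.id) return true;                       // owner: read and write
  if (action === 'read' && doc.sharedWith.includes(user.id)) return true;
  return false;
}

// IDOR pattern: trusts the id from the URL and never checks who may see the record.
function getDocumentInsecure(user, docId) {
  const doc = documents.get(Number(docId));
  return doc ? { status: 200, body: doc.body } : { status: 404 };
}

// Hardened handler: the policy runs before any data leaves the server. A denied
// request gets the same 404 as a missing record, so ids cannot be enumerated.
function getDocument(user, docId) {
  const doc = documents.get(Number(docId));
  if (!doc || !canAccess(user, 'read', doc)) return { status: 404 };
  return { status: 200, body: doc.body };
}

function updateDocument(user, docId, newBody) {
  const doc = documents.get(Number(docId));
  if (!doc || !canAccess(user, 'write', doc)) return { status: 404 };
  doc.body = newBody;
  return { status: 204 };
}

// Constructed users for trying the handlers out.
const alice = { id: 'alice', roles: ['user'] };
const bob = { id: 'bob', roles: ['user'] };
const mallory = { id: 'mallory', roles: ['user'] };
const auditor = { id: 'root', roles: ['admin'] };
```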
Previously labeled Sensitive Data Exposure, this risk focuses on weaknesses in cryptographic protections, such as weak algorithms, flawed key management, and lack of encryption.
With personal, financial, and biometric data flows increasing, cryptographic failures now often involve legacy encryption algorithms, weak implementations in API calls, and improper credentials management in CI/CD pipelines and AI-integrated products. Attackers commonly exploit old TLS versions and mismanaged cloud secrets, underscoring the ongoing need for strong, adaptive encryption and secret hygiene across distributed systems.
Mandate strong algorithms (AES-256, TLS 1.2+), use secure key management systems (e.g., AWS KMS), implement robust password hashing (Argon2, bcrypt, scrypt), enforce HTTPS/HSTS, and use cryptographically secure pseudorandom number generators (CSPRNGs).
Code Example (Node.js Secure Password Hashing):
Note: This uses bcrypt for secure, salted password hashing.
Injection attacks, like SQLi, OS command injection, NoSQLi, or XSS, result when untrusted input is used in commands or queries. In 2021, XSS was consolidated into this broader category.
The attack surface has grown: prompt injection now targets large language models, while APIs expose new avenues for malicious input. Inadequate sanitization in LLM-integrated apps, event-driven APIs accepting unchecked data, and cross-context code execution (from AI plugins or workflow automation) have become major injection risks.
Strict server-side input validation and sanitization, use of prepared statements and parameterized queries for databases, context-specific output encoding, and Content Security Policy (CSP) against XSS.
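An added JavaScript example (not code from the post) of the context-specific output encoding named above: the same untrusted value is rendered into HTML body, HTML attribute and JavaScript string contexts, each with the encoder that context needs. The function names are my own.

```javascript
// Added example: context-specific output encoding. One "sanitize" pass is not
// enough; the encoder has to match the context the data is written into.

// HTML body context: neutralise the characters that can open tags or entities.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, c => map[c]);
}

// HTML attribute context: encode everything but alphanumerics, so the value cannot
// break out of an attribute even if it was left unquoted.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string context: hex/unicode escapes keep the data inert inside a quoted
// literal, including a closing script tag that would otherwise end the block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, '0')}` : `\\u{${cp.toString(16)}}`;
  });
}

// Renders one untrusted value into three contexts of a page, each with the right encoder.
function renderProfile(name) {
  return [
    `<p>Welcome, ${encodeForHtml(name)}</p>`,
    `<input value="${encodeForHtmlAttribute(name)}">`,
    `<script>var user = '${encodeForJsString(name)}';</script>`,
  ].join('\n');
}
```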
A new category in 2021, Insecure Design highlights security weaknesses originating at the design and architectural stages, emphasizing "shift left" security.
With rapid adoption of complex, distributed architectures, insecure design failures now often surface through a lack of threat modeling for AI workflows, insecure defaults in API-first products, and omission of least-privilege principles in multi-agent or serverless environments. Shift-left security practices, if ignored, leave these systemic flaws unaddressed until exploitation.
Implement structured threat modeling early in the SDLC, adopt secure design principles (PoLP, "deny by default"), integrate security throughout the SDLC, design with secure defaults, and conduct regular security reviews and testing.
This category addresses risks from using third-party components with known vulnerabilities or those no longer maintained.
With supply chain attacks surging, threats now stem from malicious open-source packages, aging dependencies in LLM plug-in ecosystems, and untracked components in CI/CD. Automated software composition analysis, SBOMs, and prompt patching are critical in defending against exploitation at scale.
Create and maintain Software Bills of Materials (SBOMs), integrate automated Software Composition Analysis (SCA) tools into CI/CD pipelines, establish robust patch management processes, use trusted repositories and code signing, and remove unused components.
The application security landscape has changed dramatically since 2021. Over the past year, threat actors have grown more sophisticated, empowered by advancements in AI, an explosion in API-first architectures, and the increasing complexity of software supply chains. As defenders work to adapt, new attack vectors continue to emerge, often targeting the same core weaknesses defined by the OWASP Top 10, but at unprecedented scale and scope.
AI is both a potent weapon for attackers (generating malware, prompt injection for LLMs) and an indispensable tool for defenders. AI-driven threat detection enables real-time analysis, automating tasks like vulnerability triage and remediation. Advanced ‘agentic AI’ systems can autonomously execute security actions, accelerating SOC workflows and enabling organizations to achieve 30–90% faster threat detection and up to 55% lower Mean Time To Respond (MTTR), according to recent industry reports and SOC benchmarks.
APIs are the "backbone of digital innovation," constituting over 71% of web traffic. This pervasive adoption has dramatically expanded the attack surface, with 27% of API attacks targeting business logic flaws and 46% of Account Takeover (ATO) attacks focusing on API endpoints. The rise of LLM-based applications further increases API-related breach probability. This necessitates specialized API security strategies, continuous API discovery, and automated remediation, with DevSecOps practices crucial for securing APIs from the outset.
The software supply chain is a critical vulnerability point due to pervasive open-source use and sophisticated attackers. Malicious open-source packages increased by 156% year-over-year (over 512,847 in 2024). Additionally, 80% of application dependencies remain unpatched for over a year. These issues impacted 87% of organizations in 2024. Mitigation requires SBOMs, automated SCA tools, secure dependency management, trusted repositories, and continuous monitoring.
The OWASP Top 10 (2021) continues to serve as a foundational guide for application security, even as the threat landscape grows more complex and interconnected in 2025. Classic risks like broken access control, injection flaws, cryptographic failures, and supply chain vulnerabilities remain not only relevant but are often amplified by today’s rapid adoption of AI, explosive API growth, and open-source integration. Cyber threats are faster, more automated, and frequently exploit core weaknesses highlighted by the Top 10, making continuous vigilance and adaptable strategies essential to defending digital assets.
AppSecEngineer delivers world-class, hands-on training tailored to the challenges of 2025 and beyond. With interactive labs, role-specific learning paths, and real-world scenarios (from AI & LLM security to DevSecOps and secure code review), AppSecEngineer helps your team move beyond theory into practical mastery. Invest in your organization’s security future, and start your journey with AppSecEngineer today!
The OWASP Top 10 is a globally recognized standard that lists the ten most critical web application security risks. It is developed by the Open Web Application Security Project (OWASP) based on extensive industry data and expert contributions, and is frequently updated to reflect emerging threats and technology shifts.
The most recent official OWASP Top 10 for web applications was released in 2021, but the 2025 update is scheduled for release in late summer or early fall 2025. The 2021 edition continues to guide best practices, with foundational risks that remain highly relevant in the current threat landscape.
AI technology and APIs have significantly expanded the attack surface facing organizations in 2025. Attackers frequently exploit APIs for business logic and authentication flaws, while AI-driven apps are vulnerable to issues like prompt injection and model manipulation. Defenders must focus on continuous discovery, input validation, and adopting security-by-design for both APIs and intelligent systems.
Broken Access Control, Injection flaws, Cryptographic Failures, and Vulnerable and Outdated Components are all amplified by today’s growth in AI, APIs, cloud-native development, and open-source adoption. These threats are also emerging in new forms, such as API-specific attacks and supply chain exploits.
API security demands measures such as continuous inventory, automated API discovery, business logic validation, and strict authentication controls. Managing supply chain risk requires regular use of Software Composition Analysis (SCA), Software Bill of Materials (SBOMs), patch management, and dependency monitoring.
Industry data in 2025 confirms APIs account for over 71% of all web traffic. This high volume makes API endpoints a prime target for attacks, with 27% of API attacks focusing on business logic flaws and 46% of account takeover (ATO) attacks now exploiting APIs.
Agentic AI refers to autonomous intelligent systems that can execute security actions and orchestrate automated workflows in Security Operations Centers (SOC). These systems can accelerate threat detection by 30–90% and cut mean time to respond by up to 55%, significantly improving incident response and defender efficiency.
With real-world threats changing rapidly, hands-on training helps teams develop practical skills for areas like API security, AI security, DevSecOps, and code review. This reduces security debt, empowers faster remediation, and builds resilience against both classic and emerging attack vectors.
AppSecEngineer provides interactive labs, role-based learning paths, and practical scenarios tuned to current threats—including AI, API, and supply chain risks. Their platform enables teams to confidently secure modern applications by moving beyond theoretical knowledge into hands-on mastery.
The official OWASP Top Ten project page offers in-depth information, and hands-on training platforms like AppSecEngineer.com help bridge the gap between awareness and implementation.