From the course: Learning the OWASP Top 10 (2025 Version)
How risks shift
When you look at the OWASP Top 10 across different years, one thing becomes clear really fast. The list is not stable, and it's not supposed to be. OWASP is a mirror. Every addition reflects where the real-world attack surface is moving, and where organizations are actually getting hurt. We're going to explore how risks shift over time and the deeper forces driving those changes.

Let's start with a category everyone knows: broken access control. In the 2017 OWASP Top 10, it appears as a mid-list item. By the 2021 edition, it rockets up to the number one spot, and it remains at number one again in the 2025 release candidate. That's not a fluke. Access control complexity has exploded as systems become API-centric, distributed, and permissioned at increasingly granular levels. When authorization logic is scattered across microservices, mobile clients, gateways, and backend APIs, it becomes incredibly easy to get wrong. Attackers love complexity, and they love inconsistent guardrails even more. Broken access control rises because the architecture underneath it keeps getting harder to secure.

Next is security misconfiguration, a category that has existed in some form since OWASP's earliest list but has steadily grown in importance. In the 2025 release candidate, it sits at number two. That makes sense. Ten years ago, a misconfiguration might have meant leaving a default password enabled. Today, it means overly broad IAM roles, exposed cloud storage buckets, misconfigured managed services, or containers deployed with dangerous debugging flags. In an environment where infrastructure is constantly created, modified, and destroyed, misconfiguration is no longer a beginner mistake. It's an operational reality, and the data reflects that.

Then there's the most visible new presence in the 2025 release candidate: software supply chain failures, ranked at number three. This category expands on 2021's vulnerable and outdated components, but with a much broader lens. It reflects how modern software is being built: on layers of open source libraries, vendor SDKs, CI/CD plugins, container base images, and infrastructure-as-code templates. Each dependency becomes part of your attack surface. A single compromised package or poisoned pipeline can cascade downstream into hundreds or thousands of applications. That systemic risk is why OWASP elevates supply chain failures into a top-tier category.

Some categories fall or get merged as the ecosystem matures. Cross-site scripting is a classic example. XSS dominated AppSec discussions for years and appeared as its own category through 2017. But modern frameworks, templating engines, and browser protections dramatically reduce the need for manual output sanitization. In 2021, OWASP folded XSS into the broader injection category. The risk didn't disappear. The defaults simply improved. Similarly, insecure deserialization debuted as a standalone category in 2017 and was merged into software and data integrity failures in 2021, not because it stopped mattering, but because the industry recognized deserialization flaws as one symptom of a broader integrity problem.

That leads to the takeaway. OWASP evolves because the industry evolves. New architectures introduce new failure modes. Stronger defaults push old risks into the background. Attacker economics, and increasingly AI-driven scale, shape what becomes cost-effective to exploit. Don't memorize the list. Understand the movement. When you understand why categories rise, merge, or fade, you stop chasing yesterday's threats and start anticipating tomorrow's.