The 2025 updated OWASP Top 10 list has been revealed with some interesting insights

The OWASP Foundation has officially released the first Release Candidate for the 2025 OWASP Top 10 list. This list is used across the software development industry to rank the most important security concerns to keep in mind during the DevSecOps life cycle.

The 2025 list introduces two new categories: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10). They take the places of Server-Side Request Forgery (A10 in 2021) and Vulnerable and Outdated Components (A06 in 2021), which have been folded into Broken Access Control (A01) and the new Software Supply Chain Failures (A03) respectively.

Many of the security concerns in the 2025 Top 10 list hold the same ranking position they had in the 2021 list. This is a notable contrast to the many ranking shifts between the 2017 and 2021 lists.

The two "honorable mentions" of the OWASP list were (X01:2025) Lack of Application Resilience and (X02:2025) Memory Management Failures.
Lack of Application Resilience (X01) renames 2021's Denial of Service category; it was renamed because the old name described a symptom rather than a root cause. These resilience-related weaknesses are still very notable and scored close to A10:2025, but just did not make the cut.
Memory Management Failures (X02) also fell short of the list, as the focus is shifting away from traditional desktop applications, where this concern mostly lies, towards web-application-focused development.

Another notable change is to the selection methodology. For 2025, a community survey was added after 12 categories had been selected from the contributed data. This allows the list to "remain data-informed but not blindly be data-driven", as mentioned by owasp.org. In other words, the list is no longer based only on past testing data: it is now also forward-looking, incorporating the risks that application security and development practitioners believe are underrepresented in the testing data but matter for future development.

Overall, the 2025 Top 10 list brings some very insightful shifts from 2021, and it will be interesting to see how these concerns move and develop in future iterations of the OWASP Top 10 list.

Image and information reference: owasp.org - visit https://owasp.org/Top10/2025/0x00_2025-Introduction/ for more info.