SecureFlag Releases Updated OWASP Top 10:2025 Learning Paths

We have some great news! On November 6th, the final draft of the OWASP Top 10:2025 was officially presented at OWASP Global AppSec DC. This is the first major update since 2021 and highlights significant shifts in how today’s web application risks are understood and prioritized.

Thanks to its long-standing partnership with OWASP, the SecureFlag team has been updating the OWASP Top 10:2025 Learning Paths since the announcement. 

Development teams can now access the first OWASP Top 10:2025 learning paths, with additional paths for other languages and technologies coming in the weeks ahead.

What Changed from 2021 to 2025?

The latest OWASP Top 10 has several important updates. Here’s a breakdown of the key changes:

Categories That Stayed the Same or Moved Up

  • A01: Broken Access Control remains at number one.

  • A05 to A02: Security Misconfiguration moves up. 

  • A02 to A04: Cryptographic Failures shifts in position.

  • A07: Authentication Failures stays in the same position.

  • A09 to A08: Logging & Alerting Failures, previously named Security Logging and Monitoring Failures, stays in the same position.

Categories That Dropped in Rank

  • A03 to A05: Injection moves down from its long-standing top positions.

  • A04 to A06: Insecure Design moves down in position.

  • A08: Software and Data Integrity Failures stays in the same position. 

Categories That Merged or Restructured 

  • A06 to A03: Vulnerable and Outdated Components merged into a new category, Software Supply Chain Failures. 

  • A10: Server-Side Request Forgery (SSRF) has been incorporated into another category, Broken Access Control. 

New Categories

  • A03 2025 Software Supply Chain Failures: Combines multiple 2021 categories to cover risks from compromised or insecure third-party components and libraries.

  • A10 2025 Mishandling of Exceptional Conditions: Occurs when programs fail to prevent, detect, or respond to unusual or unpredictable situations, leading to crashes, unexpected behavior, or vulnerabilities. Highlights the importance of application resilience.

What’s New in SecureFlag’s Updated Learning Paths

SecureFlag’s updated OWASP Top 10:2025 Learning Paths now include:

  • Hands-on labs that are mapped to each new 2025 category.

  • Expanded coverage of supply chain failures, design flaws, and integrity risks.

  • Updated threat scenarios reflecting modern architectures and attack patterns.

  • Guided exercises that walk developers through exploitation, remediation, and prevention.

  • Practical secure coding patterns aligned with the new OWASP methodology.

SecureFlag provides practical, secure coding training to help teams understand and address the most critical web application risks. The updated OWASP Top 10:2025 Learning Paths give developers relevant experience in identifying and mitigating these vulnerabilities.

Contact us to see how SecureFlag can help your team.
