
What are the OWASP Top 10 vulnerabilities?

by Aaron Flack on Jun 23, 2026


The OWASP Top 10 is the most widely referenced framework for web application security risk. Published by the Open Worldwide Application Security Project (OWASP), a non-profit foundation dedicated to improving software security, it identifies the ten vulnerability categories that cause the most real-world harm to applications. For any organisation running a web application, a customer portal, or an API, the OWASP Top 10 defines the territory where attackers are most likely to look first.

The current version is OWASP Top 10:2025, published in January 2026, following its release candidate announcement at OWASP Global AppSec in November 2025. It reflects fresh analysis of vulnerability data from thousands of applications and represents the first update to the list since 2021. Understanding what it contains and acting on that understanding is a baseline expectation for any organisation with meaningful exposure through its software.

What is OWASP?

The OWASP Top 10 matters because it is evidence-based. OWASP builds each edition from real vulnerability data contributed by security firms, testing providers, and bug bounty programmes. The categories on the list are not theoretical concerns. They are the weaknesses that attackers repeatedly find and exploit in production systems across industries and geographies.

For UK organisations in regulated sectors, the stakes are higher still. The OWASP Top 10 aligns with major compliance frameworks, including PCI DSS, ISO 27001, and GDPR, as well as Cyber Essentials, the UK government-backed certification that many regulated organisations and their suppliers are expected to hold. PCI DSS explicitly references OWASP as a secure coding resource; ISO 27001 and GDPR both require application security controls that the OWASP Top 10 directly supports. For UK SMEs, Cyber Essentials is often the most immediate baseline, particularly where clients or procurement processes require evidence of security posture. Auditors and regulators use the OWASP Top 10 as an informal baseline when assessing whether an organisation takes application security seriously. An application that has never been tested against these categories is, in practical terms, an application with unknown exposure.

The list also matters because it is directional. Priorities shift between editions. The 2025 update introduced two new categories, signalling where attackers are increasingly focusing. Organisations that track the OWASP Top 10 across versions can see the threat environment moving before it reaches them.

The OWASP Top 10 explained

The following categories make up OWASP Top 10:2025. Each one represents a class of vulnerability rather than a single specific flaw. The rankings reflect a combination of prevalence, ease of exploitation, and severity of business impact.

  1. A01:2025 Broken Access Control. Users can access data, functions, or systems they should not be able to reach. This is the most prevalent category on the list and covers everything from a standard user viewing another customer's account to an unauthenticated request reaching an admin panel.
  2. A02:2025 Security Misconfiguration. Default credentials, unnecessary features left enabled, missing security headers, open cloud storage buckets, and verbose error messages all create exploitable gaps. This category is common because misconfiguration often occurs through inaction rather than a deliberate choice.
  3. A03:2025 Software Supply Chain Failures. Applications that depend on third-party libraries, open-source components, or external services inherit the vulnerabilities of those dependencies. Attackers increasingly target the supply chain rather than the application itself, because a single compromised component can affect thousands of deployments simultaneously.
  4. A04:2025 Cryptographic Failures. Applications fail to protect sensitive data in transit or at rest because of weak, missing, or misconfigured encryption. This category covers exposed passwords, unencrypted payment data, and the use of deprecated cryptographic algorithms that attackers can break with modern tooling.
  5. A05:2025 Injection. Untrusted data is sent to an interpreter, such as a database, operating system, or LDAP server, in a way that alters how commands are executed. SQL injection is the best-known variant, but the category covers any context where attacker-controlled input can change program behaviour.
  6. A06:2025 Insecure Design. Security cannot be tested in after the fact. This category covers architectural and design-level weaknesses where the application was built without threat modelling, secure design patterns, or adequate security requirements from the outset.
  7. A07:2025 Authentication Failures. Weaknesses in how applications confirm who a user is and what they are permitted to do. Brute-force attacks, credential stuffing, weak password policies, and the absence of multi-factor authentication all fall here. Addressing this category often requires both testing to identify the gaps and identity and access management controls to close them at an infrastructure level.
  8. A08:2025 Software or Data Integrity Failures. Code and infrastructure updates, CI/CD pipelines, and serialised data are processed without verifying their integrity. This allows attackers to introduce malicious code into trusted workflows, including the update mechanisms organisations rely on for patching.
  9. A09:2025 Security Logging and Alerting Failures. Applications that do not log meaningful events, or that generate logs no one reviews, cannot detect attacks in progress. This category covers the absence of alerting, inadequate log retention, and the failure to act on indicators of compromise. Organisations that cannot monitor and respond to log events in real time should consider whether a managed SOC is the right structural answer.
  10. A10:2025 Mishandling of Exceptional Conditions. Applications that fail to handle errors, edge cases, and unexpected inputs predictably create opportunities for attackers. Unhandled exceptions can expose stack traces, bypass controls, or leave the application in states that are exploitable.
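As an added example that is not part of the original article, the following Python (names, sample data and the two-role model are all constructed) shows A01 Broken Access Control as a missing object-level ownership check, next to a deny-by-default version that also records each denial for the kind of alerting A09 calls for:

```python
"""Added example (not from the original article): an object-level access check for
"view account", in the vulnerable shape A01:2025 describes and in a deny-by-default
form that records denials for A09-style alerting. All data and names are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    balance: float

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin" (constructed role model)

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    101: Account(account_id=101, owner_id=1, balance=250.0),
    102: Account(account_id=102, owner_id=2, balance=9000.0),
}
# Denied requests land here; a real service would emit them as security
# log events that a monitoring team can alert on.
AUDIT_LOG: list = []

class AccessDenied(Exception):
    """Raised whenever the authorisation check fails."""

def get_account_vulnerable(requester: User, account_id: int) -> Account:
    """Broken access control: trusts the client-supplied id and never checks
    ownership, so any logged-in customer can read any account."""
    return ACCOUNTS[account_id]

def get_account_secure(requester: User, account_id: int) -> Account:
    """Deny by default: allow only the owner or an admin, log every denial, and
    give missing and forbidden records the same response."""
    account = ACCOUNTS.get(account_id)
    if account is not None and (
        requester.role == "admin" or account.owner_id == requester.user_id
    ):
        return account
    AUDIT_LOG.append({"user": requester.user_id, "account": account_id})
    raise AccessDenied("account not available")

def can_view(requester: User, account_id: int) -> bool:
    """True when the secure check allows access; used to exercise the policy."""
    try:
        get_account_secure(requester, account_id)
        return True
    except AccessDenied:
        return False
```

The point a tester would verify is the second function's behaviour for a requester who is neither the owner nor an admin: the record is withheld and the attempt is logged, whereas the first function hands it over.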

Why knowing the OWASP Top 10 is not enough

Awareness of the OWASP Top 10 tells an organisation nothing about its own applications. The list defines the categories of risk that matter; it says nothing about whether those risks are present in a specific codebase, API, or web service. That distinction matters, because the question a board or auditor asks is not whether the OWASP Top 10 exists, but whether the organisation has done the work to understand its own exposure.

The gap between knowing the categories and having evidence of your actual risk is where most organisations sit. Development teams may have absorbed the OWASP guidance. Security policies may reference it. But without active testing, there is no way to confirm whether access controls are correctly implemented, whether components have known vulnerabilities, or whether logging is capturing the events that matter.

The OWASP Top 10 is not a compliance standard in itself. The Open Worldwide Application Security Project positions it as an awareness document. But in practice, regulators, auditors, and prospective clients in regulated sectors treat it as a minimum baseline. An organisation that cannot produce evidence of testing and remediation against these categories is in a weaker position than one that can, regardless of whether formal compliance requires it.

If you want to understand where your applications sit against these categories, start with a scoping conversation.

How penetration testing maps to OWASP Top 10 risks

Penetration testing is the mechanism that converts OWASP Top 10 awareness into concrete evidence. A penetration test against a web application or API is not simply a scan. It is an active attempt to exploit the categories of weakness that OWASP defines, carried out by a tester who understands how those weaknesses manifest in real systems and how they interact with each other.

A well-scoped web application penetration test will cover the full OWASP Top 10 surface. The output maps findings directly to OWASP categories, giving the results a structure that auditors, board members, and certification bodies can interpret without requiring technical fluency. A finding under A01:2025 Broken Access Control means something to a risk committee in a way that a raw technical description of an access control bypass does not.

Testing without remediation and retesting is incomplete. Once findings are mapped and prioritised, the development or engineering team addresses them, and the tester returns to verify that the fixes hold. This cycle produces a dated, auditable record: what was found, what was fixed, and what residual risk remains. That record is what gives organisations something credible to present to boards, to insurers, and to clients who ask.

Conosco's penetration testing work follows this pattern. Scope is agreed before testing begins. Findings are categorised, prioritised, and written for a risk committee, not a development team. Remediation support is available, and retesting confirms the position before the work is signed off. The output is a dated, auditable report that a board, insurer, or auditor can read without needing technical fluency.

In a recent engagement for a retail e-commerce client running 400 endpoints, testing identified vulnerabilities in the customer login flow before any exploitation reached production. Fixes were applied within days and the client's support desk saw a 33% reduction in incident tickets in the following month.

A UK logistics business operating a fleet across 15 depots commissioned an external test and discovered a critical public-facing credential leak. The vulnerability was identified and closed before it was exploited. The client subsequently renewed a key contract, with the test outcome forming part of their evidence of security posture.

A penetration test tells you where you stood on a specific date. For organisations that need to know where they stand now, threat and vulnerability management provides continuous identification of weaknesses across the application and infrastructure estate, including ongoing exposure to the categories the OWASP Top 10 defines. The two services work best in sequence: test, remediate, then maintain visibility between tests.

What to do next

If your organisation runs web applications, customer portals, or APIs and has not tested them against the OWASP Top 10:2025 categories, the first step is to understand the scope of what needs testing. Not every application carries the same risk. The priority is the applications that handle sensitive data, process payments, authenticate users, or sit at the boundary between your organisation and the outside world.

Testing should be structured, evidenced, and connected to a remediation process. A report that lists findings without a path to resolution does not reduce risk. The test, the fix, and the retest together constitute the assurance. That sequence also gives the organisation something to present to auditors, board members, or clients who ask for evidence of application security maturity.

The OWASP Top 10 is updated approximately every three to four years. The 2025 edition reflects significant changes from 2021, including two new categories that signal where the threat environment has shifted. Organisations that review their application security programme each time the list changes are better positioned than those that treat testing as a one-off exercise.

Your applications carry risk. The question is whether you can evidence the controls you have in place. Conosco scopes, tests, remediates and retests to produce the audit-ready record your board and regulators expect. Start with a scoping conversation.

Frequently asked questions

What is the OWASP Top 10?

The OWASP Top 10 is a standard awareness document published by the Open Worldwide Application Security Project (OWASP). It lists the ten most critical security risks to web applications, ranked by prevalence, exploitability, and business impact. It is updated every three to four years based on real-world vulnerability data and industry input. The current version is OWASP Top 10:2025, published in January 2026, following its release candidate announcement at OWASP Global AppSec in November 2025. It is widely used by developers, security teams, and auditors as a baseline reference for application security.

Is the OWASP Top 10 a compliance requirement?

The OWASP Top 10 is not a legal or regulatory requirement in itself. However, it aligns closely with frameworks and standards that do carry compliance weight. PCI DSS explicitly references OWASP as a secure coding resource. ISO 27001 and GDPR both require appropriate application security controls that the OWASP Top 10 directly supports, even where neither standard names it by title. UK auditors frequently use the OWASP Top 10 as a practical baseline when assessing application security maturity, and failing to address these risks can affect your standing in due diligence reviews, supplier assessments, and audit findings.

How often is the OWASP Top 10 updated?

The OWASP Top 10 is updated approximately every three to four years. The 2025 version is the first update since 2021 and reflects significant shifts in the threat landscape, including two new categories: Software Supply Chain Failures and Mishandling of Exceptional Conditions. Organisations should review their security posture each time the list is updated, as the ranking changes signal where real-world attackers are focusing.

What is the difference between OWASP Top 10 and penetration testing?

The OWASP Top 10 is a classification framework: it defines the categories of risk. Penetration testing is the active process of testing whether those risks exist in your specific applications. Knowing the OWASP Top 10 tells you what to look for; a penetration test tells you what you actually have. A well-scoped pen test will map its findings to the OWASP Top 10 categories, giving you a structured, auditable view of your exposure that you can present to boards and regulators.

What does OWASP Top 10 risk number one mean in practice?

The top-ranked risk in OWASP Top 10:2025 is Broken Access Control. In practice, this means users can access data, functions, or systems they should not be able to reach. This might allow a standard user to view another customer's records, access an admin panel, or retrieve files they have no permission to see. It is ranked first because it is both widespread and consistently exploitable. Addressing it requires a combination of code review, access policy design, and active testing to verify controls are working as intended.

How should I present OWASP Top 10 findings to my board?

Boards respond to risk in business terms, not technical categories. When presenting OWASP Top 10 findings, translate each risk into operational or financial exposure: what data could be accessed, what service could be disrupted, what regulatory consequence could follow. A penetration test report that maps findings to OWASP categories gives you a credible, structured evidence base. Frame the conversation around residual risk after remediation, not just the initial finding, and include a clear timeline for fix and retest.

Meet with an expert to discuss OWASP-aligned penetration testing.