Reading the 2025 OWASP Top 10 RC as a Market Trend Map

Reading the 2025 OWASP Top 10 RC as a Market Trend Map

#appsec #cybersecurity #devsecops #owasp
Shem Tov Fisher
November 11, 2025

For years, many managers and developers told themselves, “Security breach? It won’t happen to us” – but by the law of big numbers, it always happens to someone. From early-stage startups to global enterprises, breaches are no longer rare events; they’re a routine test of resilience.

Even if a breach doesn’t instantly bankrupt the company, it can quietly destroy trust and reputation.

Just a few examples from 2025:

  • In April, Marks & Spencer had to suspend online orders for nearly a week after a major cyberattack took down its website and app, right in the middle of a critical sales period.
  • In October, Muji’s online stores were forced offline after a ransomware attack on its logistics partner, Askul, leading to cancelled orders and frustrated customers.
  • Very recently, business services provider Conduent disclosed a breach affecting more than 10 million patients, triggering SEC filings and regulator notifications.

These incidents aren’t isolated. They’re signposts in a broader shift – where application security defines brand stability as much as uptime or UX.

That’s what makes the OWASP (Open Web Application Security Project) Top 10 so influential.
While OWASP reflects existing threats, it also shapes the next generation of security priorities for software companies, vendors, and regulators alike.

A few days ago, OWASP released the Release Candidate (RC) for the 2025 Top 10 – the first major update since 2021.

And while it may look like another technical list, it’s worth paying attention even if you’re not deep into AppSec or DevSecOps. Reading it through a market lens reveals where the next wave of investment, tooling, and hiring will go.

I’m not going to review everything, but here are a few changes that stood out to me and their potential market impact.

#1 – A01:2025 Broken Access Control (still #1)

Access control is what makes sure users can’t act outside their intended permissions.

In the 2025 RC, this category still sits in first place. OWASP mentions that 100% of applications tested had some form of broken access control. That’s… a lot.

Market impact

  • Higher demand for developers who understand secure authorization patterns, especially in API-first and multi-tenant SaaS.
  • More value in architects and platform engineers who can design centralized auth/authorization layers, instead of one-off checks hidden in each service.
  • Pentesters skilled in access abuse (IDOR, privilege escalation, tenant breakout) stay in very high demand.

On the tooling side:

  • Growth for solutions that centralize and standardize authorization (OPA, Cerbos, custom AuthZ services).
  • Since access control is only truly effective when enforced in trusted server-side code or serverless APIs (where attackers can’t modify checks or metadata), identity and API gateways become even more critical pieces of the stack.

#2 – A02:2025 Security Misconfiguration moves up (from #5 to #2)

Security misconfiguration is basically “everything was built correctly, but wired up wrong.”
Typical issues include things like: publicly exposed resources, debug or admin endpoints left open, overly permissive roles and policies, and weak or missing TLS and security headers.

From the DevOps perspective, we encourage “config as code,” but the flip side is that a single wrong value can expose an entire environment.

Security is now an architecture problem, not just a “bug” problem.

Market impact

  • This puts a big spotlight on configuration security, meaning:
    • Growing demand for qualified DevSecOps engineers and
    • Continued rise of CNAPP platforms (Wiz, Orca, Upwind, Aikido, etc.).
  • More shift-left: configuration scanning and policy enforcement move earlier into CI/CD, not just runtime audits or manual reviews at the end.

#3 – A03:2025 Software Supply Chain Failures (expanded from “Vulnerable & Outdated Components”)

The old “Vulnerable and Outdated Components” (A06) has evolved into a broader A03: Software Supply Chain Failures.

This new category goes beyond outdated libraries. It now covers things like:

  • Compromised build systems and signing keys
  • Tampering during CI/CD processes
  • Malicious package uploads to npm, PyPI, etc.

The old “outdated components” framing (find vulnerable library → patch) is now part of a larger ecosystem risk narrative – provenance, trust, build integrity. Integrity is now a first-class citizen; it’s not just “is this library vulnerable?” but “can we prove where this build came from and that no one tampered with it?”

For example, the recent PhantomRaven campaign showed how 126 malicious npm packages (over 86,000 downloads) hid their payload in “invisible” remote dependencies, completely bypassing most traditional dependency scanners and stealing npm tokens, GitHub credentials, and CI/CD secrets – exactly the kind of attack stronger signing and supply chain controls are meant to prevent.

Market impact

  • Traditional dependency scanners (Snyk, WhiteSource/Mend, JFrog Xray) are now only one piece of a much larger risk model. To stay relevant, they’ll need to evolve toward end-to-end supply chain integrity.
  • Expect rapid growth in AI-driven supply chain security platforms that focus on package trust, CI/CD integrity, artifact attestation and provenance.
  • CI/CD vendors like GitHub and GitLab will double down on SBOM generation, artifact signing, and built-in policy gates around deployments.

#4 – New category: A10 – Mishandling of Exceptional Conditions

This new category highlights security risks that appear when systems fail to handle unexpected or abnormal states – for example:

  • Unhandled exceptions
  • Resource exhaustion
  • Race conditions and timing issues
  • Load spikes and partial failures

It represents a shift from purely static vulnerabilities toward resilience, fault-tolerance, and runtime behavior.

Market impact

  • This basically introduces a new product vertical: “Resilience->Security” – making sure failure states are safe, not just that normal operation is secure.
  • As the focus moves from static analysis to runtime resilience, traditional AppSec scanners by themselves are no longer enough.
  • This opens a new frontier where AppSec meets SRE, pushing observability platforms (Sentry, Honeycomb, Datadog, etc.) to expand deeper into the security context, not just performance metrics.
  • We’ll see rising demand for tools that enable chaos and resilience testing, including things like fault-injection security validation, runtime anomaly detection, and automated exception-handling checks. These tools won’t just measure performance – they’ll also help reveal potential security threats hidden in how systems behave under stress.

To wrap up, the OWASP Top 10 isn’t just a “security checklist” – it’s a survival guide for your product and your brand.