OWASP 2025 Top 10 Adds Software Supply Chain Failures, Ranked Top Community Concern
Blog post from Socket
The OWASP Top 10 for 2025 introduces a new category, Software Supply Chain Failures, reflecting the growing recognition that risk lives in the tools and infrastructure used to build and deliver software, not only in outdated components. The change marks a significant shift: 50% of survey respondents identified this category as their top concern, and it had the highest average incidence rate of any category despite minimal CVE coverage. The report highlights how supply chain threats, such as compromised packages and CI/CD pipeline intrusions, pose substantial security risk. By grouping related Common Weakness Enumerations (CWEs) into broader categories, OWASP aims to provide a framework that stays relevant across diverse technology stacks, emphasizing the importance of managing dependencies and securing development processes. The new focus underscores the need for visibility, integrity, and strong access controls in managing supply chain risk, and encourages a cultural shift in which dependencies and build pipelines are part of the threat model rather than trusted by default.