
OWASP Top 10:2025: what changed and how QA helps reduce risk

As AI speeds up development and attackers exploit business logic, the latest OWASP Top 10 exposes why traditional security checks fall short and how QA must evolve to protect modern web applications.
31 December 2025
Cybersecurity testing
Article by a1qa

Over the past 18-24 months, the threat landscape for web applications has shifted dramatically.

The massive adoption of AI assistants in software development accelerated feature delivery but also increased the amount of code that ignores implicit business rules: in 2025, AI accounts for 40-60% of new production code, and headline incidents increasingly stem from business logic flaws rather than classic CVEs.

At the same time, ransomware remains a macro‑risk: up to 78% of companies report being affected in 2025, with trends pointing to further growth in frequency and impact by 2026.

Regulatory expectations are tightening as well: SOC 2 audits, DORA, and cyber‑insurance questionnaires increasingly ask for demonstrable business‑logic testing, not just scanner reports.

In this context, OWASP Top 10:2025 is becoming a roadmap that shifts focus from isolated bugs to root causes and ecosystem vulnerabilities.

In this article, we look at the central idea behind this list of the most severe web application risks, give an overview of each category, examine the gap between fast development and real security, and outline QA’s evolving security responsibilities.

What is OWASP Top 10:2025 and how it differs

The OWASP Top 10 is a global standard for web application risk awareness, built on broad community consensus, contributed datasets, and surveys.

The list serves as a guideline for identifying and mitigating the most consequential classes of risk. By relying on it, project teams gain focus and an order of priority in contexts where security requirements might otherwise seem vague.

For instance, a team building a Salesforce-driven platform that lets B2B enterprises offer insurance protection to their clients and employees used the list to uncover exploitable weaknesses, rate the system’s security maturity, and reinforce its defenses with the recommended actions.

In 2025, the project team updated categories and priorities to better reflect modern application risks.

Key changes in 2025:

  • Two new categories: A03 ‘Software Supply Chain Failures’ (broadens the old ‘Vulnerable and Outdated Components’ focus from individual components to the whole supply chain: dependencies, CI/CD, build systems, distribution) and A10 ‘Mishandling of Exceptional Conditions’ (groups the failures that appear under abnormal or error states).
  • Rebalanced rankings: A02 ‘Security Misconfiguration’ rises to #2 as cloud and microservice configurations grow in complexity, while A01 ‘Broken Access Control’ remains #1 (and now absorbs SSRF); ‘Cryptographic Failures’, ‘Injection’ and ‘Insecure Design’ each drop two places to A04, A05 and A06 but remain critical.

OWASP Top 10:2025 overview

Each OWASP Top 10 category represents a critical risk area for modern applications. Let’s break down what each category covers, why it matters for your business, and practical QA strategies to mitigate these vulnerabilities.

Threat group #1: A01 Broken Access Control

What’s included: broad authorization flaws (RBAC/ABAC), vertical/horizontal privilege escalation, context mismatches; SSRF consolidated under access control when it enables authorization bypass.

Impact: unauthorized data/function access, multi‑tenancy breaches, compliance risk.

QA: role‑ and tenant‑based API/UI testing (positive and negative cases), policy tests (least privilege, context‑aware access), deny‑by‑default verified at the gateway, service and data layers rather than only in the UI.
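The following is an added example, not a1qa’s code, of what a role‑ and tenant‑based test matrix looks like in practice. The `Api`, `Principal` and invoice data are hypothetical stand‑ins for the service under test; the reusable part is the matrix of (principal, action, target, expected outcome) that exercises horizontal access (another tenant’s record), vertical access (a non‑admin calling an admin action) and the deny‑by‑default path for unknown ids.

```python
# Added example, not a1qa's code: a positive/negative authorization matrix for a
# multi-tenant invoice API. `Api`, `Principal` and the invoice data are hypothetical
# stand-ins for the service under test; the matrix shape is the reusable part.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str
    role: str  # "user" or "admin"


# Constructed sample data: invoices belong to tenants, not to the caller
INVOICES = {
    "inv-1": {"tenant_id": "t-A", "owner": "alice", "amount": 100},
    "inv-2": {"tenant_id": "t-B", "owner": "bob", "amount": 250},
}


class Forbidden(Exception):
    pass


class Api:
    """Every request is checked at the service layer, not only in the UI, so both
    horizontal (other tenant) and vertical (non-admin doing admin work) access fails."""

    def get_invoice(self, who: Principal, invoice_id: str) -> dict:
        inv = INVOICES.get(invoice_id)
        # Deny by default: an unknown id and a foreign tenant's id look identical
        if inv is None or inv["tenant_id"] != who.tenant_id:
            raise Forbidden("not found")
        return inv

    def void_invoice(self, who: Principal, invoice_id: str) -> dict:
        inv = self.get_invoice(who, invoice_id)  # tenant (horizontal) check first
        if who.role != "admin":                  # then the role (vertical) check
            raise Forbidden("admin only")
        return {**inv, "status": "void"}


def run_matrix(api: Api) -> dict:
    """Run every (principal, action, target) case and return {case: passed}, where
    passed means the observed allow/deny matched the expectation."""
    alice = Principal("alice", "t-A", "user")
    admin_a = Principal("root-a", "t-A", "admin")
    bob = Principal("bob", "t-B", "user")
    cases = {
        # name: (principal, action, target, expect_allowed)
        "own_tenant_read":      (alice,   "get_invoice",  "inv-1", True),
        "cross_tenant_read":    (alice,   "get_invoice",  "inv-2", False),  # horizontal
        "user_void_own_tenant": (alice,   "void_invoice", "inv-1", False),  # vertical
        "admin_void_own":       (admin_a, "void_invoice", "inv-1", True),
        "admin_void_foreign":   (admin_a, "void_invoice", "inv-2", False),  # admin is tenant-bound
        "unknown_id":           (bob,     "get_invoice",  "inv-9", False),
    }
    results = {}
    for name, (who, action, target, expect_allowed) in cases.items():
        try:
            getattr(api, action)(who, target)
            allowed = True
        except Forbidden:
            allowed = False
        results[name] = (allowed == expect_allowed)
    return results
```

The point of the matrix is that every negative case is as explicit as the positive ones; an endpoint that is only tested with the “happy” principal will never reveal that an admin from tenant A can void invoices in tenant B.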

Threat group #2: A02 Security Misconfiguration

What’s included: insecure defaults, exposed endpoints and debug features, inconsistent configurations across environments, missing security headers, optional insecure settings left enabled, and improper secret handling.

Impact: quick exploitation, lateral movement, higher incident cost.

QA: IaC scanning (Terraform/Helm), hardening checklists (HTTP headers, TLS, CORS, rate‑limits), ‘golden configs’ and drift tests in CI/CD.

Threat group #3: A03 Software Supply Chain Failures

What’s included: dependency vulnerabilities, compromised package registries or update channels, CI/CD attacks, build/signing/distribution risks.

Impact: systemic incidents with large blast radius and long tail; regulatory exposure.

QA/AppSec: an SBOM per release, an approved‑sources and licensing policy, SCA scanning, artifact integrity (signatures and verification), build provenance and artifact traceability checks, hardened CI/CD with least privilege and role separation; in short, trust but verify every input to the build.

Threat group #4: A04 Cryptographic Failures

What’s included: weak algorithms/modes, incorrect TLS, poor key/secret storage, insufficient encryption of sensitive data.

Impact: data leakage, non‑compliance (GDPR/ISO/SOC 2), financial risk.

QA: TLS profile checks, key‑management tests (rotation, scoped access, secret scanning), verify encryption in transit/at rest and cryptographic implementation.
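The hardening checklist from threat group #2 (HTTP headers, CORS) and the TLS profile checks from threat group #4 are both “golden config” comparisons, so one added example serves both. This is not a1qa’s code; the golden values (one‑year HSTS, no `unsafe-inline` in CSP, TLS 1.2+ only, a marker list of weak cipher suites) are illustrative policy choices, and the two responses are constructed, not captured from a real system. In a pipeline the `resp` dict would be filled from a real probe and the test would fail the build on any finding.

```python
# Added example, not a1qa's code: a golden-config drift check over HTTP response
# headers, CORS and the negotiated TLS profile. Policy values are assumptions.
from typing import Callable, Dict, List


def _hsts_ok(v: str) -> bool:
    # Require at least one year of max-age; a short value is a downgrade window
    try:
        return int(v.lower().split("max-age=")[1].split(";")[0].strip()) >= 31536000
    except (IndexError, ValueError):
        return False


GOLDEN_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "content-security-policy": lambda v: "default-src" in v and "'unsafe-inline'" not in v,
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
}
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")


def check_response(resp: dict) -> List[str]:
    """resp = {"headers": {...}, "tls": {"version": str, "cipher": str}}.
    Returns findings; an empty list means the endpoint matches the golden config."""
    findings = []
    headers = {k.lower(): v for k, v in resp.get("headers", {}).items()}
    for name, ok in GOLDEN_HEADERS.items():
        if name not in headers:
            findings.append(f"missing header: {name}")
        elif not ok(headers[name]):
            findings.append(f"weak header value: {name}={headers[name]}")
    # CORS: a wildcard origin combined with credentials lets any site read responses
    acao = headers.get("access-control-allow-origin")
    acac = headers.get("access-control-allow-credentials", "").lower()
    if acao == "*" and acac == "true":
        findings.append("CORS: wildcard origin with credentials")
    # Version numbers in the Server banner are free reconnaissance
    if "server" in headers and any(ch.isdigit() for ch in headers["server"]):
        findings.append(f"server banner discloses version: {headers['server']}")
    tls = resp.get("tls", {})
    if tls.get("version") not in ALLOWED_TLS:
        findings.append(f"TLS version not allowed: {tls.get('version')}")
    cipher = tls.get("cipher", "").upper()
    if any(m in cipher for m in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite: {tls.get('cipher')}")
    return findings


# Constructed samples: one hardened endpoint and one that has drifted
HARDENED = {
    "headers": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "Access-Control-Allow-Origin": "https://app.example.com",
    },
    "tls": {"version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"},
}
DRIFTED = {
    "headers": {
        "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src * 'unsafe-inline'",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true",
        "Server": "nginx/1.18.0",
    },
    "tls": {"version": "TLSv1.0", "cipher": "RC4-SHA"},
}
```

Running the same check against every environment (dev, staging, production) is what turns a one‑off hardening review into a drift test: a header that is present in staging and missing in production shows up as a diff, not as an incident.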

Threat group #5: A05 Injection

What’s included: SQL/NoSQL, OS command, LDAP, template/expression injections via unvalidated input.

Impact: loss of data/command integrity, full compromise of data stores.

QA: verify that queries use prepared statements/parameterization and that input is strictly validated, run DAST/fuzzing on critical paths, and review templates and expression evaluation in code.
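As an added example (not a1qa’s code), the same user lookup is shown written the vulnerable way and the parameterized way, with a small DAST‑style probe that feeds classic payloads to each. The table, rows and payloads are constructed; `sqlite3` from the Python standard library stands in for the real database.

```python
# Added example, not a1qa's code: vulnerable vs parameterized query and a small
# injection probe of the kind a DAST step would run. Data and payloads are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; pw_hash values are placeholders, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-alice", 0), ("admin", "hash-admin", 1)],
    )
    return conn


def find_user_vulnerable(conn, username: str, pw_hash: str):
    # String interpolation: attacker text becomes part of the SQL grammar
    sql = (f"SELECT username, is_admin FROM users "
           f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str, pw_hash: str):
    # Parameterized: values travel separately, so quotes and comments stay data
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchall()


# Constructed payloads: close the string literal, then comment out the password check
PAYLOADS = ["admin' -- ", "' OR '1'='1' -- "]


def is_injectable(query_fn) -> bool:
    """DAST-style probe: a wrong password must never return rows. A SQL error on
    quoted input is also treated as a finding, since the input reached the parser."""
    conn = make_db()
    for p in PAYLOADS:
        try:
            if query_fn(conn, p, "definitely-wrong"):
                return True
        except sqlite3.Error:
            return True
    return False


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOADS[0], "wrong"),
        "safe": find_user_safe(conn, PAYLOADS[0], "wrong"),
        "legit": find_user_safe(conn, "alice", "hash-alice"),
    }
```

The probe is deliberately generic: it does not know the query text, only that a wrong credential must produce zero rows and no database error, which is exactly the contract a QA engineer can assert on without reading the source.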

Threat group #6: A06 Insecure Design

What’s included: missing architectural controls, relying on post‑hoc fixes rather than designing constraints.

Impact: systemic defects with high change cost.

QA/architecture: threat modeling pre‑coding; derive business‑logic test cases from threats; ‘security‑by‑contract’ invariants and service contracts; architecture‑level tests (ATDD).

Threat group #7: A07 Authentication Failures

What’s included: weak login, session mishandling, MFA issues, context‑free tokens.

Impact: account takeover, fraud, privilege escalation.

QA: negative MFA scenarios, anti‑automation/anti‑bruteforce, session management validation, device/context binding, secure recovery flows.
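The negative scenarios above can be driven against an in‑memory authentication service, as in this added example (not a1qa’s code): lockout after repeated failures, a fresh session id on every successful login (so a pre‑authentication session an attacker planted cannot be reused), and identical responses for unknown users and wrong passwords. The `AuthService` class, its single user and the lockout numbers are hypothetical; the PBKDF2 iteration count is set low for the demo and would be higher in production.

```python
# Added example, not a1qa's code: an in-memory auth service with the controls the
# negative tests target, plus the scenario runner. Names and limits are hypothetical.
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
PBKDF2_ITERATIONS = 50_000  # lowered for the demo; use a production-grade count live


class AuthService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        salt = b"static-salt-for-demo"  # constructed; per-user random salt in production
        self.users = {"alice": (salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, PBKDF2_ITERATIONS))}
        self.failures = {}  # username -> (count, time of first failure in this streak)
        self.sessions = {}  # session id -> username (None for a pre-auth session)

    def anonymous_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def _locked(self, user: str) -> bool:
        count, since = self.failures.get(user, (0, 0.0))
        return count >= MAX_FAILURES and self.clock() - since < LOCKOUT_SECONDS

    def login(self, user: str, password: str, pre_auth_session: str = None):
        """Returns (session_id or None, status) with status in {"ok", "invalid", "locked"}."""
        if self._locked(user):
            return None, "locked"
        rec = self.users.get(user)
        # Always do the hash work so timing does not reveal which usernames exist
        salt, expected = rec if rec else (b"x", b"\x00" * 32)
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if rec is None or not hmac.compare_digest(got, expected):
            count, since = self.failures.get(user, (0, self.clock()))
            self.failures[user] = (count + 1, since)
            return None, "invalid"
        self.failures.pop(user, None)
        # Rotate: the pre-auth id must never become the authenticated one
        if pre_auth_session in self.sessions:
            del self.sessions[pre_auth_session]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid, "ok"

    def whoami(self, sid: str):
        return self.sessions.get(sid)


def run_negative_scenarios() -> dict:
    class FakeClock:            # lets the test jump past the lockout window
        def __init__(self): self.now = 1000.0
        def __call__(self): return self.now

    clock = FakeClock()
    svc = AuthService(clock=clock)
    out = {}
    # 1. Session fixation: a guest session id must not survive login
    guest = svc.anonymous_session()
    sid, status = svc.login("alice", "correct horse", pre_auth_session=guest)
    out["login_ok"] = status == "ok"
    out["session_rotated"] = sid != guest and guest not in svc.sessions and svc.whoami(sid) == "alice"
    # 2. Lockout: after MAX_FAILURES wrong guesses even the right password is refused
    for _ in range(MAX_FAILURES):
        svc.login("alice", "wrong")
    out["locked_after_failures"] = svc.login("alice", "correct horse")[1] == "locked"
    # 3. The lockout expires after the window and a good login clears the streak
    clock.now += LOCKOUT_SECONDS + 1
    out["unlocked_after_window"] = svc.login("alice", "correct horse")[1] == "ok"
    # 4. Unknown user and wrong password are indistinguishable (no enumeration)
    out["no_user_enumeration"] = svc.login("nobody", "x")[1] == svc.login("alice", "x")[1]
    return out
```

The fake clock is the important test‑design choice: lockout and recovery windows are only testable if time is injectable, otherwise the “unlock after the window” case becomes a 15‑minute sleep that nobody runs.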

Threat group #8: A08 Software or Data Integrity Failures

What’s included: untrusted updates, integrity violations in critical configs/data, missing signatures.

Impact: stealth compromise, silent changes to business rules.

QA: enforce signatures/verification of updates and artifacts, integrity baselines (hash + monitoring) for critical tables/configs, two‑person rule for business‑logic changes.
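Threat group #3 (SBOM, approved sources, artifact integrity) and threat group #8 (signed updates, integrity baselines) need the same verification logic, so one added example covers both; it is not a1qa’s code. A release manifest lists components with their source registry and the expected SHA‑256 of each artifact; the verifier first checks the manifest’s own signature, then the source allowlist and version pinning, then each artifact digest. An HMAC‑SHA256 tag with a constructed key stands in for a real detached signature (Sigstore, GPG) so the example runs offline; the manifest layout and registry allowlist are assumptions.

```python
# Added example, not a1qa's code: verifying a signed release manifest before deploy.
# HMAC-SHA256 stands in for a real signature scheme; the format is an assumption.
import hashlib
import hmac
import json

APPROVED_REGISTRIES = {"https://registry.npmjs.org", "https://pypi.org/simple"}
SIGNING_KEY = b"demo-release-key"  # constructed; a KMS/HSM-held key in production


def canonical(manifest: dict) -> bytes:
    # Deterministic serialization so the signature does not depend on key order
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_release(manifest: dict, tag: str, artifacts: dict, key: bytes = SIGNING_KEY) -> list:
    """artifacts maps artifact name -> bytes as fetched. Returns findings; an empty
    list means the release may be deployed."""
    findings = []
    # 1. Nothing inside the manifest is trusted until the manifest itself is authentic
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest signature invalid; refusing to evaluate contents"]
    # 2. Every component must be pinned and come from an approved source
    for comp in manifest["components"]:
        if comp["source"] not in APPROVED_REGISTRIES:
            findings.append(f"{comp['name']}: unapproved source {comp['source']}")
        version = comp.get("version") or ""
        if not version or version.startswith(("^", "~", ">=", "*")):
            findings.append(f"{comp['name']}: version not pinned ({version or 'none'})")
    # 3. Every artifact must hash to what the signed manifest promised
    for name, expected in manifest["artifacts"].items():
        data = artifacts.get(name)
        if data is None:
            findings.append(f"{name}: artifact missing")
            continue
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            findings.append(f"{name}: digest mismatch")
    return findings


# Constructed sample release
GOOD_BUNDLE = b"app-v1.2.3-bundle"


def sample_manifest() -> dict:
    return {
        "release": "1.2.3",
        "components": [
            {"name": "left-pad", "version": "1.3.0", "source": "https://registry.npmjs.org"},
            {"name": "requests", "version": "2.32.3", "source": "https://pypi.org/simple"},
        ],
        "artifacts": {"bundle.tar.gz": hashlib.sha256(GOOD_BUNDLE).hexdigest()},
    }
```

The ordering matters: a manifest whose source list was edited after signing fails closed at step 1 and its contents are never evaluated, which is what “trust but verify” means for a build pipeline.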

Threat group #9: A09 Security Logging and Alerting Failures

What’s included: incomplete logs, unvalidated events, unreliable or untriaged alerts, missing SLO for detection.

Impact: delayed response and higher loss.

QA/operations: detection tests (canary events, incident simulations), log format/context validation tied to tracing, purple‑team exercises with MTTD/MTTR metrics.
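A detection test is just a replay of known events through the rule that is supposed to fire on them, plus a check that the log format still parses. The added example below (not a1qa’s code) runs constructed log lines through a brute‑force rule, looks for a canary event by its trace id, and reports any line the parser could not read, which is how schema drift gets caught before an incident does. The log line format, thresholds and IP addresses are assumptions.

```python
# Added example, not a1qa's code: replaying constructed log lines through a
# brute-force rule and a canary check. Format, thresholds and addresses are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+) trace=(?P<trace>\S+)$")
BRUTE_THRESHOLD = 5
BRUTE_WINDOW = timedelta(minutes=2)


def parse(line: str):
    m = LINE.match(line)
    if not m:
        return None  # a line the rule cannot read is itself a finding: the schema drifted
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def detect_bruteforce(events: list) -> set:
    """Sources with >= BRUTE_THRESHOLD failed logins inside any BRUTE_WINDOW span."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_src[e["src"]].append(e["ts"])
    hits = set()
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= BRUTE_WINDOW)
            if in_window >= BRUTE_THRESHOLD:
                hits.add(src)
                break
    return hits


def run_detection_test(lines: list, canary_trace: str) -> dict:
    events, malformed = [], []
    for ln in lines:
        e = parse(ln)
        (events if e is not None else malformed).append(e if e is not None else ln)
    return {
        "malformed": malformed,
        "bruteforce_sources": detect_bruteforce(events),
        "canary_seen": any(e["trace"] == canary_trace for e in events),
    }


# Constructed sample log: one burst from a single source, slow failures from another,
# a canary privilege event, and one line in an old format
SAMPLE_LOG = [
    "2025-12-01T10:00:00 login_failed user=alice src=203.0.113.7 trace=t1",
    "2025-12-01T10:00:10 login_failed user=alice src=203.0.113.7 trace=t2",
    "2025-12-01T10:00:20 login_failed user=bob src=203.0.113.7 trace=t3",
    "2025-12-01T10:00:30 login_failed user=carol src=203.0.113.7 trace=t4",
    "2025-12-01T10:00:40 login_failed user=dave src=203.0.113.7 trace=t5",
    "2025-12-01T10:05:00 login_failed user=alice src=198.51.100.2 trace=t6",
    "2025-12-01T10:30:00 login_failed user=alice src=198.51.100.2 trace=t7",
    "2025-12-01T10:31:00 login_ok user=alice src=198.51.100.2 trace=t8",
    "2025-12-01T10:32:00 privilege_granted user=canary-svc src=10.0.0.9 trace=canary-0001",
    "login_failed without timestamp - old format",
]
```

In a purple‑team exercise the same runner is pointed at the real SIEM export after the canary action is performed, and the time between the action and `canary_seen` turning true is the MTTD figure the page asks for.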

Threat group #10: A10 Mishandling of Exceptional Conditions

What’s included: sensitive error disclosures, fail‑open behaviors, race conditions and abnormal states under failures.

Impact: DoS, leakage of internal details, broken transactional invariants.

QA: chaos testing and fault‑injection for services and network dependencies, safe error messages (sanitized, no stack details), test graceful degradation, timeouts/retries.
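Fault injection for this category means making a dependency fail on purpose and watching what the security decision does. In the added example below (not a1qa’s code) a remote policy service is simulated with an injectable timeout; the fail‑open authorizer turns that outage into a bypass, the fail‑closed one denies and lets the caller degrade, and the request handler keeps the internal error text in the log under a correlation id rather than in the response body. The `PolicyClient` and decision table are hypothetical.

```python
# Added example, not a1qa's code: fault injection against an authorization check that
# depends on a remote policy service. PolicyClient and its decisions are hypothetical.
import logging
import uuid


class PolicyTimeout(Exception):
    pass


class PolicyClient:
    """Stand-in for a remote policy service; `fail=True` injects a timeout."""
    def __init__(self, decisions: dict, fail: bool = False):
        self.decisions, self.fail = decisions, fail

    def is_allowed(self, user: str, action: str) -> bool:
        if self.fail:
            raise PolicyTimeout("policy service 10.0.0.5:8181: read timed out after 2s")
        return self.decisions.get((user, action), False)


def authorize_fail_open(client, user, action) -> bool:
    try:
        return client.is_allowed(user, action)
    except PolicyTimeout:
        return True   # BUG: "keep the site up" turns every outage into a bypass


def authorize_fail_closed(client, user, action) -> bool:
    try:
        return client.is_allowed(user, action)
    except PolicyTimeout:
        return False  # deny; the caller can degrade to read-only or retry


def authorize_unhandled(client, user, action) -> bool:
    return client.is_allowed(user, action)  # lets the exception reach the handler


def handle_request(client, user, action, authorize=authorize_fail_closed):
    """Returns (status, body). Internal detail goes to the log under a correlation id;
    the client only ever sees the id."""
    try:
        if not authorize(client, user, action):
            return 403, {"error": "forbidden"}
        return 200, {"result": f"{action} done"}
    except Exception as exc:
        cid = uuid.uuid4().hex
        logging.error("request %s failed: %r", cid, exc)
        return 500, {"error": "internal error", "correlation_id": cid}


def run_fault_injection() -> dict:
    """The chaos step: same request, dependency up vs. down, each authorizer."""
    decisions = {("alice", "read"): True}
    up, down = PolicyClient(decisions), PolicyClient(decisions, fail=True)
    return {
        "up_alice_read": authorize_fail_closed(up, "alice", "read"),
        "up_mallory_delete": authorize_fail_closed(up, "mallory", "delete"),
        "down_fail_open_mallory_delete": authorize_fail_open(down, "mallory", "delete"),
        "down_fail_closed_mallory_delete": authorize_fail_closed(down, "mallory", "delete"),
        "down_unhandled_response": handle_request(down, "mallory", "delete", authorize=authorize_unhandled),
    }
```

The assertion a QA engineer writes here is not “the service returned 500” but “the outage never produced a 200 for a request that would be denied when the dependency is healthy”; that is the invariant chaos testing should protect.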

The silent risk behind AI-generated code

Imagine launching a new feature in record time thanks to AI-assisted development. The code looks flawless, passes all automated tests, and sails through CI/CD. But beneath the surface something critical is missing: business logic safeguards.

By 2026, most production code is expected to be AI-generated, and with it comes a new wave of vulnerabilities: logic flaws that scanners cannot catch on their own.

Think of payment amounts that change after authorization, validation that runs only on page load, or cross-tenant access through chained APIs. These are not hypotheticals; they are the next headline breach.
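Threat group #6 asked for business‑logic test cases derived from threats and for “security‑by‑contract” invariants, and the scenarios just listed are exactly such invariants. The added example below (not a1qa’s code) encodes a checkout flow where the server recomputes the total from its own catalog, freezes the cart once authorized, and only captures the authorized amount, then runs the tampering attempts a scanner would never generate. The `Checkout` class, SKUs and prices are hypothetical.

```python
# Added example, not a1qa's code: business-logic invariants for a checkout flow and
# the negative tests that exercise them. Checkout, SKUs and prices are hypothetical.
from decimal import Decimal

CATALOG = {"sku-1": Decimal("19.99"), "sku-2": Decimal("5.00")}  # constructed prices


class InvariantViolation(Exception):
    pass


class Checkout:
    def __init__(self):
        self.state = "cart"          # cart -> authorized -> captured
        self.items = {}
        self.authorized_amount = None

    def add(self, sku: str, qty: int):
        if self.state != "cart":
            raise InvariantViolation("cart is frozen after authorization")
        if sku not in CATALOG or qty <= 0:
            raise InvariantViolation("unknown sku or non-positive quantity")
        self.items[sku] = self.items.get(sku, 0) + qty

    def total(self) -> Decimal:
        # Recomputed from the catalog every time; a client-supplied total is never trusted
        return sum(CATALOG[s] * q for s, q in self.items.items())

    def authorize(self, client_claimed_total) -> Decimal:
        if self.state != "cart":
            raise InvariantViolation("already authorized")
        server_total = self.total()
        if Decimal(client_claimed_total) != server_total:
            raise InvariantViolation(f"client total {client_claimed_total} != server total {server_total}")
        self.authorized_amount = server_total
        self.state = "authorized"
        return server_total

    def capture(self, amount) -> Decimal:
        if self.state != "authorized":
            raise InvariantViolation("capture only from the authorized state")
        if Decimal(amount) != self.authorized_amount:
            raise InvariantViolation("captured amount differs from authorized amount")
        self.state = "captured"
        return self.authorized_amount


def attempt(fn, *args) -> bool:
    """Run one hostile step; True means the invariant held and the step was rejected."""
    try:
        fn(*args)
        return False
    except InvariantViolation:
        return True


def logic_test_suite() -> dict:
    c = Checkout()
    c.add("sku-1", 2)
    c.add("sku-2", 1)                      # server total 44.98
    results = {}
    results["tampered_total_rejected"] = attempt(c.authorize, "0.01")
    results["honest_total_accepted"] = c.authorize("44.98") == Decimal("44.98")
    results["post_auth_cart_frozen"] = attempt(c.add, "sku-2", 100)
    results["overcapture_rejected"] = attempt(c.capture, "444.98")
    results["undercapture_rejected"] = attempt(c.capture, "1.00")
    results["exact_capture_ok"] = c.capture("44.98") == Decimal("44.98")
    results["double_capture_rejected"] = attempt(c.capture, "44.98")
    return results
```

Every case in `logic_test_suite` starts from a threat (“what if the client lies about the total?”, “what if capture is replayed?”) rather than from a code path, which is the derivation the page recommends; none of them would be found by a scanner because the code is syntactically and functionally correct for honest input.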

Why ransomware is still everyone’s problem

While companies are busy chasing zero-day exploits and AI-driven bugs, ransomware quietly remains the elephant in the room, and the trend is still climbing.

Attackers now use double extortion tactics, threaten public data leaks, and even target victims repeatedly. The financial impact? Escalating year over year, with no signs of slowing down.

What this means for QA

For QA teams, these trends redefine priorities. Automated tests alone won’t protect you from logic flaws introduced by AI or from the configuration gaps ransomware operators exploit. The answer lies in proactive security testing: threat modeling, chaos engineering, and business logic validation.

Categories like A01 and A10 directly address these emerging risks. Embedding them into your QA strategy today means fewer sleepless nights tomorrow.

Conclusion

OWASP Top 10:2025 serves as a strategic reference for structuring secure development practices in an era of AI-driven innovation and rising cyber threats.

By embedding these principles into QA processes, organizations can reduce systemic risk, ensure compliance, and deliver predictable releases without sacrificing speed.

Start today: audit your QA practices against OWASP 2025, integrate security gates into CI/CD, and empower your teams with threat modeling and business logic testing.

Need help with QA? Let’s discuss how we can help.
