Back to blog

OWASP Top 10 2025: New Threats and Their Impact on Pentesting Methodologies

November 24, 2025 Grzegorz Tworek 8 min read

An analysis of the latest OWASP Top 10 release from the perspective of a practicing pentester. How the new threat categories will affect web application security testing methodologies in 2025.

OWASP Top 10 2025 - New web application security threats

OWASP Top 10 2025 introduces new threat categories for web application security

OWASP Top 10 2025 RC1 was officially published on November 6, 2025, introducing significant changes to the classification of web application security threats. As a pentester with many years of experience, I analyze the impact of these changes on the practice of security audits.

Key changes in OWASP Top 10 2025

The latest edition of the OWASP Top 10 list is based on an analysis of more than 2.8 million applications, making it the largest and most comprehensive dataset on application security. It introduces two key new categories that will fundamentally change the approach to pentesting.

New threat categories

A03:2025 - Software Supply Chain Failures

A new category focused on threats related to the software supply chain, including malicious packages, compromised maintainers and tampered build processes.

A10:2025 - Mishandling of Exceptional Conditions

A category covering 24 CWEs focused on improper error handling, logic errors, "failing open" mechanisms and similar scenarios.

Analysis of the most important threats from a pentester's perspective

A01:2025 - Broken Access Control

Access control remains indisputably the number 1 category for web applications, APIs and many other digital systems, affecting 3.73% of the applications tested. In pentesting practice this means a need for particularly thorough testing of:

  • Horizontal privilege escalation - testing the ability to access resources of other users with the same level of permissions
  • Vertical privilege escalation - verifying mechanisms that prevent privilege escalation to higher roles
  • Insecure Direct Object References (IDOR) - systematic testing of all object identifiers
  • JWT token manipulation - analysis of token implementation and the potential for manipulating them

A02:2025 - Security Misconfiguration

The jump from 5th place in 2021 to 2nd position in 2025, affecting 3.00% of applications, reflects the growing complexity of configuring modern systems. During pentesting, particular attention should be paid to:

  • Cloud misconfigurations - incorrect configurations of AWS S3, Azure Blob Storage, GCP
  • Container security - the security of Docker, Kubernetes and orchestrators
  • Default credentials - systematic checking of default passwords in components
  • Unnecessary services - identifying and exploiting unnecessary services

New challenges for pentesters

Software Supply Chain Security

The introduction of the A03:2025 category requires pentesters to expand their skill set to include software supply chain analysis. In practice this means:

New testing methodology:

  • Dependency analysis - analysis of all dependencies and their origins
  • Package integrity verification - verifying the integrity of npm, pip and maven packages
  • Build process security - auditing CI/CD processes and the potential to compromise them
  • Vendor assessment - assessing the security of component suppliers

Error Handling and Exception Management

The A10:2025 category highlights the importance of proper exception handling. Pentesters must now systematically check:

  • Information disclosure - whether errors reveal sensitive information about the system
  • Fail-open scenarios - testing application behavior in the event of errors
  • Race conditions - identifying race conditions in error handling
  • Resource exhaustion - testing resilience to resource exhaustion

Impact on testing methodologies in 2025

Automation vs. manual testing

Data from 2025 shows that pentesting automation grew 2.5x in 2024, which is crucial for scaling test coverage. At the same time, there was an almost 2000% increase in vulnerabilities detected manually, especially in areas that automation still struggles with:

  • API security testing - complex business scenarios
  • Cloud configurations - context-dependent configuration errors
  • Complex chained exploits - combining multiple vulnerabilities

Continuous Pentesting

The shift from annual tests to continuous pentesting is becoming the standard in 2025. This means integration with CI/CD pipelines and the implementation of:

  • Automated security gates - automated security gates
  • Real-time vulnerability scanning - real-time scanning
  • DevSecOps integration - close collaboration with development teams

Practical guidance for audits

Tools and techniques for OWASP Top 10 2025

In response to the new threat categories, pentesters must expand their toolkit:

Supply Chain Analysis:

  • Dependency-Check (OWASP) - analysis of known vulnerabilities in dependencies
  • Syft + Grype - SBOM generation and vulnerability scanning
  • npm audit, pip-audit - specialized tools for different ecosystems

Configuration Assessment:

  • Scout Suite - multi-cloud security auditing
  • kube-bench - CIS Kubernetes benchmark
  • Docker Bench Security - security configuration for containers

The testing methodology in practice

I propose the following extended pentesting methodology that accounts for OWASP Top 10 2025:

  1. Pre-engagement - extended with supply chain analysis
  2. Reconnaissance - mapping the entire infrastructure and its dependencies
  3. Vulnerability Assessment - automation with a focus on the new categories
  4. Exploitation - testing chain attacks and edge cases
  5. Post-exploitation - analysis of the impact on the supply chain
  6. Reporting - business impact assessment that accounts for the supply chain

Do you need a professional security audit?

As a certified pentester with many years of experience, I offer comprehensive penetration tests that account for the latest OWASP Top 10 2025 standards.

Book a free consultation

Summary

OWASP Top 10 2025 introduces fundamental changes to the approach to web application security. The new categories - Software Supply Chain Failures and Mishandling of Exceptional Conditions - reflect the evolution of threats in the world of modern applications.

For pentesters this means a need to:

  • Expand their skill set to include supply chain analysis
  • Implement new tools and methodologies
  • Move to a continuous testing model
  • Develop a deeper understanding of modern application architectures

These changes are not just an update to the list - they are a fundamental transformation in the way we think about application security. Organizations that adapt their testing practices to these new realities will be far better prepared for the threats of 2025 and the years to come.

Pro tip: Start implementing methodologies that account for the new categories right now. Every day of delay means potentially greater risk for the organization you are testing.

Back to blog